Vulnerabilities Were Discovered in Smart Air Fryer
The RCEs Were Discovered in the Cosori Smart Air Fryer, a Wi-Fi-Connected Kitchen Product, That Leverages the Internet to Give Users Remote Control.
We live in a connected world, but sometimes too much connectivity can impact our cybersecurity. Researchers at TALOS have disclosed recently two remote code execution vulnerabilities present in a smart air fryer.
As you might already know RCEs are maybe some of the most severe types of vulnerabilities because they are allowing attackers to remotely deploy malicious code, thus potentially leading to the takeover of a system, remote tampering, and execution of additional malware payloads.
It’s true that targeting consumer products for the execution of an RCE may not have the same impact as when the attackers are targeting a corporate network, but it is worth highlighting that a smart product that we have in our home is not necessary also safe.
Two RCEs were discovered in the Cosori Smart Air Fryer, a Wi-Fi-connected kitchen product, the air fryer leverages the internet to give users remote control over cooking temperature, times, and settings.
TALOS-2020-1216 (CVE-2020-28592) and TALOS-2020-1217 (CVE-2020-28593) are remote code execution vulnerabilities that could allow an attacker to remotely inject code into the device. This could hypothetically allow an adversary to change temperatures, cooking times and settings on the air fryer, or start it without the user’s knowledge. The adversary must have physical access to the air fryer for some of these vulnerabilities to work.”
The cyber researchers tested the Cosori Smart 5.8-Quart Air Fryer CS158-AF (v.1.1.0) and discovered two vulnerabilities, called CVE-2020-28592 and CVE-2020-28593.
Both vulnerabilities could be exploited with the use of crafted traffic packets, although local access may be required for easier exploitation.
At this time the vulnerabilities don’t have any fix, as Cosori did not respond within the typical 90-day vulnerability disclosure period.
Heimdal™ Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
The important takeaway from this situation is related to the vulnerabilities that can interact and affect the Internet of Things (IoT) devices in our homes, and the further implications this might have.