
You can hack an air fryer?

As the title insinuates, we have now evolved to the point of no return. Researchers from Cisco Talos revealed the discovery of two remote code execution (RCE) vulnerabilities in the Cosori Smart Air Fryer, a Wi-Fi-connected kitchen product that uses the internet to give users remote control over cooking temperature, times, and settings. RCEs are not vulnerabilities that you can just brush over: they're often considered to be some of the most severe types of vulnerabilities because they allow attackers to remotely deploy code, potentially leading to the system being hijacked, remote tampering, and the execution of additional malicious payloads.


Now, these RCEs may not have the same immediate impact as a similar vulnerability on a corporate network, but it is still worth pondering the number of possible vulnerabilities that current and future smart products may possess. The imminent threat of greedy hackers using your microwave as a way to steal your credentials is extremely troubling, to say the least. This discovery, along with many others, should be a warning to the people of the world today that a focus on cyber security is becoming more and more of a necessity every day.


Upon analysis of the Cosori Smart Air Fryer (v.1.1.0), the leading researchers discovered two vulnerabilities, CVE-2020-28592 and CVE-2020-28593. The first vulnerability is caused by an unauthenticated backdoor and the second is a heap-based overflow issue. Both vulnerabilities could be exploited via crafted traffic packets, although local access may be required for more streamlined exploitation.


Cosori told ZDNet "the scope of the vulnerability is limited to the local area network and cannot be controlled remotely through WAN," and a firmware update to patch the vulnerabilities is due on April 25.



