The “Crazy Toaster” Trojan Horse

A security geek created a toaster that could connect to a home network, sniff for passwords, and then crack the Home PC.

From the Reg here:

The more paranoid among us have long been wary of the possibility that networked fridges might spontaneously turn off, perhaps after becoming infected with a computer virus, ruining milk in the process. Other networked appliances might also pose a danger of sorts, security boffins have shown.

A security expert from Check Point demonstrated at the recent ClubHACK 2007 conference in India how a networked toaster might be used to hack a computer.

Check Point’s Dror Shalev said he developed the networked toaster hack in response to a statement from a senior scientist from Google that there was no need to be afraid of a toaster at home. “But as a hacker, I came up with a toaster that could actually hack a computer,” Shalev explained. “I call it a ‘Crazy Toaster’.”

Details on Shalev’s quixotic hack are sparse, but it is said to involve the development of software that interacted with a networked toaster. “As soon as the toaster is plugged in, the software is activated before it breaks into the user’s computer system. The same software prototype can be networked with any home appliance for stealing the Web secrets,” Shalev said. “With wireless technology available, there is no need for connecting the appliance with the computer,” he chillingly added.

I would just be happy with a toaster that toasted my bread evenly. And they can’t create a toaster that self-butters the toast, but they already have one that can hack your PC?

Actually, Shalev makes a pretty good point, and I have two scenarios that are a bit more real-world.

First Scenario: You are hosting a Holiday Party and everyone shows up and has a good time. One of your guests calls three days later and asks if he left his coat there. You look at your coat rack and notice that yes, the coat is there, and you tell him to come pick it up. Before he arrives, you pick up his coat and notice that something bulky is in the pocket. You reach in and its a PDA. The LED is flashing, but its biometrically locked. You have no idea what it was doing. You have a wireless network at your home and you perform some sensitive computing there. A quick check of your wireless router logs shows that the PDA had connected to your wi-fi network. Your guest shows up to get his coat. Do you return his PDA?

Second Scenario: You want a cool techie gadget that will quick-chill a beer, and will do so over the home network. You buy the device, configure it to connect to your Wi-Fi, and install the software to monitor the chiller and control it from your basement PC or home theater media center. After six weeks of normal operation, the device shuts down and won’t restart. Its still under warranty. Do you return it?

PDA’s can run programs and can even audio-record its surroundings based on sound activation. How would you know that your guest hadn’t essentially wire-tapped your network connection and captured your network traffic or even eavesdropped on your conversations?

And how could you be sure that the device you connected to chill your beer didn’t do the same? Returning the device to the manufacturer under warranty may disclose, at the least, your wireless password, and at the most, whatever else it could have been maliciously programmed to do.

Yeah its far-fetched, but more realistic than the toaster, and besides, who doesn’t want a cold beer right now?