- A popular smart air fryer could be made to run malicious code through specially crafted JSON objects.
- The two flaws that affect the product were disclosed to the vendor back in December 2020 but remain unfixed.
- The particular air fryer is being used by a large number of consumers and is still available on Amazon.
If you need another reminder of why smart home devices can pose a physical risk to you and your family, Cisco Talos researchers have just the right thing. The team has discovered two flaws, TALOS-2020-1216 (CVE-2020-28592) and TALOS-2020-1217 (CVE-2020-28593), both remote code execution vulnerabilities that could allow a malicious actor to inject code into the Cosori Smart Air Fryer. The hypothetical results of this include raising the cooking times and/or temperatures, starting or stopping cooking, etc.
As one understands, having your air fryer activated and going to max temp in the middle of the night could be very dangerous, so this isn’t just an annoyance. Also, the Talos team mentions that they disclosed the vulnerabilities to Cosori back in December 2020, but the vendor hasn’t responded and hasn’t fixed the flaws, and so this is now public. As the researchers confirmed in the relevant post, the latest firmware version, Cosori Smart 5.8-Quart Air Fryer CS158-AF version 1.1.0, is still exploitable.
The particular product is one of the best-selling air fryers on Amazon, having tens of thousands of reviews. Thus, Talos’ findings concern a large number of consumers who are running risks they’re unaware of. Cosori is an American brand manufacturing its products in China, and it’s generally considered a good value for money choice.
However, their response to the Talos reports has been underwhelming, as it seems. The particular product is no longer listed on the company’s website, but since it’s still used out there and is available through resellers, there should be no discontinuation excuses here.
Returning to the flaws themselves, CVE-2020-28592 is a heap-based buffer overload vulnerability existing in the configuration server functionality of the product. An attacker could potentially craft a JSON object that leads to RCE or crash upon delivering a malicious packet. This flaw has a CVSSv3 score of 8.1.
CVE-2020-28593 is an unauthenticated backdoor in the configuration server functionality again, also triggered via a JSON object that arrives via a malicious packet. The CVSSv3 score is the same, at 8.1. In both cases, the exploit would require the physical presence of the attacker in the device’s WiFi range during the initial setup phase.
If you love the comfort of smart home devices, which is understandable, you should keep in mind the associated risks, too, especially when the device can reach high temperatures for prolonged periods. A solid way to protect yourself from any risk is to keep them offline or simply unplugged when not in use and/or supervised.