Connected devices can leave an otherwise secure network vulnerable
Pwned: Welcome to Pwned, The Register's new column, where we highlight the worst infosec own goals so you can, hopefully, protect against them.
Caffeine is an essential tool for most IT defenders, so, on balance, we're sure it has protected against a lot more exploits than it has caused.
But in this case, the desire for everyone's favorite stimulant led to a massive breach.
Our story comes to us courtesy of a reader we'll Regomize as TR, a digital forensics investigator with almost two decades of experience.
He describes a situation where a corporate client called after suffering a data breach because they thought that a rival had invaded their server room.
Rather than jump to that conclusion, TR and his company spent several days looking for malware and other vulnerabilities on the network.
What they found was rather surprising.
It turned out that the leak came not from malicious software, but from an internet-connected coffee machine that was on the client's secure network.
This device could output espresso, but it also came with a default password, an ancient OS, and no firewall.
Threat actors discovered the coffee machine and used it to get around all of the client's security measures.
Every time someone brewed a cup, the machine was sending packets outside the country to malicious actors.
"We needed to explain to the room that was full of vibrant executives that they had highly sensitive data that was compromised by a cappuccino," TR said.
"Even the most expensive firewall that the world has to offer will not be able to secure you when even your kitchen appliances are chatting with the enemy."
Sound far-fetched?
Merritt Maxim, VP and research director at Forrester Research, said that this incident reminded him of one from 2017, when hackers used a connected fish tank to pwn a North American casino [PDF].
The tank used a VPN to separate its data from the rest of the network.
However, attackers still managed to exfiltrate 10 GB of data and send it all the way to Finland, according to Darktrace.
"Forrester data shows that connected devices are increasingly involved in data breaches," Maxim said, "because they often have default passwords, lack monitoring of traditional desktops, and are often assumed to be benign."
So be careful what devices you allow onto your network.
And make sure you always change the default passwords.
Source: This article was originally published by The Register