My new air fryer is a security risk

by Larry Magid

This post first appeared in the Mercury News

My Cosori air fryer, which is not the model with known vulnerabilities (image downloaded from Amazon.com)

Little did I know that my latest home appliance would be a security risk. Earlier this month, I purchased a “smart” 12-in-one COSORI air fryer, toaster, dehydrator, rotisserie, and convection oven. I’ve used it to make pizza, biscuits, non-greasy fries and air-fried Brussels sprouts.

I love cooking with this device, but I just read on ZDNet that a Cosori air fryer was found to have “two remote code execution (RCE) vulnerabilities.” I’m still using mine, but at least until I verify that the vulnerability has been fixed, I plan to leave it unplugged while it’s not in use. Actually, unplugging it is a good idea for other reasons. It saves energy (most modern electronic devices use a small amount of power when not in use) and avoids any possibility of a safety issue when not in use. The CS158 model with the known vulnerabilities is different from mine, but I wonder whether mine might also have issues.

Like a growing number of appliances, the “smart” air fryer I bought can connect to a home Wi-Fi network so that it can be controlled via a smartphone app or by voice through Amazon Alexa or Google Home smart speakers. The accompanying app contains multiple recipes with a “cook this dish” button that automatically programs the oven with the time, temperature, and other settings for each dish. It also notifies you when the dish is done — a handy but far from essential feature.

As-yet unpatched vulnerability

But, as with all devices that are connected to the internet, there is some risk. In this case, the risk is real, according to Cisco Talos Intelligence Group, which discovered the flaw. The Cosori smart air fryer it tested has “vulnerabilities that could allow an attacker to remotely inject code into the device. This could hypothetically allow an adversary to change temperatures, cooking times and settings on the air fryer, or start it without the user’s knowledge. The adversary must have physical access to the air fryer for some of these vulnerabilities to work.” The Cosori model I have can be programmed via the app, but you have to press a button on the device to start the cooking process.

Cisco Talos said that it reported the vulnerability to Cosori, but the company “did not respond appropriately during the 90-day period as outlined in the (Talos) policy.” Security researchers generally provide manufacturers a reasonable amount of warning before disclosing a vulnerability so that they can fix it before it’s made public and therefore more likely to be exploited by hackers who might have otherwise not known about it. I reached out to Cosori via Twitter and its website but did not receive a response before my deadline.

I’m not particularly worried about a hacker sabotaging my next chicken dinner, but I do worry about it becoming a vector that could jeopardize other devices on my home network, including my PCs and smartphones. And I don’t just worry about this one device. Many homes have multiple Internet of Things (IoT) devices, including smart speakers, TVs, door locks, cameras, appliances and much more.

In an interview, Craig Williams, Talos outreach director at Cisco, was less concerned about an IoT vulnerability jeopardizing your PC or smartphone data than the possibility that a security breach of a device could be used by an attacker to stage attacks on other systems. “One of the things an attacker always wants is more places to route their attacks through and having home network connections that are effectively unmonitored is a great way to do that,” he said.

Williams said that a vulnerability in IoT devices is very common. What’s important is that the company fix vulnerabilities when they’re discovered. He recommends only buying devices from companies that are likely to be around for a while and said that one way to find out how a company responds to vulnerabilities is to Google their name followed by CVE, short for Common Vulnerabilities and Exposures. If you search “Cosori CVE,” you’ll find references to this issue. Whenever possible you should consider unplugging an IoT device when it’s not in use (that’s not always possible), and before buying an IoT device, consider whether it really needs an internet connection. In the case of my air fryer, the connection to my app and smart speaker is handy, but I can’t think of any reason why the device itself needs to connect to “the cloud.”

Having more than one network in a home is easier said than done. A blog post from ActionTech (tinyurl.com/sepnetwork) explains multiple ways to accomplish this, ranging from the most secure — two completely different networks, to the easiest — using one router to set up a guest Wi-Fi network, a simple feature supported by most routers.

According to a blog post from the Oregon FBI field office, “unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure.” The FBI office advised users to “change the device’s factory settings from the default password,” and, if the device has a companion smartphone app, to “know what kind of personal information those apps are collecting and say ‘no’ to privilege requests that don’t make sense.” The FBI also advises that “your fridge and your laptop should not be on the same network. Keep your most private, sensitive data on a separate system from your other IoT devices.”

It’s also important to use unique passwords for all your devices and accounts to protect against a password breach being used on other devices and services. Make sure that all your smartphone and computer apps and operating systems are up-to-date, and whenever possible, configure your devices to be updated automatically. This way, you’ll be protected if companies find and fix a vulnerability. Unfortunately, some IoT devices don’t have an obvious way to update their firmware, but many do through their companion apps.

Don’t panic or throw away your IoT devices

The fact that we live in a world with vulnerabilities doesn’t mean that we are likely to be seriously victimized. While I recognize that all technology (and indeed most things in life) has risks, it also has rewards. My advice is to enjoy the rewards while managing the risks by making sure you follow basic security and safety steps. Long before they became “smart,” toaster ovens would occasionally burn people and even cause home fires. So did cooking technologies that preceded them. That’s why the most vital component of any device, smart or not, is a smart user.

Larry Magid is a tech journalist and internet safety activist.