The company's biggest security hole lived in the breakroom
- News link: https://www.theregister.co.uk/2026/04/02/pwned/
Our story comes to us courtesy of a reader we'll Regomize as TR, a digital forensics investigator with almost two decades of experience.
He describes a corporate client who called after suffering a data breach, convinced that a rival had physically got into their server room. Rather than accept that conclusion, TR and his company spent several days sweeping the network for malware and vulnerabilities. What they found was rather surprising.
It turned out that the leak came not from malicious software, but from an internet-connected coffee machine that was on the client's secure network. This device could output espresso, but it also came with a default password, an ancient OS, and no firewall.
Threat actors found the coffee machine and used it as a foothold that sat inside every perimeter control the client had bought. Every time someone brewed a cup, the machine sent packets out of the country to the attackers.
"We needed to explain to the room that was full of vibrant executives that they had highly sensitive data that was compromised by a cappuccino," TR said. "Even the most expensive firewall that the world has to offer will not be able to secure you when even your kitchen appliances are chatting with the enemy."
Sound far-fetched? Merritt Maxim, VP and research director at Forrester Research, said that this incident reminded him of one from 2017, when hackers used a connected fish tank to [8]pwn a North American casino [PDF]. The tank used a VPN to separate its data from the rest of the network. However, attackers still managed to exfiltrate 10 GB of data and send it all the way to Finland, according to Darktrace.
"Forrester data shows that connected devices are increasingly involved in data breaches," Maxim said, "because they often have default passwords, lack the monitoring of traditional desktops, and are often assumed to be benign."
So be careful what devices you allow onto your network, keep anything you cannot patch or monitor on its own segment with no route to sensitive systems or to the internet, watch what leaves that segment, and make sure you always change the default passwords.
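That last paragraph is the whole lesson, so here is an added example (not code from the article, TR's firm or Forrester) of the egress check that would have surfaced the coffee machine: a Python pass over flow records that flags any device on an appliance segment talking to the internet at all, and escalates when the destination geolocates abroad or the same host is contacted repeatedly, the brew-by-brew beacon TR describes. The VLAN range, the internal address ranges, the GeoIP mapping and the flow lines are all constructed for the example.

```python
"""Egress check for an appliance/IoT segment.

Added example, not code from the article, TR's firm or Forrester. It assumes
a hypothetical appliance VLAN (10.50.0.0/24), a hypothetical set of internal
ranges, and flow records in the constructed format below. The GeoIP lookup is
a stand-in dict; a real deployment would query a GeoIP database.
"""
import ipaddress
from collections import defaultdict

# Assumed network layout (hypothetical).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
HOME_COUNTRY = "GB"  # assumed

# Stand-in for a GeoIP database (constructed mapping over documentation ranges).
GEO = {"203.0.113.7": "RO", "198.51.100.9": "GB"}

# Constructed flow records: timestamp src dst dst_port bytes.
# 10.50.0.23 plays the coffee machine: a short burst to the same foreign host
# each time someone brews. 10.50.0.40 is a well-behaved appliance. 10.10.0.77
# is a desktop, outside the segment this check covers.
SAMPLE_FLOWS = """\
2026-03-30T08:02:11 10.50.0.23 10.10.0.5 53 80
2026-03-30T08:02:11 10.50.0.23 203.0.113.7 443 612
2026-03-30T08:31:40 10.50.0.23 203.0.113.7 443 598
2026-03-30T09:04:02 10.50.0.23 203.0.113.7 443 640
2026-03-30T09:05:17 10.50.0.40 198.51.100.9 443 2300
2026-03-30T09:06:00 10.10.0.77 203.0.113.7 443 15000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    """True if addr falls in one of the organisation's internal ranges.

    Explicit ranges rather than ipaddress.is_private, which also treats the
    RFC 5737 documentation ranges used in the sample as private.
    """
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETWORKS)


def findings(flows, min_hits=3):
    """One finding per (appliance, external destination) pair.

    An appliance on the IoT segment should never talk to the internet
    directly, so any external flow is at least 'medium'. It becomes 'high'
    when the destination geolocates outside HOME_COUNTRY or the same host
    is hit at least min_hits times (beacon-like). Sources outside
    IOT_SEGMENT are out of scope for this check.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["src"] in IOT_SEGMENT and not is_internal(f["dst"]):
            groups[(str(f["src"]), str(f["dst"]))].append(f)

    result = []
    for (src, dst), fs in groups.items():
        country = GEO.get(dst, "??")
        reasons = []
        if country != HOME_COUNTRY:
            reasons.append(f"destination geolocates to {country}")
        if len(fs) >= min_hits:
            reasons.append(f"{len(fs)} connections to the same host")
        result.append({
            "src": src,
            "dst": dst,
            "country": country,
            "hits": len(fs),
            "bytes": sum(f["bytes"] for f in fs),
            "severity": "high" if reasons else "medium",
            "reasons": reasons,
        })
    return result


if __name__ == "__main__":
    for r in findings(parse_flows(SAMPLE_FLOWS)):
        why = "; ".join(r["reasons"]) or "external traffic from appliance segment"
        print(f"[{r['severity']}] {r['src']} -> {r['dst']} ({r['country']}) "
              f"{r['hits']} flows, {r['bytes']} bytes: {why}")
```

Run against the constructed flows it reports the coffee machine as high (three hits to a host that geolocates to RO) and the second appliance as medium, and it says nothing about the desktop, which belongs to a different check. The design point is that the baseline for an appliance segment is "no direct internet at all", so the detection does not need to know what the machine's normal traffic looks like; a firewall rule that drops that egress in the first place is the cheaper control, and this check is how you notice when someone has bypassed it.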
Have a story about someone leaving a gaping hole in their network? Share it with us at [10]pwned@sitpub.com . Anonymity available upon request. ®
[8] https://web.archive.org/web/20180418230731/https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
[10] mailto:pwned@sitpub.com
Internet-connected coffee machine?! Who in wherever installed that?
BTW, nice to see el reg doing some public service; right on, I say..
Coffee machine. Check... iPad... Check
In my main office, the coffee type is chosen via an iPad app... Sometimes, you can't get your coffee shot due to lack of WiFi signal!
Why???? What was wrong with the old methods?
My question is - what the f**k was it doing on a *secure* network? At most, it should have been connected to the insecure/guest network.
Not just an issue for secure networks...
We had a power cut one day and discovered that one of the coffee machines, which was outside the server room but against one of the server room walls, was on the UPS-protected supply. It became a very popular machine that day, but sadly, facilities quickly had that power socket rewired.
I don't doubt the story...
... but I cannot think of a single use case for an internet connected Coffee Machine in a business environment. Literally not one that makes actual sense.
If people can order coffees from their desks, so that they just have to go and collect them when they're done, there is still no need for it to be talking outside of the network. (Not to mention the stupidity of such a system, where people would clearly just take whatever coffee is waiting there, and cause fights when someone grabs the wrong coffee. People have to get up and walk to the machine to collect anyway, so they can handle the 1 minute to actually make the coffee in front of them.)
A machine like this would almost certainly have a cleaning contract, so whoever's cleaning it can also handle the ordering of new beans/milk/etc. So again no need for it to ring outside.
But a machine like this would absolutely appeal to the sort of brain dead upper management who like expensive toys that are utterly useless... So I do not doubt for a second this actually happened...
Re: I don't doubt the story...
Just needs one of those Amazon drones/trucks to get it to your desk
Re: I don't doubt the story...
"I cannot think of a single use case for an internet connected Coffee Machine in a business environment."
I think the original idea was that these machines could phone home for more beans etc or when a service was required. Vending machines around the same era had 3G connections for the same purpose. OTA firmware updates were also considered "a good idea™."
Moving on to the unmentionable, HP printers do similar things for toner, paper etc. Big leased (pay per page) enterprise printers like Ricoh are often managed remotely but the printer can be placed on a DMZ network of some kind, but given the printers typically store/spool quite large print jobs any external access poses a risk of confidential material being exfiltrated.
So much even consumer shit has wifi and ethernet (RJ45 or USB) built in, even effing lightbulbs, so if you value network security the Maginot Line strategy isn't going to work as the adversary is already inside the perimeter.
Port authentication (802.1x) and encrypted ethernet might need to be considered.
Every smartphone inside the perimeter is a potential gateway or bridge on to your network(s).
Powerline ethernet could be quite nasty in a shared building.
I suspect much of this stuff like the coffee machine uses a ubiquitous SoC and runs Linux for cheapness rather than using an ASIC. The SoC system invariably provides wifi, ethernet, usb etc hardware and Linux the drivers so adding network/internet support is often a low cost marketing ploy — feature creep or creepy feature?
As NPU / AI capable processors become de rigueur for these products it can only go from bad to worse. Even as we speak Talkie the toaster is probably talking off a production line somewhere in China.
Re: I don't doubt the story...
I cannot think of a single use case for an internet connected Coffee Machine in a business environment.
It's a very common one - being expensive "This is a very important business with very important people in it. We have to have very important surroundings. We need a very important [i.e. expensive, the two are often confused by the confused] coffee machine to go with the very important [ditto] furniture."
Literally not one that makes actual sense.
Manglement thinking doesn't make actual sense, especially when prestige is taken into account.
Internet-connected coffee machine? I am getting tired of saying this but so-called smart devices are a stupid choice. My old aluminum coffee maker is a pain to clean but it comes malware free.
Been there, seen that
I was called in at a setup in London because they had a major infestation. For starters, they had a global network without any segregation so a virus infection would spread quicker than Covid in a room of heavy breathers, and this one duly did.
We set up separation and started cleaning up, keeping an eye on progress via a laptop running etherape (it's a simple tool, but a broadcasting virus shows up very well). After a few days we had a reasonable state, but we had two sources of broadcast left. One suddenly emerged and was quickly traced to a boardroom location where one of the very high ups from Far Far Away was giving a presentation (which got interesting politically), one was persistent and a swine to track as nobody knew what it was (I did mention a way too flat network). Eventually we figured it out: it was the switchboard, which was running a rather old version of Windows and had managed to pick up this virus too.
Took quite a bit of brute forcing before the vendor decided that maybe an update was a good idea - the suppliers were only set up to sell an appliance, not to do anything more intelligent so it took a while to get through to the actual manufacturer.