Remote code execution vulnerabilities uncovered in smart air fryer

Updated: The impacted vendor has not responded or fixed the security issues.

In another example of how connectivity can impact our home security, researchers have disclosed two remote code execution (RCE) vulnerabilities in a smart air fryer.

RCEs are often considered to be some of the most severe types of vulnerabilities as they allow attackers to remotely deploy code, potentially leading to the hijack of a system, remote tampering, and the execution of additional malware payloads. 

While targeting consumer products and executing an RCE may not have the same immediate impact as doing the same on a corporate network, it is still worth highlighting that just because a product we have in our home is considered 'smart,' it does not mean that it is safe. 

On Monday, researchers from Cisco Talos revealed the discovery of two RCEs in the Cosori Smart Air Fryer, a Wi-Fi-connected kitchen product that leverages the internet to give users remote control over cooking temperature, times, and settings. 

However, it is the same connectivity -- when coupled with security flaws -- that also allows others to take control of the device, too. 

The team tested the Cosori Smart 5.8-Quart Air Fryer CS158-AF (v.1.1.0) and discovered CVE-2020-28592 and CVE-2020-28593. The first vulnerability is caused by an unauthenticated backdoor and the second, a heap-based overflow issue -- both of which could be exploited via crafted traffic packets, although local access may be required for easier exploitation. 

The vulnerabilities have now been disclosed without any fix. According to Talos researchers, Cosori did not "respond appropriately" within the typical 90-day vulnerability disclosure period, and so -- perhaps -- now the vendor will consider issuing a patch now the issues are public. 

While the idea of your cooking utensils being held to ransom by threat actors may be far-fetched, the vulnerabilities represent what is a far wider problem: the general vulnerable state of Internet of Things (IoT) devices in our homes. 

Last week, researchers disclosed nine vulnerabilities in four TCP/IP stacks commonly used by smart devices for communication purposes that could be weaponized to remotely hijack them. The security flaws, thought to impact over 100 million consumer, enterprise, and industrial devices, may be exploited to add vulnerable products to botnets or to obtain entry into linked networks. 

Update 23/4 20.56 BST: Cosori told ZDNet that "the scope of the vulnerability is limited to the local area network and cannot be controlled remotely through WAN," and a firmware update is due for release to patch the flaw on April 25. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0