(Info Numerama) Lidl's brand new connected cooking robot has been a hit in France since early June 2019. While trying to repurpose its touch screen, two Frenchmen discovered several curious things about how the device works. With their help, Numerama has uncovered the existence of an inactive secret microphone, which could be vulnerable to attack.
The release of Lidl's Mr. Cuisine Connect in France did not go unnoticed. This low-cost cooking robot, a competitor to the famous Thermomix, went on sale on Monday, June 3rd, 2019, drawing large crowds at Lidl stores in France. The reason: its very attractive price of 359 euros, for features that seem close to what the high end offers (1,299 euros for the Thermomix TM6).
The success of this new model of the Mr. Cuisine (the first was released in 2016, without a connected screen) is such that Lidl has committed to supplying 200 stores in France for 15 weeks, reports Le Parisien: tens of thousands of units will be sold in France in the coming months.
But how does this connected object, designed in Germany, produced in China by the brand SilverCrest and marketed by Lidl in France, Germany, Belgium, Switzerland and Great Britain, really work? Numerama discovered, with the help of two Frenchmen, that certain characteristics of the device raise questions. Our investigation shows in particular that a microphone was installed in the Mr. Cuisine Connect, without its presence being disclosed and without any apparent justification.
An inactive but functional secret microphone
The Mr. Cuisine Connect is a cooking robot connected to the internet over Wi-Fi. It is equipped with a 7-inch connected touch screen, which is mainly used to consult recipes and manage cooking.
A few days after spotting the product at Lidl, Alexis Viguié (@Siphonay) and Adrien Albisetti (@sinusoidal), two Frenchmen who dabble in computer science, decided to tinker with the device to see how it was made. "A friend challenged him to run Doom on it," explains Alexis. Doom, a cult video game, has almost become a meme among enthusiasts who, for fun, try to install it on all sorts of devices that were never designed for it.
After a few minutes, the two men noticed that the keyboard used by the Mr. Cuisine Connect is the Android keyboard. Android is the most widely used operating system in the world, and it runs on a great many smartphones and connected objects today.
After some online research, they discovered the tutorial of a German who had managed to "unlock" the Android interface of his Mr. Cuisine Connect and use it as if it were a regular tablet. They managed to replicate the process and then showed the result in a YouTube video. It shows that the Mr. Cuisine Connect can be used, while it is preparing food, to watch a YouTube video or browse the FranceInfo site.
But one detail caught our attention: the two men also managed to get the microphone built into the device working. Yet officially, the device has no microphone.
There is no mention of its existence anywhere, neither on the official website nor in the instructions for use that we consulted. Still, it is in perfect working order. The two Frenchmen agreed to shoot a video for Numerama, in which we see them manage to chat through the voice chat application Discord, using the built-in speakers and microphone.
The microphone seems to be disabled by default. "The basic firmware application does not require Android permission to use the microphone," confirms Alexis Viguié. But why, then, is the device equipped with one? Contacted by Numerama, Lidl took note of our questions but did not get back to us within the 48 hours proposed by the editorial staff. This article will be updated if the retailer provides answers.
The simplest explanation lies with the (entry-level) tablet that was built into the Mr. Cuisine Connect, and that was hardly modified to meet the needs of the cooking robot. As Alexis Viguié and Adrien Albisetti note, it has additional functions that are useless for cooking, which suggests that the manufacturer did not bother to customize the device in detail, but simply took a tablet with its existing features. It has Bluetooth 4.0, 16 GB of internal memory (which is huge compared to the product's very low storage needs), a quad-core processor at 1.3 GHz, and … a microphone.
So one might think that the microphone was part of the original tablet and is therefore present by default, without the manufacturer having chosen to add it. But when the Mr. Cuisine Connect is taken apart, we see that the microphone was in fact deliberately relocated by the manufacturer to the side, outside the tablet, by means of a mechanical extension.
In a video from the German YouTube channel Gauster Haus, in which the YouTuber dismantled the device in May 2018, we can see that two components were relocated: on the left, the microphone; on the right, a sound output in the form of a small speaker (screenshot with our annotations below).
These are the same components that Adrien Albisetti found when dismantling the device himself, as Numerama saw in the photos he provided us. Note also that the microphone is similar, but the speaker seems larger than in the German YouTuber's 2018 model.
When we look at the device from the outside, there is no doubt: two areas of holes have been drilled on either side of the ventilation (the fan that can be seen in the picture of the interior above). They can even be clearly made out on some promotional images of the robot posted on the site sir-cuisine.com (but not on others, where the microphone hole is not visible).
This means that the manufacturer deliberately chose to move the microphone out of the tablet and to create a specific opening for it. Does Lidl plan to enable voice control in the near future? The documentation of the Mr. Cuisine Connect does, in any case, mention the possibility that the device performs automatic software updates, that is, without needing the user's agreement.
A tablet running Android 6.0
Having a microphone without notifying users is already a problem in itself: others before Lidl have been called out for similar cases. One recent example is Google, which was forced to admit, in February 2019, that an inactive microphone was built into the Nest Secure alarm system, when no one knew about it and the data sheet did not mention it.
But the existence of this undisclosed microphone could have much more serious consequences if someone attempted to hack the device. As Alexis Viguié and Adrien Albisetti observed, the Mr. Cuisine Connect runs on an old version of Android, Android 6.0, with security patches dating from 2017, which makes the device vulnerable to attack.
Each month, Google releases a new security patch that fixes dozens of flaws of varying importance, affecting Android as well as third-party components. In each security bulletin, the company indicates the severity of each vulnerability: "moderate", "high" or "critical".
Android 6.0 was released in October 2015, and the last update of this branch (6.0.1) was in October 2017. The Mr. Cuisine Connect was first offered for sale in May 2018 in Germany, a year after the last update. In addition, the latest security patch for Android 6.0 was released in August 2018: the company could have applied it.
Why is a product from 2018 equipped with this old and, moreover, unsecured version of Android? Lidl did not get back to us with an explanation. That said, there are several possible answers: product development can be slow, older versions of Android are easier to customize … or, quite simply, the manufacturer took a white-label Android tablet and put it "as is" in its robot. And since this information is not known to customers, manufacturers do not necessarily feel obliged to move to something more secure.
To date, we have not observed any remote takeover of the tablet's microphone.
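The two observations above (the age of the security patch level, and which installed applications hold the microphone permission) can be checked on any Android device with `adb shell getprop` and `adb shell dumpsys package`. The following is an added example, not code from the article or from the manufacturer: the sample outputs are constructed, the package names are hypothetical, and the 90-day threshold is an assumption.

```python
import re
from datetime import date
# Constructed `adb shell getprop` excerpt; the patch date is a placeholder
# chosen to match "patches dating from 2017", not a value from the article.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2017-06-05]
"""

# Constructed `adb shell dumpsys package` excerpt with hypothetical packages.
SAMPLE_DUMPSYS = """\
  Package [com.example.recipes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
  Package [com.example.voicechat] (4d5e6f):
    requested permissions:
      android.permission.RECORD_AUDIO
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
"""

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def patch_age_days(props, today):
    y, m, d = map(int, props["ro.build.version.security_patch"].split("-"))
    return (today - date(y, m, d)).days

def mic_packages(dumpsys_text):
    """Map package name -> 'granted' or 'requested' for RECORD_AUDIO."""
    result, pkg = {}, None
    for line in dumpsys_text.splitlines():
        header = re.match(r"\s*Package \[([^\]]+)\]", line)
        if header:
            pkg = header.group(1)
        elif pkg and "android.permission.RECORD_AUDIO" in line:
            if "granted=true" in line:
                result[pkg] = "granted"      # permission is usable right now
            else:
                result.setdefault(pkg, "requested")
    return result

def audit(getprop_text, dumpsys_text, today, max_age_days=90):
    # max_age_days is an assumed policy threshold, not a figure from the article.
    props = parse_getprop(getprop_text)
    age = patch_age_days(props, today)
    return {"android": props.get("ro.build.version.release"), "patch_age_days": age,
            "patch_stale": age > max_age_days, "mic": mic_packages(dumpsys_text)}
```

Calling `audit(SAMPLE_GETPROP, SAMPLE_DUMPSYS, date(2019, 6, 5))` reports a stale patch level and lists only the hypothetical voice chat package as holding the microphone permission.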