The worst part of waking up could be the Chinese spying in your coffee cup.
American researcher Christopher Balding said he uncovered evidence that China is devouring data collected through smart coffee machines made in the communist country.
Mr. Balding’s report at New Kite Data Labs said problems with the internet-connected coffee machines are part of a broader data collection effort aimed at Internet of Things devices with low security and unclear data policies.
IoT home appliances include robotic vacuums and thermostats that use machine learning to keep temperatures comfortable.
“China is really collecting data on really just anything and everything,” Mr. Balding said. “As a manufacturing hub of the world, they can put this capability in all kinds of devices that go out all over the world.”
Mr. Balding said the problematic coffee machines are made by Kalerm in Jiangsu, China. The machines gather product information, payment data, and customer information involving location and time, the report from New Kite Data Labs said.
The data provides insight into a user’s name, relative location and usage patterns. In commercial settings such as hotel breakfast buffets, a coffee machine might collect types of payments and routing information.
Mr. Balding said his research firm wouldn’t disclose how it obtained the information because he does not want China to stop him from learning more about its data collection.
New Kite Data Labs’ report made clear that the data was collected from consumers in China. Yet it said the products are sold widely throughout the U.S. and Europe, and that the kind of data exfiltrated from machines in China is likely also taken from machines in the U.S.
“While we cannot say this company is collecting data on non-Chinese users, all evidence indicates their machines can and do collect data on users outside of Mainland China and store the data in China,” the report said. “The data is collected at the point of operation from software embedded in the coffee maker.”
New Kite Data Labs did not reveal evidence to show the Chinese government is using data gathered by Kalerm.
Still, China’s policies of military-civil fusion require corporations to cooperate with the communist government. That means data stored in China is exposed to the government.
Kalerm did not respond to requests for comment.
Smart coffee machines are not the only vulnerable internet-connected devices putting hidden data at risk. Devices may connect to smartphones or have embedded cameras and microphones to sense and respond to voice commands, making more data available to a manufacturer.
Some robotic vacuums use microphones to respond to users’ commands. The vacuums can be controlled with apps available through Apple and Google app stores.
Last year, the cybersecurity firm Mandiant said it uncovered a vulnerability in baby monitors and video doorbells that use the ThroughTek Kalay network, which might allow hackers to access live video and audio.
ThroughTek said at the time that it had notified customers about the flaw and told them how to address it.
The Cybersecurity and Infrastructure Security Agency published an alert about the flaw in August. A cybersecurity official noted that the vulnerability resided in a software development kit designed to encrypt data that is transferred from one point to another and used heavily in IoT devices.
China is not the only nation interested in the data produced by IoT devices.
Former National Security Agency contractor Edward Snowden has expressed concern about a blender.
Mr. Snowden, who revealed private details of NSA’s global surveillance in 2013 and fled to Russia, said the blender’s electronic signature could reveal his location to the U.S. government and others, according to Barton Gellman’s 2020 book “Dark Mirror.”
Mr. Balding has noted that China operates from a distinct position of gathering all the data it can and determining how to use it later.
“Most countries of any significant size probably have interest in devices like this — make zero mistake about that,” Mr. Balding said. “I think the thing that is unique about China is the breadth and depth of their data-collection efforts.”
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.