The worst part of waking up could be the Chinese spying in your coffee cup.
American researcher Christopher Balding said he uncovered evidence that China is hoovering up data collected through smart coffee machines that are made in the communist country and shipped to America.
Mr. Balding’s report at New Kite Data Labs said problems with the internet-connected coffee machines are part of a broader data-collection effort aimed at internet-of-things (IoT) devices that have low security and unclear data policies.
IoT devices include a range of home appliances from robotic vacuums to thermostats using machine learning to keep people comfortable amid the summer heat.
“China is really collecting data on really just anything and everything,” Mr. Balding said. “As a manufacturing hub of the world, they can put this capability in all kinds of devices that go out all over the world.”
Mr. Balding identified the problematic coffee machines as products made by Kalerm, which is located in Jiangsu, China. The machines gather product information, payment data, and customer information involving location and time data, according to New Kite Data Labs’ report.
Taken together, this data provides insight into a user’s name, relative location, and usage patterns. The data may include financial information such as the type of payment and routing information typically used by the machines in commercial settings.
For example, a coffee machine at a breakfast buffet in a hotel may gather payments from individuals, in contrast to the company’s home-use coffee machines.
Mr. Balding said his research firm is mum on how it obtained the information because he does not want China to stop him from learning more about its data collection inside the communist country.
New Kite Data Labs’ report made clear that the data collection it observed involved China-based consumers, though it noted that the products are sold widely throughout the U.S. and Europe, and that this distribution makes it likely that the same data exfiltrated from machines in China is taken from machines in America.
“While we cannot say this company is collecting data on non-Chinese users, all evidence indicates their machines can and do collect data on users outside of Mainland China and store the data in China,” the report said. “The data is collected at the point of operation from software embedded in the coffee maker.”
New Kite Data Labs did not reveal evidence to show the Chinese government is using data gathered by Kalerm.
China’s policies of military-civil fusion, however, force corporations to cooperate with the communist government, meaning that data stored in China is exposed to the government.
Kalerm did not respond to requests for comment.
Smart coffee machines are not the only vulnerable internet-connected devices putting Americans at risk of hidden data collection. Other internet-of-things devices may connect to smartphones or have embedded cameras and microphones to sense and respond to voice commands, which makes more data available for a manufacturer to gather.
For example, some robotic vacuums use microphones to respond to users’ commands and the vacuums can be controlled by apps accessible on a range of devices through Apple and Google’s app stores.
Last year, the cybersecurity firm Mandiant said it uncovered a vulnerability in baby monitors and video doorbells that use ThroughTek’s Kalay network, which would give hackers the potential to access live video and audio.
ThroughTek said at the time it had notified customers about the flaw and told them how to address it.
The Cybersecurity and Infrastructure Security Agency published an alert about the flaw last August, and a cyber official noted then that the vulnerability resided in a software development kit designed to encrypt data that is transferred from one point to another and used heavily in IoT devices.
China is not the only nation with an interest in the data produced by IoT devices around the world.
Former National Security Agency contractor Edward Snowden has expressed concern about owning a blender to make milkshakes after fleeing the U.S. for Russia.
Mr. Snowden, who revealed private details of NSA’s global surveillance in 2013, worried that the blender’s electronic signature could reveal his location to the U.S. government and others, according to author Barton Gellman’s 2020 book “Dark Mirror.”
Mr. Balding has noted that China operates from a distinct position of gathering all the data it can and determining how to use it later.
“Most countries of any significant size probably have interest in devices like this — make zero mistake about that,” Mr. Balding said. “I think the thing that is unique about China is the breadth and depth of their data-collection efforts.”