Air fryers are trending in many places, especially due to the lower-fat cooking, for example, of French fries during our testing engineers’ lunch break. We subjected the app-controlled Cosori CS158-AF to an extensive security test.
The smart air fryer CS158-AF has a 5.5-liter cooking chamber and heats it up with a specified power of 1700 W. It can be controlled with 11 automatic programs, but also manually – both via the control panel and via app or voice assistant. After the short setup, the fryer is permanently connected to the home Wi-Fi and can also be controlled on the go. The device is controlled via the VeSync app (Android, iOS). Recipes can also be viewed and started via this app – the recipe shows the necessary settings of the fryer. Similar to Xiaomi, the VeSync app is not only focused on fryers, but also includes numerous products from different areas of life, such as lighting, air purifiers and fitness equipment.
We subjected the VeSync app (version 3.1.32) to a static and dynamic analysis. It has very extensive permissions, for example GPS, contacts, call history, running apps and access to the camera. These are only requested if they are needed. The basic configuration of the application allows unencrypted communication to any server and, according to the static analysis, overrides various certificate validation mechanisms. Furthermore, access to numerous activities and services is shared with other apps, which could be a potential entry point for malware. Another possible entry point is at least one insecure WebView implementation in which Remote WebView Debugging is enabled. This could give full access to the application’s data even on non-rooted devices. However, this would require unlocking the smartphone, opening the correct view and connecting the smartphone to a computer with an active Android debug bridge. Accordingly, this scenario is rather theoretical, but it reinforces the impression of an application in need of security improvements.
A look into the data folders that are usually only visible through the application itself, on unrooted devices, shows, among other things, data from the numerous integrated trackers (according to static analysis: Bugsnag, Facebook Login, Facebook Places, Facebook Share, Google CrashLytics, Google Firebase Analytics, Sensors Analytics and TalkingData). Also the access credentials of the mandatory VeSync account are stored in plain text in the user_save_info.xml, where not the password itself but its MD5 hash (#rainbowtable) is stored. Additionally, an access token is stored, which is used to authenticate all further queries to the VeSync API. Reverse engineering was not necessary for this, since the app creates a debug log of every app start in the smartphone’s public memory, where all queries and responses are listed – including the access data used in plain text.
The Cosori air fryer is controlled via the already mentioned VeSync API. According to the network analysis, a chip from the manufacturer Espressif is responsible for the Wi-Fi connection, more precisely an ESP8285 – a Wi-Fi SoC with integrated flash memory. The device establishes an encrypted MQTT connection to Amazon AWS US and always keeps it alive. Local control via the app apart from the VeSync API is not possible.
All connections to the VeSync API were TLS1.2 encrypted, but the API also allows older, insecure TLS versions such as TLS1.0. Therefore, there is no protection against downgrade attacks. Open source projects have already documented the API in detail. In a test of the important functions, including the check for an existing account of an e-mail address and the login itself, it was noticed that the API does not seem to use any rate limiting mechanisms and opens the door to attacks, for example using rainbow tables. In our test, it was not possible to control the fryer above its maximum temperature of 205°C, but a successful attack can still be dangerous.
The fryer itself validates certificates correctly, and the app has also implemented certificate pinning for all VeSync API queries, contrary to contradictory statements in the static analysis.
The Cisco Talos Intelligence Group discovered two vulnerabilities in the device registration process in April 2020. (CVE-2020-28592, CVE-2020-28593, firmware version 1.1.0) It exploited the open Wi-Fi hotspot that is available at the beginning of the setup and sent a corrupted configuration packet to the device, which could be used to open a debug port and execute arbitrary code. According to the report, physical access and resetting the device was required to exploit the vulnerability. In April 2021, Cosori released a firmware update that closed these vulnerabilities, according to Talos. It is interesting that the fryer we tested seems to have an older firmware version and still claims to be up-to-date.
The Internet of Things is expanding into many areas. Smart appliances are also gaining in popularity in the kitchen, for example the Monsieur Cuisine Connect, which we also tested. However, the Cosori CS158-AF air fryer leaves us with mixed feelings. Of course, one can argue about the sense and nonsense of a fryer that can be controlled via the Internet – but what is not debatable is that the access must be secured and the data collection only to the extent that the purpose requires it. Both points are rather questionable in the case of the device from the US manufacturer. The online communication, which is always encrypted, does not hide the high data collection by many analysis tools and trackers. Furthermore, both the VeSync app and its API are in need of improvement.
For this reason, we award the Cosori CS158-AF one out of three possible stars.