After a first sale in June, Lidl’s robot-cooker will return to France on December 2nd: there will be 150,000 appliances on sale. It is the same product, with the vulnerabilities Numerama pointed out in an investigation. But the inactive microphone will now be mentioned in the manual.
You haven’t heard the last of Mr. Kitchen Connect The connected household appliance marketed by Lidl for the first time in June 2019 will return to the shelves on 2 December next, as the Les Numériques website noted in September. Lidl’s official advertising now confirms it: 150,000 products will be on sale throughout France, at a price of 359 euros.
This very low-cost connected robot cooker had been the talk of the town in the summer, due to the crowd of potential customers who had gathered in front of Lidl stores to buy it. He had also been at the centre of an investigation published by Numerama concerning a deported microphone in the aircraft, which was not mentioned anywhere, and which is potentially vulnerable to outside attacks.
Is Lidl going to market the same product six months later? The answer is yes.
Contacted by Numerama, the hard-discount brand confirmed that it will be the “same model as the one sold in June 2019, and therefore the microphone will still be deported and inactive.” On the other hand, Lidl has nevertheless made an important modification: “the microphone will be clearly indicated in theuser manual “, we are told, “except for the leftovers from our sale last June which will also be put back on sale in stores on this occasion.“Slight progress, then.
The case of Mr. Cook Connect and its vulnerabilities
Last June, with the help of two French people Alexis Viguié (@Siphonay) and Adrien Albisetti (@Sinuso), we discovered that the Mr. Connect Kitchen contained a hidden microphone, even though it was officially not possible to control the device by voice. Alexis and Adrien had managed to “unlock” the Android interface that allows the robot’s tablet to rotate and hijack it to do other things: watch a Youtube video play the Doom game, and… make a call by activating the famous microphone that wasn’t supposed to exist.
The most plausible explanation is that SilverCrest, the brand that produces the device in China, simply used a banal entry-level tablet to operate its robot-cooker, thus keeping some features that are not interesting for a household robot (Bluetooth 4.0, 16 GB internal memory, a quad-core processor at 1.3 GHz, and therefore, a microphone).
But our attention had been drawn to the fact that the microphone had been deliberately moved out of the tablet by the manufacturer, by a mechanical extension, which showed that there was indeed a will, in the long run, to use this microphone. As we pointed out at the time, the microphone seemed to be disabled by default.
Interior of Monsieur Cuisine Connect sold in France // Source : Adrien Albisetti (@Sinuso)
This is the defence that Lidl finally gave after our investigation was published: “This microphone option is installed in the machine to enable future developments such as voice control. The activation of the latter will be subject to an update and the customer will be able to choose whether or not to use this feature.»
In the meantime, however, the famous microphone was not mentioned in any place, so clients were not necessarily aware of it. This will no longer be the case with this updated product insert – however, we do not know how many old June 2019 products will be released for sale in December. Michel Biero, the executive director of purchasing and marketing at Lidl France, told Les Numériques that there would be ” 1,500 copies” that were not recovered in June, and therefore will be put back on sale as is, without the new notice.
Should I buy the Lidl Mister Kitchen Connect?
Another important piece of information: the famous tablet that runs the device runs on an older version of Android, Android 6.0, with security patches dating back to 2017… This makes the device vulnerable to attacks.
Have any corrections been made at this level? Based on Lidl’s response, it would appear not: “The Mister Cuisine Connect, which will be sold in LIDL supermarkets in December 2019, will be the same model as the one sold in June 2019 “, the brand states. At the time, the company replied that “is provided for in the operating instructions for regular updates, which is common forconnected devices”.
monsieur-cuisine.com
The Mr. Kitchen Connect is a device that has been, and will surely still be in December, a great success: it is sold for 359 euros, for features that seem to be close to those provided by the high-end Thermomix, which is three times more expensive.
Can you buy it safely? The device’s vulnerabilities are not reassuring: as is the case for many everyday connected objects, especially entry-level ones, additional protections would be necessary, especially considering the ease with which some people manage to take control of connected objects (remotely or not) for malicious purposes (hacking into a casino by taking control of a connected thermometer, for example).
Could pirates “remotely activate your microphone to spy on you in your kitchen while you are making onion soup “, as we have heard on some shows? The probability is low (and so is the interest), even if there is no risk 0. There is a greater risk, in cases such as this, that malicious individuals could hijack this device, along with thousands of others, to make them carry out targeted commands from a distance (launching a DDos attack, for example).
It would have been welcome if Lidl had had its product modified to address these potential vulnerabilities before releasing it for sale in December in France. Of course, this would certainly have been costly, for a product that is intended to be entry-level and designed to reduce costs as much as possible. Also, it is not known whether, one day, the product will be equipped with voice control (as Lidl claims). The important thing is that you are aware of these vulnerabilities, and that you know what are the potential risks to be weighed against the gain from this purchase. In any case, you now have all the information you need to make this choice.
>> To reread our entire survey on the Mr. Cook Connect, it’s here
>> To reread Lidl’s explanations at the time, it’s here.
This article was originally published on September 28, 2019
verifiedtasks
admin
