McAfee Labs’ Advanced Threat Research team today detailed vulnerabilities in two smart home devices that could cause grief for users: a smart padlock and an internet-connected coffee maker.

The first device, called BoxLock, first made an appearance on the show Shark Tank and is designed to be set up outside a home to secure a package delivery container.

So-called “porch pirates,” people who steal deliveries from the front of homes, has become a growing problem in the U.S. in the age of home deliveries. The idea is by having a secure container, the delivery person can place the ordered item in the container and then secure it with the BoxLock.

The lock can be opened by via a mobile application or by using the built-in barcode scanner to scan a package that is being delivered. Homeowners can then later unlock the BoxLock to retrieve the delivered item once they return home.

If that all sounds great in theory, the implementation of security in the device was not. The vulnerability lies with the device’s use of Bluetooth Low Energy which can be used to download an app, send one command and open the lock.

The issue isn’t related to BLE itself but the specific implementation used by the vendor. The researchers were able to find a way, using Generic Attributes commands from a smartphone without the BoxLock app installed, to open the device.

The good news is that the BoxLock was responsive when the McAfee researchers approached them, both working with them to rectify the issue and roll out patches to the lock.

Second on the list is an internet-connected coffee machine, the Mr. Coffee Smart Coffeemaker enabled with WeMo.

WeMo is an “internet of things” platform from Belkin International Inc. that now finds itself appearing in other devices as well.

The coffeemaker accepts scheduling of coffee brewing via the WeMo app but in doing so does not properly validate requests. What that means is that the third-party with access to the network could schedule coffee-making on demand.

While that may not sound specifically nefarious, the coffeemaker could be forced on without fresh coffee in place potentially causing either burned coffee or in an extreme case even a fire.

Belkin did not respond to the McAfee security researchers but has since issued an update that addressed the issue.

“Most businesses, from Fortune 500s to mom-and-pop shops, will likely deal with a security breach or vulnerability disclosure at some point,” Steve Povolny, head of Advanced Threat Research at McAfee, told SiliconANGLE. “Those who are proactive and very public in addressing the issue have an opportunity to reinforce consumer trust and confidence.”

In the case of vulnerability disclosure, he added, “by engaging with the research team and coordinating on the mitigation and communication of the issue, vendors can set themselves apart in industries that are facing further security scrutiny from customers, shareholders and the general public.”

Image: BoxLock; photo: Mr. Coffee