Thermomix TM5 Vulnerabilities Enable Remote Takeover by Attackers


Researchers have uncovered multiple vulnerabilities in the Thermomix TM5, a multifunctional kitchen appliance from Vorwerk, allowing attackers to potentially achieve remote takeover through firmware manipulation and persistent code execution.

The device’s main board, powered by a Freescale/NXP i.MX28 SoC with an ARM926EJ-S core, integrates a NAND flash (Toshiba TC58NVG0S3HTA00) and DDR2 SDRAM, which were dumped and examined after removing the conformal coating.

Critical Flaws in Firmware

The NAND uses a custom GPMI controller with metadata interleaving for integrity, complicating direct reads, but tools like imx-nand-tools enabled extraction of the boot control blocks (BCBs), including Firmware Configuration Blocks (FCBs) and Discovered Bad Block Tables (DBBTs), protected by software ECC.

This revealed encrypted file systems and keys, such as the AES-128 CBC encryption in /opt/cookey.txt, used for decrypting “cook sticks”, magnetic USB modules containing recipe databases.

By reverse-engineering the kernel’s Data Co-Processor (DCP) driver, hardcoded cmp_key and act_key ...


Copyright of this story solely belongs to gbhackers.