i bought a smart toaster because amazon recommended it and i was, frankly, weak. it has wifi. it has an app. it has, as we shall see, a port 23 listener with a hardcoded admin password baked into the firmware.
this post is a love letter to that toaster.
step 0: assume the worst
before plugging it in i put it on its own vlan. before it joined the network i set tcpdump rolling. before i installed the app i made a throwaway google account. paranoia is just experience that's been kept warm.
step 1: nmap doesn't lie
$ nmap -sV -p- 192.168.99.42
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
80/tcp open http lighttpd 1.4.13 (2007)
8888/tcp open http Custom mDNS controller
9100/tcp open ??? ???
telnet on port 23. on a toaster. in 2026. the firmware was signed, by the way, with the literal string 'PASSWORD'. i wish i was making this up.
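if you are onboarding gadgets like this regularly, the scan above is worth triaging by script rather than by eye. the following is an added example, not code from the original post: it parses the port table that `nmap -sV -p-` prints (the rows quoted above are embedded as a constructed sample), flags cleartext management protocols, web servers whose reported release year is more than a decade old, and ports nmap could not identify, and decides whether the device stays on its isolated vlan. the risk rules, the ten-year threshold and the assumed current year of 2026 are this example's own choices, not anything the post or the vendor specifies.

```python
"""Triage an `nmap -sV` scan of a new IoT device before letting it near the real LAN.

Added example, not from the original post. The risk rules, the age threshold
and the current year are assumptions made here for illustration.
"""
import re
from dataclasses import dataclass

# Sample input: a constructed copy of the scan table shown in the post.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
23/tcp open telnet BusyBox telnetd
80/tcp open http lighttpd 1.4.13 (2007)
8888/tcp open http Custom mDNS controller
9100/tcp open ??? ???
"""

# Protocols that carry credentials or commands without encryption (assumption: this list).
CLEARTEXT_MGMT = {"telnet", "ftp", "tftp", "rsh", "rlogin"}
MAX_AGE_YEARS = 10      # assumption: a server release older than this is treated as unmaintained
CURRENT_YEAR = 2026     # assumption: the year the post was written

# One nmap port row: "<port>/<proto> <state> <service> <version...>"
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# nmap often appends the upstream release year in parentheses, e.g. "lighttpd 1.4.13 (2007)".
YEAR_RE = re.compile(r"\((\d{4})\)")


@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    severity: str   # "high", "medium" or "low"
    reason: str


def parse_scan(text: str) -> list[dict]:
    """Return one dict per open-port row; the header and unmatched lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["state"] == "open":
            rows.append({"port": int(m["port"]), "service": m["service"],
                         "version": m["version"].strip()})
    return rows


def assess(row: dict) -> Finding:
    """Apply the risk rules to a single open port, most severe rule first."""
    port, service, version = row["port"], row["service"], row["version"]
    if service in CLEARTEXT_MGMT:
        return Finding(port, service, "high", f"{service} sends credentials in cleartext")
    year = YEAR_RE.search(version)
    if year:
        age = CURRENT_YEAR - int(year.group(1))
        if age > MAX_AGE_YEARS:
            return Finding(port, service, "high",
                           f"server release from {year.group(1)} is {age} years old")
    if service == "???" or version == "???":
        return Finding(port, service, "medium",
                       "nmap could not identify the service; fingerprint it by hand")
    return Finding(port, service, "low", "exposed service; confirm the device needs it reachable")


def triage(text: str) -> list[Finding]:
    """Parse a whole scan and return one finding per open port, in scan order."""
    return [assess(row) for row in parse_scan(text)]


def keep_quarantined(findings: list[Finding]) -> bool:
    """True when any high-severity finding exists: the device stays on its isolated VLAN."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    findings = triage(SAMPLE_SCAN)
    for f in findings:
        print(f"{f.severity.upper():6} {f.port:>5}/{f.service:<8} {f.reason}")
    print("keep on isolated vlan:", keep_quarantined(findings))
</test>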
what i did with my findings
filed a CVE. emailed the vendor. they replied in three weeks asking if i could call their developer 'in china, who built it'. i flashed open-source firmware and now the toaster runs prometheus. it exports 14 metrics. one of them is 'crumb_density'.
ten out of ten purchase. would be horrified again.