Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'
from the pwned-Earl-Grey dept
We've discussed at length that companies rushing to embrace the "Internet of Things" (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we're now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.

While these companies are desperately trying to highlight the wonderful future of Internet connected devices, they've inadvertently been creating advertisements for why many devices should just remain stupid. Especially if you're going to cut corners in development so device security is an afterthought, or cut corners post-release when it comes to quickly identifying and patching exploits.
The latest case in point: the $150 iKettle by UK company Smarter promises to save its users "two days a year in wasted waiting time" over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil. Avoiding the horrible task of having to walk a few feet and wait a few minutes is the pinnacle of modern engineering to be sure; the problem is that for the better part of this year researchers have been noting that the security on the kettle was virtually nonexistent:
"If you haven't configured the kettle, it's trivially easy for hackers to find your house and take over your kettle," Munro says. "Attackers will need to set up a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link. So I can sit outside of your place with a directional antenna, point it at your house, knock your kettle off your access point, it connects to me, I send two commands and it discloses your wireless key in plain text."

The researchers call the current state of IoT security "utterly bananas," and warn readers of their blog not to "put pointless 'Internet of Things' devices on your home network, unless their security is proven." For what it's worth, the company behind the not-so-smart kettle tells several other news outlets that it will be updating the kettle's companion app to eliminate the security vulnerability -- sometime next month. So yeah, we've ingeniously "solved" the problem of having to walk a few feet to turn on the kettle, but created countless new problems while simultaneously advertising the benefits of competing dumb products.
Filed Under: internet of things, security, tea kettle
Reader Comments
Internet Of Things!
Why the hell do appliances even need a communication link anyway? Communication is meant for humans.
Re: Internet Of Things!
We should be striving to recover time for ourselves, for human interaction, for "petty" pleasure or simply for doing nothing, and yet here we are, trying to squeeze every single minute out of our 'useless' time to do more of... what? Why do we need to do more? Why do we need to be even more connected?
Really, I'm moving to the other side.
Re:
If the kettle were made by Withings it would demand your Facebook and Twitter passwords during setup. Every time you heat water it would proudly inform everyone on social media. Every interaction with your kettle would go through a server in France so that you could be monetized.
Re: Re:
And if you own a camera, it would insist that you take a picture of it with whatever cup of tea you brewed.
'Replace your fork, it has exceeded its maximum number of bites'
Arsonist's Best Friend.
and burning down your house.
I shit when I hear stories like this.
"That's nothing. My printer got sued for copyright infringement."
Re:
She is currently in solitaire and is only allowed one packet a day.
Here is my app. Here is my spout.
When I get all steamed up, hear me shout:
"I've been hacked! What's that about?".
Re:
Polly put the kettle on, we all got hacked.
Useless if they can't remotely put the required amount of water in it.
Re:
That's what the iFaucet will be for!
Oh right, executives. Nevermind.
Adam Smith on the Internet Of Things
but of course now that the advertisers have managed to remove the word "enough" from our dictionaries, very few people want to hear it.
Worst case scenario: these kettles magically make you coffee instead of tea... or worse... DECAF!
There's a need here...
With this system in place, you could get a text or e-mail stating that the POT is calling the iKettle hacked.
Don't let strangers in your network (IoT device === stranger)
Any new device that claims to be "smart" goes into a sandbox DMZ that allows you to get in and control it, but those devices are not allowed to get out, even to the internet. Possibly have one zone per device.
If you choose to trust a device, move it to a DMZ that has more permissions, maybe internet access or maybe just access to other devices.
If it's not open source it's going to have to have a lot of trust before getting inside the zone where "my stuff" is.
Poorly designed devices may still be vulnerable to a wifi attack, but they can't serve as a gateway into your network.
Maybe instead of DMZs, using WPA2-Enterprise combined with a RADIUS server would work. (I'm not a network guy, just paranoid enough to learn.)
True, this won't help with nefarious devices that you connect to the wrong zone, but that's a different issue anyway.
Re: Don't let strangers in your network (IoT device === stranger)
Very very few consumer devices support 802.1x. I wish they did. I hate having a single PSK for the devices on my network that are probably the least secure. I isolate them and apply strict ingress and egress rules for traffic to them.
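One concrete form of the zoning described in the comment above and in its reply (a sandbox the trusted LAN may reach into but that cannot reach out, one zone per device, with ingress and egress rules): an nftables forward policy emitted by a POSIX shell script. This is an added example, not code from the commenters, Techdirt or Smarter, and the router interface names lan0, iot0/iot1 and wan0 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the comments. Assumed (placeholder)
# interfaces on the router: lan0 = trusted LAN ("my stuff"); iot0, iot1, ... =
# one VLAN interface per untrusted "smart" device; wan0 = uplink.

# Emit the nftables ruleset implementing the sandbox-DMZ policy.
iot_ruleset() {
    cat <<'EOF'
table inet iot_sandbox
flush table inet iot_sandbox
table inet iot_sandbox {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows the trusted side opened may come back in.
        ct state established,related accept
        ct state invalid drop

        # The trusted LAN may reach into any zone to control its device,
        # and out to the Internet as usual.
        iifname "lan0" oifname "iot*" accept
        iifname "lan0" oifname "wan0" accept

        # A zone may not open anything: not to the LAN, not to another
        # zone, not to the Internet. Log it; a device phoning home or
        # probing its neighbours is exactly what you want to notice.
        iifname "iot*" log prefix "iot-egress-blocked: " counter drop
    }
}
EOF
}

# Number of accept rules in the policy; a sanity check that the allow-list
# stays as small as intended (expected: 3).
iot_accept_rule_count() {
    iot_ruleset | grep -c ' accept$'
}

# Validate with nft's dry run (-c) before loading, so a typo cannot leave
# the router without a ruleset.
apply_iot_ruleset() {
    tmp=$(mktemp) || return 1
    iot_ruleset > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

case "${1:-print}" in
    apply) apply_iot_ruleset ;;
    *) iot_ruleset ;;
esac
```

As the comment notes, this only contains a compromised device; it does nothing against the Wi-Fi-layer attack on the kettle itself, which needs the vendor fix.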
Uh...simple question:
If you haven't configured it yet, how can they get your PSK?
It's like the old story of how they catch monkeys: put some food in a tree stump with a hole that is only big enough for the monkey to reach into with a relaxed hand. When the monkey closes its fist around the food, its hand is too big to pull out of the hole and the monkey is stuck. Even when it sees danger approaching, it's not smart enough to drop the food and pull out its hand.
People are monkeys and the IOT is the tree stump.