Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'

from the pwned-Earl-Grey dept

Fri, Oct 23rd 2015 3:20am — Karl Bode

We've discussed at length that companies rushing to embrace the "Internet of Things" (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we're now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.

While these companies are desperately trying to highlight the wonderful future of Internet connected devices, they've inadvertently been creating advertisements for why many devices should just remain stupid. Especially if you're going to cut corners in development so device security is an afterthought, or cut corners post release when it comes to quickly identifying and patching exploits.

The latest case in point: the $150 iKettle by UK company Smarter promises to save its users "two days a year in wasted waiting time" over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil. Avoiding the horrible task of having to walk a few feet and wait a few minutes is the pinnacle of modern engineering to be sure; the problem is that for the better part of this year researchers have been noting that the security on the kettle was virtually nonexistent:

"If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle," Munro says. "Attackers will need to setup a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link. "So I can sit outside of your place with a directional antenna, point it at your house, knock your kettle of your access point, it connects to me, I send two commands and it discloses your wireless key in plain text."

The researchers call the current state of IOT security "utterly bananas," and warn readers of their blog not to "put pointless ‘Internet of Things’ devices on your home network, unless their security is proven." For what it's worth, the company behind the not-so-smart kettle tells several other news outlets that it will be updating the kettle's companion app to eliminate the security vulnerability -- sometime next month. So yeah, we've ingeniously "solved" the problem of having to walk a few feet to turn on the kettle, but created countless new problems while simultaneously advertising the benefits of competing dumb products.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: internet of things, security, tea kettle

37 Comments

If you liked this post, you may also be interested in...

Reader Comments

The First Word

“

"My tea kettle got hacked!"
"That's nothing. My printer got sued for copyright infringement."

—Anonymous Coward

”

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 23 Oct 2015 @ 3:44am

Internet Of Things!
...or as I like to call it "Easier to Brake Things".

Why the hell do appliances even need a communication link anyway? Communication is meant for humans.
[ link to this | view in chronology ]
- Ninja (profile), 23 Oct 2015 @ 4:28am
  
  Re: Internet Of Things!
  On a side note, try to picture your usual Hollywood hacker group around a computer using hacker magic to do their magic (and possibly a shiny golden key) when they suddenly erupt in cheers while the one operating the box yells "I did it, I hacked into the kettle!". Then the scene changes and there's a massive explosion in the nearby power plant, because reasons.
  [ link to this | view in chronology ]
Ninja (profile), 23 Oct 2015 @ 3:56am

A few of these things connected to the Internet are really useful and do help a lot. But a kettle? Putting the security issue aside, a kettle? Wtf humanity.

We should be striving to recover time for ourselves, for human interaction, for "petty" pleasure or simply for doing nothing and yet here we are, trying to squeeze every single minute out of our 'useless' time to do more of.. what? Why do we need to do more? Why do we need to be even more connected?

Really, I'm moving to the other side.
[ link to this | view in chronology ]
- Roger Strong (profile), 23 Oct 2015 @ 12:42pm
  
  Re:
  You've lived a sheltered life.
  
  If the kettle were made by Withings it would demand your Facebook and Twitter passwords during setup. Every time you heat water it would proudly inform everyone on social media. Every interaction with your kettle would go through a server in France so that you could be monetized.
  [ link to this | view in chronology ]
  - Bergman (profile), 20 Sep 2020 @ 3:53pm
    
    Re: Re:
    And if you own a camera, it would insist that you take a picture of it with whatever cup of tea you brewed.
    [ link to this | view in chronology ]
Yes, I know I'm commenting anonymously, 23 Oct 2015 @ 4:03am

`Replace your fork, it has exceeded its maximum number of bites'
We will soon have to incorporate mandatory faraday-cages into building regulations, simply because all available devices will have unsecure, always-on wifi connections.
[ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 4:16am

Makes me think there might well be a market for home insulation with a conductive foil vapor barrier...
[ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 4:19am

Arsonist's Best Friend.
Just keep turning it on through the day. At 'worst' it'll quickly break, at 'best' it'll actually overheat and short.
[ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 4:42am

it’s trivially easy for hackers to find your house and take over your kettle.

and burning down your house.

ishit when i hear stories like this.
[ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 4:45am

"My tea kettle got hacked!"
"That's nothing. My printer got sued for copyright infringement."
[ link to this | view in chronology ]
- Anonymous Coward, 23 Oct 2015 @ 5:06am
  
  Re:
  Printers are people my friend.
  [ link to this | view in chronology ]
- Anonymous Coward, 29 Oct 2015 @ 6:42pm
  
  Re:
  My wifi is up on murder charges.
  She is currently in solitaire and is only allowed one packet a day.
  [ link to this | view in chronology ]
Violynne (profile), 23 Oct 2015 @ 5:09am

I'm a little teapot, short and stout.
Here is my app. Here is my spout.

When I get all steamed up, hear me shout:
"I've been hacked! What's that about?".
[ link to this | view in chronology ]
- Anonymous Coward, 23 Oct 2015 @ 5:39am
  
  Re:
  Polly put the kettle on, Polly put kettle on.
  Polly put the kettle on, we all got hacked.
  [ link to this | view in chronology ]
Dingledore the Flabberghaster, 23 Oct 2015 @ 6:16am

the $150 iKettle by UK company Smarter promises to save its users "two days a year in wasted waiting time" over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app

Useless if they can't remotely put the required amount of water in it.
[ link to this | view in chronology ]
- Anonymous Coward, 23 Oct 2015 @ 6:37am
  
  Re:
  and you win the internet.
  [ link to this | view in chronology ]
- Rekrul, 23 Oct 2015 @ 3:15pm
  
  Re:
  Useless if they can't remotely put the required amount of water in it.
  
  That's what the iFaucet will be for!
  [ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 7:01am

ITea kettle for IT professionals everywhere.
[ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 7:11am

Megaman Battle Network, a children's game series, got this back in the early 00s. How can professionals in the field not get that this would happen?

Oh right, executives. Nevermind.
[ link to this | view in chronology ]
Anonymous Coward, 23 Oct 2015 @ 7:26am

Security
Not really surprising. And it's not just IoT items you buy in the store. All these 'makers' don't have the slightest clue when it comes to security. They will install tons of random crap on their Raspberry Pi's for all over the internet because their how-to blogs told them to. Then they will throw the Pi in the DMZ and blab about their new lightup toy all over the internet without even thinking about securing the device.
[ link to this | view in chronology ]
Wendy Cockcroft, 23 Oct 2015 @ 7:30am

Remember the blob-like people in Wall-E? Get off the damn couch and switch on the kettle yourself! It's not like you're being asked to pedal a bicycle hooked up to a dynamo to power the thing!
[ link to this | view in chronology ]
a.s, 23 Oct 2015 @ 7:31am

Adam Smith on the Internet Of Things
examine the records of history, recollect what has happened within the circle of your own experience, consider with attention what has been the conduct of almost all the greatly unfortunate, either in private or public life, whom you may have either read of, or heard of, or remember; and you will find that the misfortunes of by far the greater part of them have arisen from their not knowing when they were well, when it was proper for them to sit still and to be contented. The inscription upon the tomb-stone of the man who had endeavoured to mend a tolerable constitution by taking physic; 'I was well, I wished to be better; here I am; may generally be applied with great justness to the distress of disappointed avarice and ambition.

but of course now that the advertisers have managed to remove the word "enough" from our dictionaries, very few people want to hear it.
[ link to this | view in chronology ]
avideogameplayer, 23 Oct 2015 @ 7:33am

Until I hear that someone made like 10,000 of these kettles blow up all at once, this is just a bs fluff story...

Worse case scenario: these kettles magically make you coffee instead of tea...or worse...DECAF!
[ link to this | view in chronology ]
- John Fenderson (profile), 23 Oct 2015 @ 7:37am
  
  Re:
  No, the worst case scenario is that your place burns down.
  [ link to this | view in chronology ]
  - avideogameplayer, 23 Oct 2015 @ 8:07am
    
    Re: Re:
    Sarcasm...do you know it?
    [ link to this | view in chronology ]
    - John Fenderson (profile), 23 Oct 2015 @ 8:59am
      
      Re: Re: Re:
      Sorry! I am familiar with the concept of sarcasm. Your comment just wasn't quite sarcastic enough to trigger my detectors. I tripped up on whatever the sarcastic version of Poe's law is.
      [ link to this | view in chronology ]
Oblate (profile), 23 Oct 2015 @ 8:07am

There's a need here...
There's a need for an app or device that protects all of the 'things' that the typical residence has, or will soon have, from malicious activity, or at least detects when they've been compromised. This Protector of 'Things' (POT) could report to you as soon as it detects any such activity.

With this system in place, you could get a text or e-mail stating that the POT is calling the iKettle hacked.
[ link to this | view in chronology ]
Rex Rollman, 23 Oct 2015 @ 8:08am

The Internet Of Insecure Things.
[ link to this | view in chronology ]
Blaine (profile), 23 Oct 2015 @ 8:32am

Don't let strangers in your network (IoT device === stranger)
We need a "my mom could use it" device that sets up some DMZs in the network.

Any new device that claims to be "smart" goes into a sandbox DMZ that allows you to get in and control it, but those devices are not allowed to get out, even to the internet. Possibly have one zone per device.

If you chose to trust a device move it to a DMZ that has more permissions, maybe internet access or maybe just access to other devices.

If it's not open source it's going to have to have a lot of trust before getting inside the zone where "my stuff" is.

Poorly designed devices may still be vulnerable to a wifi attack, but they can't serve as a gateway into your network.

Maybe instead of DMZs; using WPA-2 Enterprise, combined with a RADIUS server would work. (I'm not a network guy, just paranoid enough to learn)

True, this wont help with nefarious devices that you connect to the wrong zone, but that's a different issue anyway.
[ link to this | view in chronology ]
- allengarvin (profile), 23 Oct 2015 @ 3:06pm
  
  Re: Don't let strangers in your network (IoT device === stranger)
  "using WPA-2 Enterprise, combined with a RADIUS server would work. (I'm not a network guy, just paranoid enough to learn)"
  
  Very very few consumer devices support 802.1x. I wish they did. I hate having a single PSK for the devices on my network that are probably the least secure. I isolate them and apply strict ingress and egress rules for traffic to them.
  [ link to this | view in chronology ]
Anonymous Anonymous Coward, 23 Oct 2015 @ 9:10am

Smart
Y’all don’t get it. You're supposed to call the smart kettle from your smartphone while driving your smart car so that you can make tea or some other smart beverage upon arrival home. Meanwhile, your smart car will recognize that you are using a smart device while driving and do a near field connection to the police via a smart network of smart cars to the closest smart WiFi connection to smartly report you. When the police pull you over, your smart car will also report you for ignoring the smart car’s warning that service is needed soon (specifically your oil will need changing in 3999 miles) and failure to pay your weekly smart auto dealership fine, err fee. While the police officer looks up your record he calls for the K-9 unit to do a quick sniff, and then writes a smart ticket that will disable your ignition until it is paid, your smart kettle is merrily boiling away whatever water you remembered to leave in it. When the smart kettle goes dry, it is not smart enough to turn itself off, but fortunately your smart smoke detector is smart enough to inform your smart security system after your smart thermostat reaches its preset ‘something is wrong’ temperature. You smartly set the combination of smart smoke detector and smart temperature sensor to avoid false positives from your smart toaster burning your toast. When you finally arrive home after using your smart debit card to pay the various smart fines imposed by the smart police via your smartphone, you find the smart fire department hosing down the remains of your smartly equipped smart house, and preparing an invoice for smart fire fighting network access overages that were necessary because your smart devices use up their network allocation by reporting in detail with hi-def video the smart emergency at your home.
[ link to this | view in chronology ]
Cassie, 23 Oct 2015 @ 10:45am

Really??
I don't understand the need for an iKettle, to start with. The internet can be a valuable asset, but there comes a point where you just have to stop and leave well enough alone!
[ link to this | view in chronology ]
Jake, 23 Oct 2015 @ 2:43pm

Well, looks like RFC 2324 needs updating.
[ link to this | view in chronology ]
allengarvin (profile), 23 Oct 2015 @ 2:58pm

Uh...simple question:
"If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle," Munro says. ... "I send two commands and it discloses your wireless key in plain text."

If you haven't configured it yet, how can they get your PSK?
[ link to this | view in chronology ]
Rekrul, 23 Oct 2015 @ 3:32pm

The whole IOT idea reminds me of the current debate on encryption. The tech companies are (rightly) arguing that adding backdoors to encryption will make it less secure, but at the same time, everyone is rushing to voluntarily add backdoors to everything else from refrigerators to thermostats, all in the name of convenience.

It's like the old story of how they catch monkeys; Put some food in tree stump with a hole that is only big enough for the monkey to reach into with a relaxed hand. When the monkey closes its fist around the food, its hand is too big to pull out of the hole and the monkey is stuck. Even when it sees danger approaching, it's not smart enough to drop the food and pull out its hand.

People are monkeys and the IOT is the tree stump.
[ link to this | view in chronology ]
Kronomex, 23 Oct 2015 @ 3:44pm

GHCQ and Police announce that a new taskforce will be set up to investigate the possible radicalisation of tea kettles by foreign coffee machines. A spokesperson (on loan from a bicycle repair shop) said that this was a worrying trend in turning household items into potential terrorists, "Who amongst us fears that our tea kettles could ambush us by not having tea inside them? We should act now."
[ link to this | view in chronology ]
OGquaker (profile), 23 Oct 2015 @ 4:15pm

Blackout
Every kettle in the UK pops on at the same moment; inrush current might blow all the local transformers off their poles?
[ link to this | view in chronology ]