Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'

from the pwned-Earl-Grey dept

We’ve discussed at length that companies rushing to embrace the “Internet of Things” (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we’re now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.

While these companies are desperately trying to highlight the wonderful future of Internet-connected devices, they’ve inadvertently been creating advertisements for why many devices should just remain stupid, especially if you’re going to cut corners in development so that device security is an afterthought, or cut corners post-release when it comes to quickly identifying and patching vulnerabilities.

The latest case in point: the $150 iKettle by UK company Smarter promises to save its users “two days a year in wasted waiting time” over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil. Avoiding the horrible task of having to walk a few feet and wait a few minutes is the pinnacle of modern engineering to be sure; the problem is that for the better part of this year researchers have been noting that the security on the kettle was virtually nonexistent:

“If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle,” Munro says. “Attackers will need to set up a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link. So I can sit outside of your place with a directional antenna, point it at your house, knock your kettle off your access point, it connects to me, I send two commands and it discloses your wireless key in plain text.”

The researchers call the current state of IOT security “utterly bananas,” and warn readers of their blog not to “put pointless ‘Internet of Things’ devices on your home network, unless their security is proven.” For what it’s worth, the company behind the not-so-smart kettle tells several other news outlets that it will be updating the kettle’s companion app to eliminate the security vulnerability — sometime next month. So yeah, we’ve ingeniously “solved” the problem of having to walk a few feet to turn on the kettle, but created countless new problems while simultaneously advertising the benefits of competing dumb products.


Comments on “Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'”

37 Comments
Ninja says:

Re: Re: Internet Of Things!

On a side note, try to picture your usual Hollywood hacker group around a computer using hacker magic to do their magic (and possibly a shiny golden key) when they suddenly erupt in cheers while the one operating the box yells “I did it, I hacked into the kettle!”. Then the scene changes and there’s a massive explosion in the nearby power plant, because reasons.

Ninja says:

A few of these things connected to the Internet are really useful and do help a lot. But a kettle? Putting the security issue aside, a kettle? Wtf humanity.

We should be striving to recover time for ourselves, for human interaction, for “petty” pleasure or simply for doing nothing, and yet here we are, trying to squeeze every single minute out of our ‘useless’ time to do more of... what? Why do we need to do more? Why do we need to be even more connected?

Really, I’m moving to the other side.

Roger Strong says:

Re: Re:

You’ve lived a sheltered life.

If the kettle were made by Withings it would demand your Facebook and Twitter passwords during setup. Every time you heat water it would proudly inform everyone on social media. Every interaction with your kettle would go through a server in France so that you could be monetized.

Anonymous says:

Security

Not really surprising. And it’s not just IoT items you buy in the store. All these ‘makers’ don’t have the slightest clue when it comes to security. They will install tons of random crap on their Raspberry Pis from all over the internet because their how-to blogs told them to. Then they will throw the Pi in the DMZ and blab about their new light-up toy all over the internet without even thinking about securing the device.

a.s says:

Adam Smith on the Internet Of Things

Examine the records of history, recollect what has happened within the circle of your own experience, consider with attention what has been the conduct of almost all the greatly unfortunate, either in private or public life, whom you may have either read of, or heard of, or remember; and you will find that the misfortunes of by far the greater part of them have arisen from their not knowing when they were well, when it was proper for them to sit still and to be contented. The inscription upon the tomb-stone of the man who had endeavoured to mend a tolerable constitution by taking physic, ‘I was well, I wished to be better; here I am,’ may generally be applied with great justness to the distress of disappointed avarice and ambition.

But of course now that the advertisers have managed to remove the word “enough” from our dictionaries, very few people want to hear it.

Oblate says:

There's a need here...

There’s a need for an app or device that protects all of the ‘things’ that the typical residence has, or will soon have, from malicious activity, or at least detects when they’ve been compromised. This Protector of ‘Things’ (POT) could report to you as soon as it detects any such activity.

With this system in place, you could get a text or e-mail stating that the POT is calling the iKettle hacked.

Blaine says:

Don't let strangers in your network (IoT device === stranger)

We need a “my mom could use it” device that sets up some DMZs in the network.

Any new device that claims to be “smart” goes into a sandbox DMZ that allows you to get in and control it, but those devices are not allowed to get out, even to the internet. Possibly have one zone per device.

If you chose to trust a device move it to a DMZ that has more permissions, maybe internet access or maybe just access to other devices.

If it’s not open source it’s going to have to have a lot of trust before getting inside the zone where “my stuff” is.

Poorly designed devices may still be vulnerable to a wifi attack, but they can’t serve as a gateway into your network.

Maybe instead of DMZs, using WPA-2 Enterprise combined with a RADIUS server would work. (I’m not a network guy, just paranoid enough to learn.)

True, this won’t help with nefarious devices that you connect to the wrong zone, but that’s a different issue anyway.

allengarvin says:

Re: Re: Don't let strangers in your network (IoT device === stranger)

“using WPA-2 Enterprise, combined with a RADIUS server would work. (I’m not a network guy, just paranoid enough to learn)”

Very very few consumer devices support 802.1x. I wish they did. I hate having a single PSK for the devices on my network that are probably the least secure. I isolate them and apply strict ingress and egress rules for traffic to them.
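The zone layout Blaine proposes above (a sandbox zone you can reach into but that cannot reach out, a more trusted zone with Internet access, and a separate zone for “my stuff”), together with the strict ingress and egress rules allengarvin describes, can be written down as a single nftables ruleset on a Linux home router. This is an added example, not from the article or any commenter; the interface names lan0, iot0, iot1 and wan0 are hypothetical and would map to separate SSIDs or VLANs on a real router, and a single sandbox zone stands in for the per-device zones Blaine mentions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article or its commenters.
# Assumed (hypothetical) interfaces on a Linux home router:
#   lan0 = the zone where "my stuff" lives
#   iot0 = sandbox zone: you can reach the devices, they can reach nothing
#   iot1 = semi-trusted zone: devices may reach the Internet, not the LAN
#   wan0 = upstream link

flush ruleset

table inet iot_zones {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname "lan0" accept
        # IoT zones may talk to the router itself only for DHCP and DNS
        iifname { "iot0", "iot1" } udp dport { 53, 67 } accept
        iifname { "iot0", "iot1" } tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies on connections a permitted side opened (e.g. you controlling a kettle)
        ct state established,related accept

        # Trusted LAN may open connections to the Internet and into both IoT zones
        iifname "lan0" oifname { "wan0", "iot0", "iot1" } accept

        # Semi-trusted zone: Internet only, so a cloud-dependent device still works
        iifname "iot1" oifname "wan0" accept

        # Sandbox zone: no new outbound connections at all; log so you notice attempts
        iifname "iot0" log prefix "iot-sandbox-egress: " drop

        # Everything else (IoT -> LAN, IoT -> IoT, Internet -> IoT) falls to policy drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `iot-sandbox-egress:` prefix, which is the cheapest signal that a sandboxed device is trying to talk to something it should not. As Blaine notes, this does nothing against an attack on the device’s own Wi-Fi link; it only stops a compromised device from becoming a gateway into the rest of the network.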

Anonymous Anonymous Coward says:

Smart

Y’all don’t get it. You’re supposed to call the smart kettle from your smartphone while driving your smart car so that you can make tea or some other smart beverage upon arrival home. Meanwhile, your smart car will recognize that you are using a smart device while driving and do a near field connection to the police via a smart network of smart cars to the closest smart WiFi connection to smartly report you. When the police pull you over, your smart car will also report you for ignoring the smart car’s warning that service is needed soon (specifically your oil will need changing in 3999 miles) and failure to pay your weekly smart auto dealership fine, err fee. While the police officer looks up your record he calls for the K-9 unit to do a quick sniff, and then writes a smart ticket that will disable your ignition until it is paid, your smart kettle is merrily boiling away whatever water you remembered to leave in it. When the smart kettle goes dry, it is not smart enough to turn itself off, but fortunately your smart smoke detector is smart enough to inform your smart security system after your smart thermostat reaches its preset ‘something is wrong’ temperature. You smartly set the combination of smart smoke detector and smart temperature sensor to avoid false positives from your smart toaster burning your toast. When you finally arrive home after using your smart debit card to pay the various smart fines imposed by the smart police via your smartphone, you find the smart fire department hosing down the remains of your smartly equipped smart house, and preparing an invoice for smart fire fighting network access overages that were necessary because your smart devices use up their network allocation by reporting in detail with hi-def video the smart emergency at your home.

Rekrul says:

The whole IOT idea reminds me of the current debate on encryption. The tech companies are (rightly) arguing that adding backdoors to encryption will make it less secure, but at the same time, everyone is rushing to voluntarily add backdoors to everything else from refrigerators to thermostats, all in the name of convenience.

It’s like the old story of how they catch monkeys: put some food in a tree stump with a hole that is only big enough for the monkey to reach into with a relaxed hand. When the monkey closes its fist around the food, its hand is too big to pull out of the hole and the monkey is stuck. Even when it sees danger approaching, it’s not smart enough to drop the food and pull out its hand.

People are monkeys and the IOT is the tree stump.

Kronomex says:

GCHQ and Police announce that a new taskforce will be set up to investigate the possible radicalisation of tea kettles by foreign coffee machines. A spokesperson (on loan from a bicycle repair shop) said that this was a worrying trend in turning household items into potential terrorists: “Who amongst us fears that our tea kettles could ambush us by not having tea inside them? We should act now.”
