Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'
from the pwned-Earl-Grey dept
We’ve discussed at length that companies rushing to embrace the “Internet of Things” (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we’re now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.
While these companies are desperately trying to highlight the wonderful future of Internet connected devices, they’ve inadvertently been creating advertisements for why many devices should just remain stupid. Especially if you’re going to cut corners in development so device security is an afterthought, or cut corners post release when it comes to quickly identifying and patching exploits.
The latest case in point: the $150 iKettle by UK company Smarter promises to save its users “two days a year in wasted waiting time” over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil. Avoiding the horrible task of having to walk a few feet and wait a few minutes is the pinnacle of modern engineering to be sure; the problem is that for the better part of this year researchers have been noting that the security on the kettle was virtually nonexistent:
“If you haven?t configured the kettle, it?s trivially easy for hackers to find your house and take over your kettle,” Munro says. “Attackers will need to setup a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link. “So I can sit outside of your place with a directional antenna, point it at your house, knock your kettle of your access point, it connects to me, I send two commands and it discloses your wireless key in plain text.”
The researchers call the current state of IOT security “utterly bananas,” and warn readers of their blog not to “put pointless ?Internet of Things? devices on your home network, unless their security is proven.” For what it’s worth, the company behind the not-so-smart kettle tells several other news outlets that it will be updating the kettle’s companion app to eliminate the security vulnerability — sometime next month. So yeah, we’ve ingeniously “solved” the problem of having to walk a few feet to turn on the kettle, but created countless new problems while simultaneously advertising the benefits of competing dumb products.
Filed Under: internet of things, security, tea kettle
Comments on “Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'”
Internet Of Things!
…or as I like to call it “Easier to Brake Things”.
Why the hell do appliances even need a communication link anyway? Communication is meant for humans.
Re: Internet Of Things!
On a side note, try to picture your usual Hollywood hacker group around a computer using hacker magic to do their magic (and possibly a shiny golden key) when they suddenly erupt in cheers while the one operating the box yells “I did it, I hacked into the kettle!”. Then the scene changes and there’s a massive explosion in the nearby power plant, because reasons.
A few of these things connected to the Internet are really useful and do help a lot. But a kettle? Putting the security issue aside, a kettle? Wtf humanity.
We should be striving to recover time for ourselves, for human interaction, for “petty” pleasure or simply for doing nothing and yet here we are, trying to squeeze every single minute out of our ‘useless’ time to do more of.. what? Why do we need to do more? Why do we need to be even more connected?
Really, I’m moving to the other side.
Re: Re:
You’ve lived a sheltered life.
If the kettle were made by Withings it would demand your Facebook and Twitter passwords during setup. Every time you heat water it would proudly inform everyone on social media. Every interaction with your kettle would go through a server in France so that you could be monetized.
Re: Re: Re:
And if you own a camera, it would insist that you take a picture of it with whatever cup of tea you brewed.
`Replace your fork, it has exceeded its maximum number of bites'
We will soon have to incorporate mandatory faraday-cages into building regulations, simply because all available devices will have unsecure, always-on wifi connections.
Makes me think there might well be a market for home insulation with a conductive foil vapor barrier…
Arsonist's Best Friend.
Just keep turning it on through the day. At ‘worst’ it’ll quickly break, at ‘best’ it’ll actually overheat and short.
it’s trivially easy for hackers to find your house and take over your kettle.
and burning down your house.
ishit when i hear stories like this.
“My tea kettle got hacked!”
“That’s nothing. My printer got sued for copyright infringement.”
Re: Re:
Printers are people my friend.
Re: Re:
My wifi is up on murder charges.
She is currently in solitaire and is only allowed one packet a day.
I’m a little teapot, short and stout.
Here is my app. Here is my spout.
When I get all steamed up, hear me shout:
“I’ve been hacked! What’s that about?”.
Re: Re:
Polly put the kettle on, Polly put kettle on.
Polly put the kettle on, we all got hacked.
the $150 iKettle by UK company Smarter promises to save its users “two days a year in wasted waiting time” over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app
Useless if they can’t remotely put the required amount of water in it.
Re: Re:
and you win the internet.
Re: Re:
That’s what the iFaucet will be for!
ITea kettle for IT professionals everywhere.
Megaman Battle Network, a children’s game series, got this back in the early 00s. How can professionals in the field not get that this would happen?
Oh right, executives. Nevermind.
Security
Not really surprising. And it’s not just IoT items you buy in the store. All these ‘makers’ don’t have the slightest clue when it comes to security. They will install tons of random crap on their Raspberry Pi’s for all over the internet because their how-to blogs told them to. Then they will throw the Pi in the DMZ and blab about their new lightup toy all over the internet without even thinking about securing the device.
Remember the blob-like people in Wall-E? Get off the damn couch and switch on the kettle yourself! It’s not like you’re being asked to pedal a bicycle hooked up to a dynamo to power the thing!
Adam Smith on the Internet Of Things
examine the records of history, recollect what has happened within the circle of your own experience, consider with attention what has been the conduct of almost all the greatly unfortunate, either in private or public life, whom you may have either read of, or heard of, or remember; and you will find that the misfortunes of by far the greater part of them have arisen from their not knowing when they were well, when it was proper for them to sit still and to be contented. The inscription upon the tomb-stone of the man who had endeavoured to mend a tolerable constitution by taking physic; ‘I was well, I wished to be better; here I am; may generally be applied with great justness to the distress of disappointed avarice and ambition.
but of course now that the advertisers have managed to remove the word “enough” from our dictionaries, very few people want to hear it.
Until I hear that someone made like 10,000 of these kettles blow up all at once, this is just a bs fluff story…
Worse case scenario: these kettles magically make you coffee instead of tea…or worse…DECAF!
Re: Re:
No, the worst case scenario is that your place burns down.
Re: Re: Re:
Sarcasm…do you know it?
Re: Re: Re: Re:
Sorry! I am familiar with the concept of sarcasm. Your comment just wasn’t quite sarcastic enough to trigger my detectors. I tripped up on whatever the sarcastic version of Poe’s law is.
There's a need here...
There’s a need for an app or device that protects all of the ‘things’ that the typical residence has, or will soon have, from malicious activity, or at least detects when they’ve been compromised. This Protector of ‘Things’ (POT) could report to you as soon as it detects any such activity.
With this system in place, you could get a text or e-mail stating that the POT is calling the iKettle hacked.
The Internet Of Insecure Things.
Don't let strangers in your network (IoT device === stranger)
We need a “my mom could use it” device that sets up some DMZs in the network.
Any new device that claims to be “smart” goes into a sandbox DMZ that allows you to get in and control it, but those devices are not allowed to get out, even to the internet. Possibly have one zone per device.
If you chose to trust a device move it to a DMZ that has more permissions, maybe internet access or maybe just access to other devices.
If it’s not open source it’s going to have to have a lot of trust before getting inside the zone where “my stuff” is.
Poorly designed devices may still be vulnerable to a wifi attack, but they can’t serve as a gateway into your network.
Maybe instead of DMZs; using WPA-2 Enterprise, combined with a RADIUS server would work. (I’m not a network guy, just paranoid enough to learn)
True, this wont help with nefarious devices that you connect to the wrong zone, but that’s a different issue anyway.
Re: Don't let strangers in your network (IoT device === stranger)
“using WPA-2 Enterprise, combined with a RADIUS server would work. (I’m not a network guy, just paranoid enough to learn)”
Very very few consumer devices support 802.1x. I wish they did. I hate having a single PSK for the devices on my network that are probably the least secure. I isolate them and apply strict ingress and egress rules for traffic to them.
Smart
Y’all don’t get it. You’re supposed to call the smart kettle from your smartphone while driving your smart car so that you can make tea or some other smart beverage upon arrival home. Meanwhile, your smart car will recognize that you are using a smart device while driving and do a near field connection to the police via a smart network of smart cars to the closest smart WiFi connection to smartly report you. When the police pull you over, your smart car will also report you for ignoring the smart car’s warning that service is needed soon (specifically your oil will need changing in 3999 miles) and failure to pay your weekly smart auto dealership fine, err fee. While the police officer looks up your record he calls for the K-9 unit to do a quick sniff, and then writes a smart ticket that will disable your ignition until it is paid, your smart kettle is merrily boiling away whatever water you remembered to leave in it. When the smart kettle goes dry, it is not smart enough to turn itself off, but fortunately your smart smoke detector is smart enough to inform your smart security system after your smart thermostat reaches its preset ‘something is wrong’ temperature. You smartly set the combination of smart smoke detector and smart temperature sensor to avoid false positives from your smart toaster burning your toast. When you finally arrive home after using your smart debit card to pay the various smart fines imposed by the smart police via your smartphone, you find the smart fire department hosing down the remains of your smartly equipped smart house, and preparing an invoice for smart fire fighting network access overages that were necessary because your smart devices use up their network allocation by reporting in detail with hi-def video the smart emergency at your home.
Really??
I don’t understand the need for an iKettle, to start with. The internet can be a valuable asset, but there comes a point where you just have to stop and leave well enough alone!
Well, looks like RFC 2324 needs updating.
Uh...simple question:
“If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle,” Munro says. … “I send two commands and it discloses your wireless key in plain text.”
If you haven’t configured it yet, how can they get your PSK?
The whole IOT idea reminds me of the current debate on encryption. The tech companies are (rightly) arguing that adding backdoors to encryption will make it less secure, but at the same time, everyone is rushing to voluntarily add backdoors to everything else from refrigerators to thermostats, all in the name of convenience.
It’s like the old story of how they catch monkeys; Put some food in tree stump with a hole that is only big enough for the monkey to reach into with a relaxed hand. When the monkey closes its fist around the food, its hand is too big to pull out of the hole and the monkey is stuck. Even when it sees danger approaching, it’s not smart enough to drop the food and pull out its hand.
People are monkeys and the IOT is the tree stump.
GHCQ and Police announce that a new taskforce will be set up to investigate the possible radicalisation of tea kettles by foreign coffee machines. A spokesperson (on loan from a bicycle repair shop) said that this was a worrying trend in turning household items into potential terrorists, “Who amongst us fears that our tea kettles could ambush us by not having tea inside them? We should act now.”
Blackout
Every kettle in the UK pops on at the same moment; inrush current might blow all the local transformers off their poles?