
When it comes to Smart Home technology, there’s no shortage of products whose raison d’être is questionable, to put it mildly. In fact, I wrote an entire article on them in April of this year. One of the devices that I mentioned was the iKettle, by Smarter Labs.


The iKettle is a WiFi enabled kettle. Yes, you read that right. Apparently the task of heating water to its boiling point is something that can only be accomplished with WiFi integration.

Oh, and did I mention it came with a massive, gaping security flaw that had the potential to blow open entire WiFi networks?

How the Attack Worked

Yes, it turns out the iKettle isn’t too hot (sorry) when it comes to security. With just a couple of steps, you can convince it to cough up the user’s WiFi password. So, how do you hack a kettle?

First, the attacker would need to identify a wireless network with an iKettle connected. Then, they would create their own wireless network using the same SSID.


When the iKettle switches to that network, the attacker can connect to it over port 23 using Telnet. This is a freely available tool that’s similar to SSH, and allows users to remotely manage computers.

The iKettle will then prompt the attacker for a six-digit passcode. This can be brute-forced, but if the kettle was set up with an Android device, it has the default password of 000000. Once authenticated, the attacker will tell the kettle to list its settings, at which point it’ll spit out the entire cached WiFi password in plain text, allowing an attacker to gain access to the entire network.
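The first step of this attack, a second access point advertising your SSID, is visible to any client that can scan for networks. As an added example (not from the original article), this Python script parses terse `nmcli` scan output and flags access points that advertise a known SSID from a BSSID you do not own; the SSID, BSSIDs and scan lines are constructed, and the baseline of owned access points is an assumption you would fill in for your own network.

```python
import re

# Constructed sample of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL device wifi list`
# output (terse mode escapes ':' inside values with a backslash).
SAMPLE_SCAN = r"""
HomeNet:AA\:BB\:CC\:00\:00\:01:WPA2:71
HomeNet:AA\:BB\:CC\:00\:00\:02:WPA2:48
HomeNet:DE\:AD\:BE\:00\:00\:99::88
Neighbour:11\:22\:33\:00\:00\:10:WPA2:35
HomeNet:DE\:AD\:BE\:00\:00\:77:WPA2:60
"""

# Assumed baseline: the access points you actually own for this SSID.
KNOWN_APS = {"HomeNet": {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}}
OPEN_MARKERS = {"", "--"}  # how an unencrypted network shows up in SECURITY


def parse_scan(text):
    """Split each terse line on unescaped colons and unescape the fields."""
    rows = []
    for line in text.strip().splitlines():
        fields = [re.sub(r"\\(.)", r"\1", f) for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 4:
            continue  # malformed line, ignore
        ssid, bssid, security, signal = fields
        rows.append({"ssid": ssid, "bssid": bssid.upper(),
                     "security": security.strip(), "signal": int(signal)})
    return rows


def find_suspect_aps(rows, known_aps):
    """Flag APs that advertise one of our SSIDs from a BSSID we do not own."""
    alerts = []
    for row in rows:
        owned = known_aps.get(row["ssid"])
        if owned is None or row["bssid"] in owned:
            continue  # not our SSID, or one of our own access points
        reason = "unknown BSSID"
        if row["security"] in OPEN_MARKERS:
            reason += ", open network (security downgrade)"
        alerts.append((row["bssid"], row["signal"], reason))
    # Strongest impostor first: it is the one most likely to pull clients over.
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    for bssid, signal, reason in find_suspect_aps(parse_scan(SAMPLE_SCAN), KNOWN_APS):
        print(f"ALERT {bssid} signal={signal}: {reason}")
```
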

The Problem of Management

A spokesperson for Smarter Labs was eager to stress that a fix for this problem isn’t far away.

“We take security very seriously here at Smarter and have been working with our engineers to ensure that our new products don’t encounter security issues. We will be updating the affected product in November to eradicate that issue.”

They also stressed that the upcoming iKettle won’t be affected:

“Our new product and application have updated security features that are not relevant to [the vulnerability].”

Users with an affected kettle can update it using the iKettle app, available for iPhone and Android. In the meantime, it might be sensible to attach a second router to your home network with a different SSID, and connect your kettle to that. You can find a perfectly adequate router from Amazon for as little as $10.


This episode reminds us how the smart home products we use are essentially computers, and how they face the same security problems traditional computers do. It’s bizarre to imagine someone using Telnet to connect to a kettle, but apparently it’s a thing.

As the Smart Home field inevitably matures, manufacturers will be under increasing pressure to consider the security of their devices. And when things go wrong (as they inevitably do) they can expect to have their feet held above the coals.


Manufacturers will have to design their products to be easy to reset, and to update. They’ll have to take a proactive approach to the security of their devices, and work with security researchers. They’ll have to learn how to manage disclosure and their relationships with the security community, which some have found incredibly challenging to do.

Manufacturers will have to consider how to ensure the security of their devices in the event that they go bust. More importantly, they will have to establish a consensus with their customers on how long they’ll be expected to maintain a particular product.

Unplanned Obsolescence

A friend of mine has a microwave that’s literally ancient. It sounds like hyperbole, but it isn’t. He inherited it from his parents, who in turn bought it from a now-defunct hypermarket in the 1980s. Let me put that in context: his microwave is older than me.

But here’s the thing; it’s a perfectly adequate microwave. Almost thirty years on, it can still turn a frozen lasagne ready-meal into a steaming pool of molten cheese, and it can still easily defrost frozen meat. There’s literally no reason to replace it.


That’s the thing about traditional white goods. They’re not subject to the same cycle of planned obsolescence that most tech is. There’s no such thing as a “refrigerator refresh cycle”. There’s no such thing as a “two year upgrade” in the white goods world.

Another thing: My friend’s microwave was manufactured in a country that no longer exists (The German Democratic Republic, also known as East Germany), by a company that has similarly ceased to exist. But that’s posed no impediment to him making cheesy microwave nachos, thirty years on.

It’s a different matter for smart home tech. It’s highly likely that your computerized kettle, or WiFi enabled umbrella, will require periodic performance and security updates.

The problem is, programmers are expensive, and it’s fundamentally unrealistic to expect software companies to maintain their products indefinitely. Eventually, they’ve got to let it go, as Microsoft did with Windows XP early in 2014.

Then, there’s the small matter of tech companies having a tendency to eventually implode like The Death Star, leaving a mountain of promotional laptop stickers and now-unsupported code in their wake. To give you just three (of many) examples, there’s Silicon Graphics, Palm, and Commodore.

If you buy a product that inherently needs a lot of management just to keep it secure and operating smoothly, you take a gamble that the company will stick around to support it. That’s not always a safe bet.

Protecting The Internet of Things

Right now, the Internet of Things is a nascent idea, still half-formed. It’s still very much an experiment, with dozens of questions still unanswered.

Should manufacturers be responsible for the security of the products they sell? If so, to what extent?


Should a company reasonably be expected to support an IoT or Smart Home product? If so, how long?

What happens if the manufacturer fails? Many startups have pledged to release their code under the public domain, should they fail. Should smart home manufacturers be compelled to do the same?

Is there anything consumers can do to ensure that their hardware is secure? If so, what?

These questions will be answered in time. But until they are, I suspect the majority of consumers will be reticent to embrace the Internet of Things world.

But what do you think? Leave me a comment below, and we’ll chat.

  1. Kurt
    April 10, 2016 at 8:57 pm

    Attacker?! It's hard to take this article with any seriousness.

    Yes, I own an iKettle. I'm more concerned that an ATTACKER could physically break into my home with forced entry and physically turn on my iKettle and my 1980's microwave.

    If someone manages to break into my home network then my least concern would be for them to scan my network, discover I have an iKettle (this isn't trivial just by looking at a MAC address), figure out that it's TELNET command and execute it. If an intruder remotely accesses my home network there are much more prevalent attacks and exploits they would choose (dumping files, hijacking sessions etc). Why and for what motive would they exploit a device such as the iKettle? "Oh nooo, the attacker is turning on my kettle!!".

    You might argue that in future what if ovens or a more hazardous device can be controlled via a network. I'd partially agree, but much like you have a lock on your front door and likely windows, you would have security around your network.

    Do you put a padlock on your 1980 microwave? No, you put the lock on the door of your house.

    Your article lacks any common sense. Don't scare people into change. Networked devices and home automation are the future. Security flaws are everywhere, both virtually and physically. Your article is just shallow and pedantic. Write about some real security flaws and news. Have some trust in technology and the people with a forward thinking mentality, your views hinder my faith in humanity.

    • Dave
      May 7, 2016 at 1:33 am

      I don't think you understood the attack. The attacker can get access to your home network through the kettle. They don't have to have access to your home network beforehand.

      You say you have bigger concerns if your home network was compromised. The kettle enables just that! The kettle has its own open WiFi network that anyone can connect to. Once connected, you can tell it to give you the password to the home network it's connected to. Then the bad stuff happens.

  2. fcd76218
    October 23, 2015 at 1:57 pm

    iKettle is another example of the "When you're a hammer, the entire world looks like a nail" syndrome. Manufacturers equip all manner of devices with Internet capability not because it makes the devices more useful or convenient but because they can.

    Our microwave is also of the 1980's vintage. It still performs its job flawlessly. During its lifetime the only part that I had to replace were the light bulbs. The one big advantage it has over the modern microwaves is that it does not require a degree in engineering and a 500 page owner's manual explaining all the options to operate. AND no hacker can screw up the warming up of my left-over tuna casserole. :-)

    • Matthew Hughes
      October 26, 2015 at 12:48 pm

      I agree 100%, Dragonmouth. The sad part is WiFi enabled white goods will soon cease to be the exception. They'll be the rule.
