When it comes to Smart Home technology, there’s no shortage of products whose raison d’être is questionable, to put it mildly. In fact, I wrote an entire article on them in April of this year. One of the devices that I mentioned was the iKettle, by Smarter Labs.
The iKettle is a WiFi enabled kettle. Yes, you read that right. Apparently the task of heating water to its boiling point is something that can only be accomplished with WiFi integration.
Oh, and did I mention it came with a massive, gaping security flaw that had the potential to blow open entire WiFi networks?
How the Attack Worked
Yes, it turns out the iKettle isn’t too hot (sorry) when it comes to security. With just a couple of steps, you can convince it to cough up the user’s WiFi password. So, how do you hack a kettle?
First, the attacker would need to identify a wireless network with an iKettle connected. Then, they would create their own wireless network using the same SSID.
When the iKettle switches to that network, the attacker can connect to it over port 23 using Telnet. This is a freely available tool that’s similar to SSH, and allows users to remotely manage computers.
The iKettle will then prompt the attacker for a six digit passcode. This can be brute-forced, but if the kettle was set up with an Android device, it has the default password of 000000. Once authenticated, the attacker will tell the kettle to list its settings. At which point, it’ll spit out the entire cached WiFi password in plain text, allowing an attacker to gain access to the entire network.
The Problem of Management
A spokesperson for Smarter Labs was eager to stress that a fix for this problem isn’t far away.
“We take security very seriously here at Smarter and have been working with our engineers to ensure that our new products don’t encounter security issues. We will be updating the effected product in November to eradicate that issue.”
They also stressed that the upcoming iKettle won’t be affected:
“Our new product and application have updated security features that are not relevant to [the vulnerability].”
Users with an affected kettle can update it using the iKettle app, available for iPhone and Android. In the meantime, it might be sensible to attach a second router to your home network with a different SSID, and connect your kettle to that. You can find a perfectly adequate router from Amazon for as little as $10.
This episode reminds us how the smart home products we use are essentially computers, and how they face the same security problems traditional computers do. It’s bizarre to imagine someone using Telnet to connect to a kettle, but apparently it’s a thing.
As the Smart Home field inevitably matures, manufacturers will be under increasing pressure to consider the security of their devices. And when things go wrong (as they inevitably do) they can expect to have their feet held above the coals.
Manufacturers will have to design their products to be easy to reset, and to update. They’ll have to take a proactive approach to the security of their devices, and work with security researchers. They’ll have to learn how to manage disclosure and their relationships with the security community, which some have found incredibly challenging to do.
Manufacturers will have to consider how to ensure the security of their devices, in the event of they go bust. More importantly, they will have to establish a consensus with their customers of how long they’ll be expected to maintain a particular product.
A friend of mine has a microwave that’s literally ancient. It sounds like hyperbole, but it isn’t. He inherited it from his parents, who in turn bought it from a now-defunct hypermarket in the 1980s. Let me put that in context: his microwave is older than me.
But here’s the thing; it’s a perfectly adequate microwave. Almost thirty years on, it can still turn a frozen lasagne ready-meal into a steaming pool of molten cheese, and it can still easily defrost frozen meat. There’s literally no reason to replace it.
That’s the thing about traditional white goods. They’re not subject to the same cycle of planned obsolescence that most tech is. There’s no such thing as a “refrigerator refresh cycle”. There’s no such thing as a “two year upgrade” in the white goods world.
Another thing: My friend’s microwave was manufactured in a country that no longer exists (The German Democratic Republic, also known as East Germany), by a company that has similarly ceased to exist. But that’s posed no impediment to him making cheesy microwave nachos, thirty years on.
It’s a different matter for smart home tech. It’s highly likely that your computerized kettle, or WiFi enabled umbrella, will require periodic performance and security updates.
The problem is, programmers are expensive, and it’s fundamentally unrealistic to expect software companies to maintain their products indefinitely. Eventually, they’ve got to let it go, as Microsoft did with Windows XP early in 2014.
Then, there’s the small matter of tech companies having a tendency to eventually implode like The Death Star, leaving a mountain of promotional laptop stickers and now-unsupported code in their wake. To give you just three (of many) examples, there’s Silicon Graphics, Palm, and Commodore.
If you buy a product that inherently needs a lot of management just to keep it secure and operating smoothly, you take a gamble that the company will stick around to support it. That’s not always a safe bet.
Protecting The Internet of Things
Right now, the Internet of Things is a nascent idea, still half-formed. It’s still very much an experiment, with dozens of questions still un-answered.
Should manufacturers be responsible for the security of the products they sell? If so, to what extent?
Should a company reasonably be expected to support an IoT or Smart Home product? If so, how long?
What happens if the manufacturer fails? Many startups have pledged to release their code under the public domain, should they fail. Should smart home manufacturers be compelled to do the same?
Is there anything consumers can do to ensure that their hardware is secure? If so, what?
These questions will be answered in time. But until they are, I suspect the majority of consumers will be reticent to embrace the Internet of Things world.
But what do you think? Leave me a comment below, and we’ll chat.