Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things 'Security'

from the pwned-Earl-Grey dept

We've discussed at length that companies rushing to embrace the "Internet of Things" (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we're now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.

While these companies are desperately trying to highlight the wonderful future of Internet connected devices, they've inadvertently been creating advertisements for why many devices should just remain stupid. Especially if you're going to cut corners in development so device security is an afterthought, or cut corners post release when it comes to quickly identifying and patching exploits.

The latest case in point: the $150 iKettle by UK company Smarter promises to save its users "two days a year in wasted waiting time" over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil. Avoiding the horrible task of having to walk a few feet and wait a few minutes is the pinnacle of modern engineering to be sure; the problem is that for the better part of this year researchers have been noting that the security on the kettle was virtually nonexistent:

"If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle," Munro says. "Attackers will need to set up a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link.

"So I can sit outside of your place with a directional antenna, point it at your house, knock your kettle off your access point, it connects to me, I send two commands and it discloses your wireless key in plain text."
The researchers call the current state of IOT security "utterly bananas," and warn readers of their blog not to "put pointless ‘Internet of Things’ devices on your home network, unless their security is proven." For what it's worth, the company behind the not-so-smart kettle tells several other news outlets that it will be updating the kettle's companion app to eliminate the security vulnerability -- sometime next month. So yeah, we've ingeniously "solved" the problem of having to walk a few feet to turn on the kettle, but created countless new problems while simultaneously advertising the benefits of competing dumb products.
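
The sequence Munro describes (a same-SSID network with a stronger signal, plus a disassociation packet) leaves traces a defender can watch for. The sketch below is an added example, not code from the researchers or from Smarter; the SSID, addresses, record format and 30-second window are assumptions, and the sample observations are constructed.

```python
from dataclasses import dataclass

# Constructed monitor-mode observations; every name and address is hypothetical.
HOME_SSID = "HomeNet"
TRUSTED = {"aa:bb:cc:00:00:01": "WPA2"}   # legitimate AP BSSID -> expected security
WINDOW = 30                               # assumed seconds between deauth and rogue beacon

@dataclass
class Beacon:
    ts: float
    ssid: str
    bssid: str
    rssi: int        # dBm, closer to 0 is stronger
    security: str

@dataclass
class Deauth:
    ts: float
    bssid: str       # AP the frame claims to come from
    client: str      # station being knocked off

def find_evil_twins(beacons, deauths):
    """Map each untrusted BSSID advertising HOME_SSID to the reasons it is suspect."""
    home = [b for b in beacons if b.ssid == HOME_SSID]
    best_trusted = max((b.rssi for b in home if b.bssid in TRUSTED), default=None)
    findings = {}
    for b in home:
        if b.bssid in TRUSTED:
            continue
        reasons = findings.setdefault(b.bssid, set())
        reasons.add("untrusted BSSID uses home SSID")
        if best_trusted is not None and b.rssi > best_trusted:
            reasons.add("stronger signal than trusted AP")
        if b.security not in TRUSTED.values():
            reasons.add("security setting differs from trusted AP")
        # Deauth frames naming the real AP close in time to the rogue beacon
        # match the "drop the link, let it rejoin" sequence in the quote.
        for d in deauths:
            if d.bssid in TRUSTED and abs(d.ts - b.ts) <= WINDOW:
                reasons.add(f"deauth of {d.client} near rogue beacon")
    return {bssid: sorted(r) for bssid, r in findings.items()}

SAMPLE_BEACONS = [
    Beacon(100.0, "HomeNet", "aa:bb:cc:00:00:01", -62, "WPA2"),
    Beacon(105.0, "HomeNet", "de:ad:be:ef:00:02", -41, "OPEN"),
    Beacon(106.0, "Neighbour", "11:22:33:44:55:66", -70, "WPA2"),
]
SAMPLE_DEAUTHS = [Deauth(112.0, "aa:bb:cc:00:00:01", "kettle")]

if __name__ == "__main__":
    for bssid, reasons in find_evil_twins(SAMPLE_BEACONS, SAMPLE_DEAUTHS).items():
        print(bssid, reasons)
```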

Reader Comments



  • Anonymous Coward, 23 Oct 2015 @ 3:44am

    Internet Of Things!

    ...or as I like to call it "Easier to Brake Things".

    Why the hell do appliances even need a communication link anyway? Communication is meant for humans.

    • Ninja, 23 Oct 2015 @ 4:28am

      Re: Internet Of Things!

      On a side note, try to picture your usual Hollywood hacker group around a computer using hacker magic to do their magic (and possibly a shiny golden key) when they suddenly erupt in cheers while the one operating the box yells "I did it, I hacked into the kettle!". Then the scene changes and there's a massive explosion in the nearby power plant, because reasons.

  • Ninja, 23 Oct 2015 @ 3:56am

    A few of these things connected to the Internet are really useful and do help a lot. But a kettle? Putting the security issue aside, a kettle? Wtf humanity.

    We should be striving to recover time for ourselves, for human interaction, for "petty" pleasure or simply for doing nothing and yet here we are, trying to squeeze every single minute out of our 'useless' time to do more of.. what? Why do we need to do more? Why do we need to be even more connected?

    Really, I'm moving to the other side.

    • Roger Strong, 23 Oct 2015 @ 12:42pm

      Re:

      You've lived a sheltered life.

      If the kettle were made by Withings it would demand your Facebook and Twitter passwords during setup. Every time you heat water it would proudly inform everyone on social media. Every interaction with your kettle would go through a server in France so that you could be monetized.

  • Yes, I know I'm commenting anonymously, 23 Oct 2015 @ 4:03am

    `Replace your fork, it has exceeded its maximum number of bites'

    We will soon have to incorporate mandatory faraday-cages into building regulations, simply because all available devices will have unsecure, always-on wifi connections.

  • Anonymous Coward, 23 Oct 2015 @ 4:16am

    Makes me think there might well be a market for home insulation with a conductive foil vapor barrier...

  • Anonymous Coward, 23 Oct 2015 @ 4:19am

    Arsonist's Best Friend.

    Just keep turning it on through the day. At 'worst' it'll quickly break, at 'best' it'll actually overheat and short.

  • Anonymous Coward, 23 Oct 2015 @ 4:42am

    it’s trivially easy for hackers to find your house and take over your kettle.

    and burning down your house.

    I shit when I hear stories like this.

  • Anonymous Coward, 23 Oct 2015 @ 4:45am

    "My tea kettle got hacked!"
    "That's nothing. My printer got sued for copyright infringement."

  • Violynne, 23 Oct 2015 @ 5:09am

    I'm a little teapot, short and stout.
    Here is my app. Here is my spout.

    When I get all steamed up, hear me shout:
    "I've been hacked! What's that about?".

  • Dingledore the Flabberghaster, 23 Oct 2015 @ 6:16am

    the $150 iKettle by UK company Smarter promises to save its users "two days a year in wasted waiting time" over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app

    Useless if they can't remotely put the required amount of water in it.

  • Anonymous Coward, 23 Oct 2015 @ 7:01am

    ITea kettle for IT professionals everywhere.

  • Anonymous Coward, 23 Oct 2015 @ 7:11am

    Megaman Battle Network, a children's game series, got this back in the early 00s. How can professionals in the field not get that this would happen?

    Oh right, executives. Never mind.

  • Anonymous Coward, 23 Oct 2015 @ 7:26am

    Security

    Not really surprising. And it's not just IoT items you buy in the store. All these 'makers' don't have the slightest clue when it comes to security. They will install tons of random crap on their Raspberry Pi's from all over the internet because their how-to blogs told them to. Then they will throw the Pi in the DMZ and blab about their new lightup toy all over the internet without even thinking about securing the device.

  • Wendy Cockcroft, 23 Oct 2015 @ 7:30am

    Remember the blob-like people in Wall-E? Get off the damn couch and switch on the kettle yourself! It's not like you're being asked to pedal a bicycle hooked up to a dynamo to power the thing!

  • a.s, 23 Oct 2015 @ 7:31am

    Adam Smith on the Internet Of Things

    examine the records of history, recollect what has happened within the circle of your own experience, consider with attention what has been the conduct of almost all the greatly unfortunate, either in private or public life, whom you may have either read of, or heard of, or remember; and you will find that the misfortunes of by far the greater part of them have arisen from their not knowing when they were well, when it was proper for them to sit still and to be contented. The inscription upon the tomb-stone of the man who had endeavoured to mend a tolerable constitution by taking physic; 'I was well, I wished to be better; here I am;' may generally be applied with great justness to the distress of disappointed avarice and ambition.

    but of course now that the advertisers have managed to remove the word "enough" from our dictionaries, very few people want to hear it.

  • avideogameplayer, 23 Oct 2015 @ 7:33am

    Until I hear that someone made like 10,000 of these kettles blow up all at once, this is just a bs fluff story...

    Worst case scenario: these kettles magically make you coffee instead of tea...or worse...DECAF!

  • Oblate, 23 Oct 2015 @ 8:07am

    There's a need here...

    There's a need for an app or device that protects all of the 'things' that the typical residence has, or will soon have, from malicious activity, or at least detects when they've been compromised. This Protector of 'Things' (POT) could report to you as soon as it detects any such activity.

    With this system in place, you could get a text or e-mail stating that the POT is calling the iKettle hacked.

  • Rex Rollman, 23 Oct 2015 @ 8:08am

    The Internet Of Insecure Things.

  • Blaine, 23 Oct 2015 @ 8:32am

    Don't let strangers in your network (IoT device === stranger)

    We need a "my mom could use it" device that sets up some DMZs in the network.

    Any new device that claims to be "smart" goes into a sandbox DMZ that allows you to get in and control it, but those devices are not allowed to get out, even to the internet. Possibly have one zone per device.

    If you choose to trust a device, move it to a DMZ that has more permissions, maybe internet access or maybe just access to other devices.

    If it's not open source it's going to have to have a lot of trust before getting inside the zone where "my stuff" is.

    Poorly designed devices may still be vulnerable to a wifi attack, but they can't serve as a gateway into your network.

    Maybe instead of DMZs; using WPA-2 Enterprise, combined with a RADIUS server would work. (I'm not a network guy, just paranoid enough to learn)

    True, this won't help with nefarious devices that you connect to the wrong zone, but that's a different issue anyway.

    • allengarvin, 23 Oct 2015 @ 3:06pm

      Re: Don't let strangers in your network (IoT device === stranger)

      "using WPA-2 Enterprise, combined with a RADIUS server would work. (I'm not a network guy, just paranoid enough to learn)"

      Very very few consumer devices support 802.1x. I wish they did. I hate having a single PSK for the devices on my network that are probably the least secure. I isolate them and apply strict ingress and egress rules for traffic to them.

  • Anonymous Anonymous Coward, 23 Oct 2015 @ 9:10am

    Smart

    Y’all don’t get it. You're supposed to call the smart kettle from your smartphone while driving your smart car so that you can make tea or some other smart beverage upon arrival home. Meanwhile, your smart car will recognize that you are using a smart device while driving and do a near field connection to the police via a smart network of smart cars to the closest smart WiFi connection to smartly report you. When the police pull you over, your smart car will also report you for ignoring the smart car’s warning that service is needed soon (specifically your oil will need changing in 3999 miles) and failure to pay your weekly smart auto dealership fine, err fee. While the police officer looks up your record he calls for the K-9 unit to do a quick sniff, and then writes a smart ticket that will disable your ignition until it is paid, your smart kettle is merrily boiling away whatever water you remembered to leave in it. When the smart kettle goes dry, it is not smart enough to turn itself off, but fortunately your smart smoke detector is smart enough to inform your smart security system after your smart thermostat reaches its preset ‘something is wrong’ temperature. You smartly set the combination of smart smoke detector and smart temperature sensor to avoid false positives from your smart toaster burning your toast. When you finally arrive home after using your smart debit card to pay the various smart fines imposed by the smart police via your smartphone, you find the smart fire department hosing down the remains of your smartly equipped smart house, and preparing an invoice for smart fire fighting network access overages that were necessary because your smart devices use up their network allocation by reporting in detail with hi-def video the smart emergency at your home.

  • Cassie, 23 Oct 2015 @ 10:45am

    Really??

    I don't understand the need for an iKettle, to start with. The internet can be a valuable asset, but there comes a point where you just have to stop and leave well enough alone!

  • Jake, 23 Oct 2015 @ 2:43pm

    Well, looks like RFC 2324 needs updating.

  • allengarvin, 23 Oct 2015 @ 2:58pm

    Uh...simple question:

    "If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle," Munro says. ... "I send two commands and it discloses your wireless key in plain text."

    If you haven't configured it yet, how can they get your PSK?

  • Rekrul, 23 Oct 2015 @ 3:32pm

    The whole IOT idea reminds me of the current debate on encryption. The tech companies are (rightly) arguing that adding backdoors to encryption will make it less secure, but at the same time, everyone is rushing to voluntarily add backdoors to everything else from refrigerators to thermostats, all in the name of convenience.

    It's like the old story of how they catch monkeys: put some food in a tree stump with a hole that is only big enough for the monkey to reach into with a relaxed hand. When the monkey closes its fist around the food, its hand is too big to pull out of the hole and the monkey is stuck. Even when it sees danger approaching, it's not smart enough to drop the food and pull out its hand.

    People are monkeys and the IOT is the tree stump.

  • Kronomex, 23 Oct 2015 @ 3:44pm

    GCHQ and Police announce that a new taskforce will be set up to investigate the possible radicalisation of tea kettles by foreign coffee machines. A spokesperson (on loan from a bicycle repair shop) said that this was a worrying trend in turning household items into potential terrorists, "Who amongst us fears that our tea kettles could ambush us by not having tea inside them? We should act now."

  • OGquaker, 23 Oct 2015 @ 4:15pm

    Blackout

    Every kettle in the UK pops on at the same moment; inrush current might blow all the local transformers off their poles?
