The $150 Smarter Ikettle lets you start your water boiling from anywhere in the world over the Internet — and it also contains long-term serious security vulnerabilities that allow attackers to extract your wifi passwords from it.
To connect to the Internet, the Ikettle needs to know your wifi password, which it stores in the clear in its memory. The kettle is also naive enough to connect to any network that has the same name as yours. So all an attacker has to do is use a specialized antenna to overpower your wifi signal, right through the walls of your house, and trick the kettle into connecting to their spoof network, and then they can extract your wifi password and connect to your network.
There are a few steps you can take to improve this situation, but ultimately, the Ikettle is just a badly secured device that shouldn’t be on the same network as sensitive items like home burglar alarm cameras, networked thermostats, and the phones and laptops you use to access sensitive services.
The researchers at Pen Test Partners have pointed this out to Smarter for a year, but no fix has emerged for it.
The Ikettle’s lack of security isn’t remarkable in the badly secured world of the Internet of Things, where security is an afterthought, and often not auditable thanks to the widespread use of digital rights management, which gives companies the right to sue people who disclose security vulnerabilities.
If you have a Wi-Fi kettle, a hacker can drive past your house and steal your Wi-Fi key (the PSK).
This is REALLY easy if you use the Android app to control your kettle. If you use the iPhone app, it takes a little longer.
If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle. Check out our map of some unconfigured iKettles locations in West London:
If you have configured it, again it takes a little longer.
Once the hacker has your Wi-Fi key, they would probably use it to access your home network, take control of your Wi-Fi router, then change your DNS settings so that all your internet traffic is relayed via them. Easy to steal your passwords!
Your online banking, social networks, email. All compromised.
NEW WI-FI KETTLE, SAME OLD SECURITY ISSUES? MEH. [Pen Test Partners]
Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things ‘Security’
[Karl Bode/Techdirt]