Unbelievable Breaking News: IoT kettles are insecure

Oct 20, 2015 09:14 GMT  ·  By

Security researchers at Pen Test Partners have found a security vulnerability in the iKettle Wi-Fi Electric Kettle that allows attackers to crack the password of the WiFi network to which the kettle is connected.

iKettle is one of the new-era electronic devices that manufacturers are touting as IoT (Internet of Things) devices.

The kettle, besides just boiling water, can connect to a user's home WiFi network, and comes accompanied with an Android and iOS app that lets the user start the kettle and boil the water from another room or location. This means that the kettle stores the user's local WiFi network password, somewhere in its settings.

Attackers can steal WiFi passwords from smart-kettles

The research was carried out this summer as part of Pen Test Partners' initiative in finding and disclosing security vulnerabilities in IoT devices and was documented on their site in fine detail.

To summarize their findings, attackers could easily aim a directional antenna at a house where an iKettle is used, force the kettle to drop its current WiFi network, spoof the original network's SSID, and fool the iKettle into connecting to the attacker's network, handing over the password for the original WiFi network in the process.
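From the defender's side, the sequence above has two observable symptoms on the air: a burst of deauthentication frames attributed to the home access point, followed by a second, unknown BSSID beaconing the home SSID. The following detector is an added illustration, not tooling from Pen Test Partners or the article; it assumes a wireless monitor feed that yields per-frame records (timestamp, frame type, SSID, BSSID), and every record, BSSID and SSID below is constructed for the example.

```python
"""Evil-twin / deauth-burst detector over constructed wireless-monitor records.

Added example, not part of the original article or the researchers' tooling.
Assumes a monitor feed yielding (timestamp_seconds, frame_type, ssid, bssid);
all inventory values and sample frames here are constructed.
"""
from collections import defaultdict

# Constructed inventory: SSIDs we own and the BSSIDs allowed to announce them.
TRUSTED_APS = {
    "HomeNet-24": {"aa:bb:cc:00:00:01"},
}

# Constructed monitor records: (timestamp, frame_type, ssid, bssid).
SAMPLE_EVENTS = [
    (100.0, "beacon", "HomeNet-24", "aa:bb:cc:00:00:01"),
    (101.0, "beacon", "HomeNet-24", "aa:bb:cc:00:00:01"),
    # burst of deauth frames whose source address claims to be our AP
    (102.0, "deauth", None, "aa:bb:cc:00:00:01"),
    (102.1, "deauth", None, "aa:bb:cc:00:00:01"),
    (102.2, "deauth", None, "aa:bb:cc:00:00:01"),
    (102.3, "deauth", None, "aa:bb:cc:00:00:01"),
    (102.4, "deauth", None, "aa:bb:cc:00:00:01"),
    # an unknown BSSID starts beaconing our SSID right after the burst
    (103.0, "beacon", "HomeNet-24", "de:ad:be:ef:00:01"),
    (104.0, "beacon", "HomeNet-24", "de:ad:be:ef:00:01"),
    (110.0, "beacon", "Neighbour", "11:22:33:44:55:66"),  # unrelated network
]


def find_rogue_aps(events, trusted=TRUSTED_APS):
    """Return {ssid: sorted untrusted BSSIDs} for every owned SSID seen
    beaconed from a BSSID that is not in the trusted inventory."""
    seen = defaultdict(set)
    for _ts, ftype, ssid, bssid in events:
        if ftype == "beacon" and ssid in trusted and bssid not in trusted[ssid]:
            seen[ssid].add(bssid)
    return {ssid: sorted(bssids) for ssid, bssids in seen.items()}


def find_deauth_bursts(events, threshold=5, window=2.0):
    """Return [(source_bssid, burst_start_ts, frame_count)] for sources that
    emit at least `threshold` deauth frames inside any `window`-second span.
    A legitimate AP rarely deauthenticates a client repeatedly in seconds."""
    by_src = defaultdict(list)
    for ts, ftype, _ssid, bssid in events:
        if ftype == "deauth":
            by_src[bssid].append(ts)
    bursts = []
    for bssid, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((bssid, times[start], end - start + 1))
                break                          # one alert per source is enough
    return bursts


def evil_twin_alerts(events, trusted=TRUSTED_APS, lag=30.0):
    """Correlate the two symptoms: an untrusted BSSID beaconing an owned SSID
    within `lag` seconds after a deauth burst attributed to that SSID's
    legitimate AP. Each (ssid, rogue_bssid) pair is reported once."""
    burst_start = {b: ts for b, ts, _n in find_deauth_bursts(events)}
    alerts, reported = [], set()
    for ts, ftype, ssid, bssid in events:
        if ftype != "beacon" or ssid not in trusted or bssid in trusted[ssid]:
            continue
        if (ssid, bssid) in reported:
            continue
        for legit in trusted[ssid]:
            if legit in burst_start and 0 <= ts - burst_start[legit] <= lag:
                alerts.append({"ssid": ssid, "rogue_bssid": bssid,
                               "after_deauth_from": legit, "first_seen": ts})
                reported.add((ssid, bssid))
                break
    return alerts


if __name__ == "__main__":
    for alert in evil_twin_alerts(SAMPLE_EVENTS):
        print("possible evil twin:", alert)
```

Either symptom alone produces false positives (a neighbour may reuse a common SSID; an AP may deauthenticate a misbehaving client), which is why the correlation in `evil_twin_alerts` is the signal worth paging on. The mitigation the article's finding points at is independent of detection: a device that will send its stored WiFi credential to any access point announcing the right SSID, without verifying the AP, has no defence once the SSID is known, so the credential should be treated as exposed and rotated if such a device is on the network.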

Researchers say that using this simple trick and information about iKettles they got from wigle.net and Twitter, they drove around London, cracked home WiFi networks, and created a map of insecure WiFi networks across the city. For security and privacy reasons, they said they wouldn't reveal the map.

The iKettle iOS and Android apps are also poorly secured

The researchers also found that the smartphone app that controls the iKettle's behavior uses the insecure Telnet protocol to relay commands to the device.

Both apps use a PIN to authenticate the user to their kettle, and both PINs are easy to hack within hours, as the researchers found out. The iOS app is the marginally more secure of the two because it uses a 6-digit PIN, whereas the Android app uses only a 4-digit code.

While this latter security vulnerability is less dangerous, Dr. Evil wannabes would be able to use it to boil your kettle water at the most inappropriate moments.

We previously reported on Pen Test Partners this summer, when they managed to hack a Samsung smart-fridge to disclose Gmail passwords.