Putting your kettle on the Internet of Things may make your life more convenient, but it could also make your Wi-Fi password public.
“To connect to the Internet, the iKettle needs to know your Wi-Fi password, which it stores in the clear in its memory,” Boing Boing’s Cory Doctorow explained. “The kettle is also naïve enough to connect to any network that has the same name as yours. So all an attacker has to do is use a specialized antenna to overpower your wifi signal, right through the walls of your house, and trick the kettle into connecting to their spoof network, and then they can extract your wifi password and connect to your network.”
The researchers who exposed the vulnerability showed how easy it is to find unsecured iKettles around London.
So should we expect daily stories about hackers using net-connected blenders to dig into home networks?
“Are crooks going to drive around the neighborhood to find iKettles and overpower every SSID they find hosting one?” Mika Ståhlberg, F-Secure’s Director of Strategic Threat Research, asked me.
“What kind of a profit would a criminal be able to make with this approach? Unfortunately, there are easier ways for criminals to gain access to a large number of home networks than to target iKettle. For example, Windows malware spread through exploit kits or even wardriving for Wi-Fis with bad passphrases or without any. The real-world IoT hacks of baby monitors and such are done over the Internet by attackers who do these attacks globally.”
Of course, the landscape is evolving quickly with new technology making science fiction come to life faster than it can even be imagined.
Mika suggests there may soon be a time when these sorts of drive-by attacks specifically targeting smart home devices could present a real business model for criminals targeting blenders or sprinklers.
But that would likely require an exploit kit with hundreds of exploits for different IoT devices. If that happens, the game is on. Combine those vulnerabilities with the ability to rent drones online for couch tourism and before we know it, wardriving or warflying attacks on internet-connected kitchen devices could be just another threat we have to defend against.
But for now, “unless criminals are after a specific target that they know has an iKettle” on a weakly defended Wi-Fi network but a hardened attack surface otherwise, hacks utilizing this IoT-connected blender aren’t very likely — yet.
“We’re still living in very early stages of IoT and its adoption,” Mika said. “These are great ‘post-mortem’ reports for people building IoT solutions. They sort of allow you to learn from other people’s mistakes, but unfortunately I don’t think the startup teams rushing IoT products to the market are taking the time to do this learning at the moment. These reports don’t mean the sky is falling as IoT is very heterogeneous still and adoption is relatively low.”
Doctorow has written eloquently about the need to build privacy and security into the Internet of Things — and surely this post is a nudge for developers to get serious about their future products. What’s alarming is that some IoT developers are producing their “smart” devices as if we’ve learned nothing from decades of online threats.
[Photo by Harri Susi]