Sunday, October 25, 2015

Putting your kettle on the Internet of Things makes your wifi passwords an open secret (plus Izabella Kaminska does a driveby)

From Boing Boing:
The $150 Smarter Ikettle lets you start your water boiling from anywhere in the world over the Internet -- and it also contains long-term serious security vulnerabilities that allow attackers to extract your wifi passwords from it.

To connect to the Internet, the Ikettle needs to know your wifi password, which it stores in the clear in its memory. The kettle is also naive enough to connect to any network that has the same name as yours. So all an attacker has to do is use a specialized antenna to overpower your wifi signal, right through the walls of your house, and trick the kettle into connecting to their spoof network, and then they can extract your wifi password and connect to your network.

There are a few steps you can take to improve this situation, but ultimately, the Ikettle is just a badly secured device that shouldn't be on the same network as sensitive items like home burglar alarm cameras, networked thermostats, and the phones and laptops you use to access sensitive services.
The researchers at Pen Test Partners have pointed this out to Smarter for a year, but no fix has emerged for it.

The Ikettle's lack of security isn't remarkable in the badly secured world of the Internet of Things, where security is an afterthought, and often not auditable thanks to the widespread use of digital rights management, which gives companies the right to sue people who disclose security vulnerabilities.

If you have a Wi-Fi kettle, a hacker can drive past your house and steal your Wi-Fi key (the PSK). This is REALLY easy if you use the Android app to control your kettle. If you use the iPhone app, it takes a little longer. If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle. Check out our map of some unconfigured iKettle locations in West London...MORE
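The weak link described above is that the kettle joins any network "that has the same name as yours". A monitoring host on the home LAN can tell the real access point from a spoofed one by its hardware address and security mode. The following is an added example (not code from Boing Boing, Pen Test Partners or Smarter); the SSID, BSSIDs and scan entries are constructed values.

```python
# Added example: flag access points that advertise a trusted SSID from an
# unknown BSSID or with a different security mode than the real home AP.
# A device that only matches on network name cannot tell these apart.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str       # AP hardware (MAC) address
    channel: int
    security: str    # e.g. "WPA2-PSK" or "OPEN"
    signal_dbm: int


# Trusted SSID -> (expected BSSIDs, expected security). Constructed values.
TRUSTED = {
    "HomeNet": ({"aa:bb:cc:dd:ee:01"}, "WPA2-PSK"),
}

# Constructed scan results: the real AP, a spoofed AP that reuses the
# home SSID from a different BSSID with a stronger signal, and an
# unrelated network that should produce no alert.
SAMPLE_SCAN = [
    ScanEntry("HomeNet", "aa:bb:cc:dd:ee:01", 6, "WPA2-PSK", -55),
    ScanEntry("HomeNet", "de:ad:be:ef:00:01", 6, "OPEN", -30),
    ScanEntry("CoffeeShop", "11:22:33:44:55:66", 1, "OPEN", -70),
]


def find_evil_twins(scan, trusted=TRUSTED):
    """Return (bssid, ssid, reasons) for every scan entry that uses a
    trusted SSID but does not match the trusted BSSID set or security."""
    alerts = []
    for e in scan:
        if e.ssid not in trusted:
            continue
        bssids, security = trusted[e.ssid]
        reasons = []
        if e.bssid.lower() not in bssids:
            reasons.append("unknown BSSID")
        if e.security != security:
            reasons.append(f"security {e.security} != {security}")
        if reasons:
            alerts.append((e.bssid, e.ssid, ", ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for bssid, ssid, why in find_evil_twins(SAMPLE_SCAN):
        print(f"ALERT {ssid} from {bssid}: {why}")
```

Feeding real scan output (for example from the host's wireless tooling) into `ScanEntry` records is left to the reader; the point is that the check keys on BSSID and security mode, not on the name alone.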
One of the best expositions of the freakshow that the IoT could become was I. Kaminska's "Cybersecurity dispatches: Managing the IoT poltergeist threat", which we linked to a couple of times, the first being "Internet of Things: In Which Izabella Approaches Escape Velocity Edition":

This is pretty good.
From FT Alphaville:
Cybersecurity dispatches: Managing the IoT poltergeist threat
Imagine the scene in the not too distant future.

An Uber self-driving electric car has just dropped you home. Your front door has recognised your face, and your fingerprint has authenticated that it’s definitely you. You get into your house, not a key in sight, kick off your shoes, and happily discover that the 3D printing feature in your fridge has already printed the food you plan to consume for dinner. All the appliances you need are on. And everything you don’t need is off, nice and efficiently saving power.

You decide to treat yourself to a quick 30-minute Netflix holographic update, only to get a nudge from your wearable tech that you’ve still got a 10 minute exercise deficit to meet your daily exercise quota. It’s a problem because you happen to have signed up to the extreme health management option which shuts down ApplePay access — without which Netflix won’t work — if you fail to meet your objectives. You quickly get busy on your smart-grid connected treadmill (which conveniently sells off the energy produced by your system back into the grid).

When all of a sudden… your utility door flings open and your iRobot Roomba begins singing Daisy, Daisy....MORE
But do you know why your Roomba is singing Daisy?
It's an homage to an homage to the first singing computer:

From Switched, November 2009:
...Rejoice! World Learns Why HAL Sang 'Daisy'