The $150 Smarter iKettle lets you start your water boiling from anywhere in the world over the Internet, and it also contains serious, long-standing security vulnerabilities that allow attackers to extract your wifi password from it.
To connect to the Internet, the iKettle needs to know your wifi password, which it stores in the clear in its memory. The kettle is also naive enough to connect to any network that has the same name as yours. So all an attacker has to do is use a specialized antenna to overpower your wifi signal, right through the walls of your house, and trick the kettle into connecting to their spoofed network; from there they can extract your wifi password and connect to your network.
There are a few steps you can take to improve this situation, but ultimately, the iKettle is just a badly secured device that shouldn’t be on the same network as sensitive items like home burglar alarm cameras, networked thermostats, and the phones and laptops you use to access sensitive services.
The researchers at Pen Test Partners have been pointing this out to Smarter for a year, but no fix has emerged.
The iKettle’s lack of security isn’t remarkable in the badly secured world of the Internet of Things, where security is an afterthought and is often not auditable thanks to the widespread use of digital rights management, which gives companies the right to sue people who disclose security vulnerabilities.