Blog: Android

New Wi-Fi kettle, same old security issues? Meh.

Ken Munro 15 Oct 2015

ket2

We saw that Smarter‘s iKettle 2.0 and Smarter Coffee machine were reviewed on ITV’s This Morning yesterday.

If you’re not familiar with the iKettle it’s a device that solves one problem (physically having to get up and switch your kettle on!) and creates a whole bunch more.

We haven’t been shy about our security research findings, you can find them covered here, here, here, and here.

The fundamental issue is that if you have this kettle it’s possible for someone to get your wireless network key, and help themselves to whatever is on your network, or use your Wi-Fi for whatever purpose they choose.

Anyway, that’s all in the past because the new iKettle 2.0 model fixes all that.
…erm, except it doesn’t.

smarter-products

The apps that control them haven’t been updated. Here’s some screen shots taken today showing the version and age status of both the iOS and Android apps, no updates since our initial findings back in June.

iOS

iOS-appV

Android

droid-appV

Here’s what is broken about the iKettle

If you have a Wi-Fi kettle, a hacker can drive past your house and steal your Wi-Fi key (the PSK).

This is REALLY easy if you use the Android app to control your kettle. If you use the iPhone app, it takes a little longer.

If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle. Check out our map of some unconfigured iKettles locations in West London:

ikettleKMLmap

If you have configured it, again it takes a little longer.

Once the hacker has your Wi-Fi key, they would probably use it to access your home network, take control of your Wi-Fi router, then change your DNS settings so that all your internet traffic is relayed via them. Easy to steal your passwords!

Your online banking, social networks, email. All compromised.

What can you do?

If you know how to decompile, edit and recompile Android APKs, you can implement strong PIN security yourself to make the Wi-Fi key extraction much harder.

If you can’t do that then do the following:

  • Make sure you change your Wi-Fi router admin password. That’s good advice whether you have a Wi-Fi kettle or not!
  • Make sure you’ve changed your Wi-Fi network key from the default too.
  • Hopefully the manufacturer will update their application and implement some security. As soon as they do, update your app version.
  • Don’t put pointless ‘Internet of Things’ devices on your home network, unless their security is proven.
  • In the meantime, turn your iKettle on at the mains when you want to boil it, and off again after.