A Secure “Smart” Kettle?

We haven’t looked at smart kettles for a long time, mostly as the UK market leader, Smarter, fixed their security with the iKettle 3.0.

So I got quite excited when a colleague pointed out the Xiaomi ‘smart’ kettle a few weeks back. It’s the first kettle with a mobile app that we’ve seen for a while.

A couple of days later it arrived. We already knew that it connected over BLE rather than Wi-Fi, unlike the Smarter kettle. That limited the use case to boiling water within Bluetooth range only. I’ve never been convinced by the need to boil water from a distance, but that’s not important here.

We started out convinced that the Xiaomi kettle would be easy to hack. It was BLE, so it would be easy, right?

The app took a bit of fiddling to get it working. We had to set our location to be in China for it to play ball. After that, it was pretty straightforward.

What shocked us was that it required a 3-second button push to enter what the device calls “pairing” mode, which shouldn’t be confused with BLE pairing. Only when “paired” would it work with the mobile app.

This is good – a physical button press is required to connect the kettle with the phone, making compromise over BLE much harder.

BLE basics

As a reminder, BLE security starts with a connect which every device must allow, then with a certain characteristic it may require that the connection is paired or bonded, for that characteristic and that characteristic only.

So the levels are:

• Connect – the device must support this for the basic BLE services, clear text, can be sniffed
• Pair – a short term key is transferred over the air for only this session, encrypted, can’t be sniffed
• Bond – a long term key is transferred over for however as long as the bond last, encrypted, can’t be sniffed

A lot of manufacturers have a process they call pairing, but it isn’t actually true BLE pairing, it’s just what manufacturers call it.

Anyway, back to the device…

Looking at the characteristics, it writes to the YM_SetUp handle during “pairing”:

We were expecting it to have no “pairing” at all. If that had been the case, we could have connected to any kettle once the users phone went out of range, for example when they left the house.

A cheap Chinese kettle had better security than some much more expensive Western brands had previously. Wow!

But then we realised that the kettle wasn’t actually particularly smart – all the app allows one to do is set the temperature. One has to press a button on the kettle to make it actually boil! Oh dear.

Effectively, all it does is the same as the Sage not-very-smart-kettle that has physical buttons to do exactly the same: