Need Your Friend’s Wi-Fi Password? Ask Their Kettle!

A lot of companies are making a big deal out of the Internet of things. The Internet of things is just a fancy phrase for adding Internet connectivity to everything from lightbulbs to tea kettles. Theoretically this could enable some pretty neat functionality but it also means every device in your home could become an attack vector for malicious hackers. Not surprisingly the security record of current Internet of things manufacturers leaves a lot to be desired:

Following our recent demonstration at the Infosecurity Show and with Rory Cellan-Jones on the BBC here’s a write up and more technical detail on the Smarter iKettle hack.


For those of you who haven’t seen the demo in person, here’s how it works.

The brief version:

De-auth kettle from its usual access point. Use aireplay-ng
Create fake AP with same SSID
Kettle joins
Connect to telnet service, authenticate using default PIN of ‘000000’
Enter ‘AT-KEY’
Plaintext WPA PSK is then disclosed
Yes, it’s that easy

Oy vey! For some reasons each market appears dead set on learning the hard lessons the hard way. Software developers learned the mistakes of not taking security seriously. Automobile manufacturers are now learning that lesson. Manufacturers that produce Internet enabled devices will probably be the next in line to learn this lesson.

My advice for everybody is to wait a bit before diving too far into this Internet of things. Let the early adopters suffer the pain and misery of immature products. Then, when the time is right, move in and thank all those poor souls for their sacrifice.