Squealing iKettles reveal owner's Wifi passwords
Adding to the list of insecure IoT devices, security enthusiasts have proven that tweeting kettles reveal Wifi passwords because, surprise, surprise, they don't have any built-in security.
Squealing iKettles all over London, which are designed to pre-boil water by allowing the white good to be switched on using an app, are unfortunately revealing the owner's Wifi password in the process.
Ken Munro of Pen Test Partners says, "If you haven't configured the kettle, it's trivially easy for hackers to find your house and take over your kettle."
Munro says that hacking communities have begun using online directories like 192.com to record a house's Wifi password, allowing the creation of a Google Map plotted with Wifi passwords of houses all over London.
"Attackers will need to set up a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link. I can sit outside of your place with a directional antenna, point it at your house, knock your kettle off your access point, it connects to me, I send two commands and it discloses your wireless key in plain text," Munro said.
Munro went on to explain that the Android app for the iKettle is easy to crack since all the passwords remain the default ones. The iOS app is slightly more secure but still sets six-digit codes that are crackable within hours.
Equating it to the quality of cyber-security in the year 2000, Munro called the state of security in the Internet of Things "Utterly Bananas".