Here’s some news that might curl your hair: A pen testing firm has disclosed a vulnerability in the Glamoriser smart hair straightener that could allow attackers to easily gain control of the device and perhaps create a fire hazard.
The problem involves the Bluetooth Low Energy connection that the straightener uses to communicate with mobile devices running the product’s official mobile app. Because there is no secure pairing or bonding process, hackers within Bluetooth range could take over the device with their own phones, warns the UK firm Pen Test Partners in a blog post today.
“There is no auth on the BLE communications between the device and the phone. Data can be sent to the device at any time as long as it is turned on (via the mains power socket),” the blog post states. “Something as simple as a button to push to put the straighteners in pairing mode would have solved it,” the report later states.
Granted, an attacker cannot concurrently take over the device if the proper user is already connected, but users who haven’t yet established a connection or who fall out of BLE range would be susceptible to an ambush.
According to Pen Test Partners, malicious actors could change the temperature settings and how long the straighteners stay on. There are limits, however: The product is automatically programmed to shut off after 20 minutes and cannot exceed 235 degrees Celsius. Nevertheless, the Pen Test Partners team was able to successfully start a fire inside a research environment by using the takeover technique.
SC Media has reached out to UK-based Glamoriser for comment.
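The push-button pairing mode the report recommends, sketched as an added example of device-side logic (not Glamoriser firmware and not code from Pen Test Partners): settings writes are accepted only from a peer that bonded during a button-opened window, and the 235 Celsius and 20 minute limits are enforced on the device. All names, the 30-second window, and the 6-byte peer identifier are assumptions; in a real BLE stack the peer identity must come from an encrypted, bonded link, since a bare address is not authentication.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical firmware-side model, not vendor code. */
#define MAX_TEMP_C      235u  /* ceiling reported in the article */
#define MAX_RUNTIME_MIN 20u   /* auto shut-off reported in the article */
#define PAIR_WINDOW_S   30u   /* assumed pairing-window length */

enum write_result { WRITE_OK, WRITE_REJECT_UNBONDED, WRITE_REJECT_RANGE };

struct device {
    bool     bonded;
    uint8_t  peer[6];          /* stands in for a bonded, encrypted link identity */
    uint32_t pair_window_end;  /* uptime seconds; 0 means closed */
    uint16_t temp_c, runtime_min;
};

/* Only a physical button press opens the pairing window. */
void button_pressed(struct device *d, uint32_t now) {
    d->pair_window_end = now + PAIR_WINDOW_S;
}

/* Bonding succeeds only inside the window, which closes once used. */
bool try_bond(struct device *d, const uint8_t peer[6], uint32_t now) {
    if (now >= d->pair_window_end) return false;
    memcpy(d->peer, peer, 6);
    d->bonded = true;
    d->pair_window_end = 0;
    return true;
}

/* Settings writes: bonded peer only, and limits enforced on the device. */
enum write_result handle_write(struct device *d, const uint8_t peer[6],
                               uint16_t temp_c, uint16_t runtime_min) {
    if (!d->bonded || memcmp(d->peer, peer, 6) != 0) return WRITE_REJECT_UNBONDED;
    if (temp_c > MAX_TEMP_C || runtime_min > MAX_RUNTIME_MIN) return WRITE_REJECT_RANGE;
    d->temp_c = temp_c;
    d->runtime_min = runtime_min;
    return WRITE_OK;
}

int main(void) {
    struct device d = {0};
    const uint8_t owner[6] = {1, 2, 3, 4, 5, 6};  /* constructed sample */
    button_pressed(&d, 100);
    if (!try_bond(&d, owner, 110)) return 1;
    return handle_write(&d, owner, 200, 10) == WRITE_OK ? 0 : 1;
}
```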