
How your home Wi-Fi security could end up in hot water

Say you had a connected tea kettle, and it had an unchangeable password of only six characters.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Smart devices are becoming an open invitation for hackers into homes.

Taken all together, they're known as the internet of things, and they're notoriously bad with security. These IoT objects, whether they're televisions, refrigerators or security cameras, often come with flaws related to their online connections and their simple functions. Hacks could allow an attacker to take over your home's Wi-Fi network or co-opt your gadgets for malicious activities.

That's because manufacturers don't always consider security when creating their connected devices. The problem has gotten so bad so quickly that four US senators last month introduced a bill requiring connected devices to reach a minimum standard of security.


Jason Hart, a researcher at Gemalto Security, demonstrated how vulnerable even the seemingly most innocent IoT device can be. He brought in a first-generation iKettle, a Wi-Fi-enabled gadget for your kitchen, which lets you boil water from an app on your phone. It also sends you a notification once the water is ready and keeps the water hot.

We should note that the device, which ended production more than a year ago, has been replaced by second- and third-generation models that have much stronger security. The vulnerability that Hart demonstrated was first discovered in 2015 by researchers from Pen Test Partners, an IoT security firm based in the UK. 

It no longer applies to any iKettles that London-based Smarter is producing or to its updated app, according to Michael Hutchison, a company spokesman. 

The outdated kettle had a hard-coded password of "000000," a security flaw common to many IoT devices, Hart noted.

Once the first-generation kettle was hijacked, Hart was able to control it without any other permissions. He started boiling the water without permission. But obviously worse things can happen.

"The attacker could use the kettle itself to gain access to your home Wi-Fi," Hart said. "Someone could come along and extract your home Wi-Fi remotely, and then use it against your network."

Smarter sells into 27 countries, but the iKettle has never been available in the US.

Correction, Sept. 11 at 9:48 a.m.: This story misstated the status of the vulnerability. It is now outdated.
