The revelation that security failures had been uncovered in a Wi-Fi Kettle, and that they could be exploited to break into your home network, made big headlines this week.
As I read about the story, I recalled a conversation with a friend who thought it was very funny that someone might waste time changing the temperature in his house through his remote-controlled thermostat.
“What’s the real harm?”, he asked.
The neighborhood teens may get a thrill from playing with your thermostat from afar, which may be nothing more than an annoyance, but perhaps criminals could also use internet-enabled devices as a pivot point to grab bigger and better bounties.
In network terms, each item on your network is known as a “node”, and each node is connected to other nodes at distances measured in “hops”. Stop for a moment and think of all the nodes in your network. Now, think about how many hops away each node is to your main computer – the computer, quite possibly, on which you access your email or do your online banking.
A criminal would probably be correct in assuming that the distance from your kettle to your computer is no greater than two hops. The iKettle is connected to your Wi-Fi router (first hop), and the Wi-Fi router is probably connected to your computer (second hop).
You can see that someone who can gain access to one of those chattering Wi-Fi devices might then be able to make a short hop to arrive at what is known as “the crown jewels” of your internal network.
Many corporations control this access by using network segmentation to keep online devices away from the sensitive information. Some corporations don’t get this exactly right, leaving them open to even worse problems.
Since most home networks do not use such segmentation, how can a person protect their systems from node-hopping criminals?
First, when purchasing any of these convenient devices, make sure that they require a password if you wish to connect to them.
If they work by simply connecting to your Wi-Fi network with nothing more than your Wi-Fi password, then my advice is to leave that device on the shelf. The device should have some type of interface that allows you to set a separate password to control the device.
Next, make sure you change the default password on the device.
This is one of the few times that I would say you can consider writing down a password, since this is not a password for a web account. In fact, you might be so bold as to write the password on the device itself! If a burglar enters your dwelling, I am fairly certain that he will not stop to log into your kettle to prepare some tea.
Of course, if you want to be super-safe, there’s no harm getting your password manager to securely store your various devices’ different passwords too.
Ideally, the device will allow you to set a strong password. Sadly, in the case of the Wi-Fi kettle, telnet access is controlled by a six-digit code – even if you were to change it from the default (“123456”), it wouldn’t take long for a brute-force attacker to crack.
This new “everything connected” world, known by many as the “Internet of Things”, or IoT, can be marvelous, but we must treat it carefully, or we can become easy targets for simple exploits.