Chattering Wi-Fi devices are a short hop away from the crown jewels of your network

IkettleThe revelation that security failures had been uncovered in a Wi-Fi Kettle, and that they could be exploited to break into your home network, made big headlines this week.

As I read about the story, I recalled a conversation with a friend who thought it was very funny that someone might waste time changing the temperature in his house through his remote-controlled thermostat.

"What's the real harm?", he asked.

The neighborhood teens may get a thrill from playing with your thermostat from afar, which may be nothing more than an annoyance, but perhaps criminals could also use internet-enabled devices as a pivot point to grab bigger and better bounties.

In network terms, each item on your network is known as a "node", and each node is connected to other nodes at distances measured in "hops". Stop for a moment and think of all the nodes in your network. Now, think about how many hops away each node is to your main computer - the computer, quite possibly, on which you access your email or do your online banking.

A criminal would probably be correct in assuming that the distance from your kettle to your computer is no greater than two hops away. The iKettle is connected to your Wi-Fi-router (first hop), and the Wi-Fi router is probably connected to your computer (second hop).

You can see that someone who can gain access to one of those chattering Wi-Fi devices might then be able to make a short hop to arrive at what is known as "the crown jewels" of your internal network.

Many corporations control this access by using network segmentation to keep online devices away from the sensitive information. Some corporations don't get this exactly right, leaving them open to even worse problems.

Since most home networks do not use such segmentation, how can a person protect their systems from node-hopping criminals?

First, when purchasing any of these convenient devices, make sure that they require a password if you wish to connect to them.

If they work by simply connecting to your Wi-Fi network with nothing more than your Wi-Fi password, then my advice is to leave that device on the shelf. The device should have some type of interface that allows you to set a separate password to control the device.

Wi-Fi enabled kettleNext, make sure you change the default password on the device.

This is one of the few times that I would say you can consider writing down a password, since this is not a password for a web account. In fact, you might be so bold as to write the password on the device itself! If a burglar enters your dwelling, I am fairly certain that he will not stop to log into your kettle to prepare some tea.

Of course, if you want to be super-safe, there's no harm getting your password manager to securely store your various devices' different passwords too.

Ideally, the device will allow you to have a strong password. Sadly, in the case of the Wi-Fi kettle, telnet access is controlled by a six digit code - even if you were to change it from the default ("123456") it wouldn't take long for a brute force attacker to crack.

This new "everything connected" world, known by many as the "Internet of Things", or IoT, can be marvelous, but we must treat it carefully, or we can become easy targets for simple exploits.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

2 Responses

  1. coyote

    October 23, 2015 at 2:54 am #

    TELNET ?! TELNET ? Wow. Pathetic. That's about as nice as I can muster.

    To make it worse is six digits passcode? Writing a simple program that would try every combination would be trivial. Someone who is only learning their first programming language could do it (maybe not connectivity part – although that is also trivial to many [1] – but the point is about how weak six digits only would be).

    'This is one of the few times that I would say you can consider writing down a password, since this is not a password for a web account.'

    The problem is it sets a bad precedent. That's a dangerous thing.

    'If a burglar enters your dwelling, I am fairly certain that he will not stop to log into your kettle to prepare some tea.'

    You'd be surprised what people in that mindset would do. Or put another way: I could see that many would do this type of thing, and I would argue it has probably happened already. People have been known to break into a home and fall to sleep on the couch. Yes, really. No, I don't have a source at this time but it has happened before (including fairly recent I believe, too) and I'm sure will happen many more times.

    'IoT, can be marvelous, but we must treat it carefully, or we can become easy targets for simple exploits.'

    Unfortunately that's all it will be. Does a tea kettle really need to be connected to the Internet? What about that rifle that Graham wrote about a while back (think a rifle)? What about a skateboard? Cars? No, wanting it connected doesn't equate to needing it connected. The more devices connected the more problems there will be – this goes even for computers but especially for things people won't even consider a risk. But they are risks. Try telling that to these manufacturers or the masses. Unfortunately it seems it is here to stay.

    [1] In fact, it could be scripted quite easily (and it probably already exists – scanners that try to log in by numerous passwords would likely be more than sufficient, and there are numerous of these). But it would also be easy to write a program that does it.

  2. Mr. Friend

    December 6, 2015 at 3:56 am #

    "If a burglar enters your dwelling, I am fairly certain that he will not stop to log into your kettle to prepare some tea." I don't know, there are some dodgy folks out.

Leave a Reply