Tattling Kettles Help Researchers Crack WiFi Networks In London

New submitter campuscodi writes: Security researchers at Pen Test Partners have found a security vulnerability in the iKettle Wi-Fi Electric Kettle that allows attackers to crack the password of the WiFi network to which the kettle is connected. Researchers say that using this simple trick and information about iKettles, they drove around London, cracked home WiFi networks, and created a map of insecure WiFi networks across the city. The same researchers cracked a Samsung smart-fridge this summer to disclose Gmail passwords. If you have 6 minutes, there's a YouTube video you can watch.

Ok first...

[cayenne8]

...I gotta go google what the fuck an iKettle is? Is this like a crockpot wired to the internet for some reason?

Re:Ok first...

[cayenne8]

Ok..after post found out is it something that boils water remotely.

Seriously, is this a need?

Do you need it that much faster than maybe throwing a cup of water in the microwave on high for a couple minutes, or heating stovetop?

Do you need to fire it up remotely? I just don't even see the need or market for such an item....and I love gadgets for the kitchen.

Re:Ok first...

[fahrbot-bot]

There's an Amazon link for the iKettle Wi-Fi Electric Kettle in TFS , Mr. "I can't read". And it says:

• Save time and remote boil from anywhere in the house
• Set wake up alarms and gain an extra 5 minutes in bed
• Arrive home to the iKettle boiled and ready to pour
• Boil ready notifications allow you to save energy by never having to re-heat
• Avoid that bitter taste and brew at the right temperature. Choose from 65, 80, 95 and 100’c

Talk about solving First World problems - geesh.

Re: Ok first...

[xaxa]

Most British households have an electric kettle, a large jug with a 2-3kW heating element that heats the water to boiling point.

It takes about 2 minutes, or less if there's less water, so I don't see why it benefits from being remote controlled.

Cup of tea, anyone?

Re:Ok first...

[The-Ixian]

Or.... you could click on the link to the article...

I know, I know, this is Slashdot...

Re:Ok first...

[ShanghaiBill]

Seriously, is this a need?

Most products are about filling a desire rather than a need. My wife is a tea connoisseur, spending hundreds of $s on gourmet blends. I could see her buying a device like this, so she could precisely control the timing and temperature. She would certainly buy it if it came with a Python API so she could write her own tea brewing apps.

Re:Ok first...

[ebcdic]

It must be a very slow kettle if you can save 5 minutes by having it boil on schedule.

Re:Ok first...

[selectspec]

Sounds like the iToilet.

Re:Ok first...

[MagickalMyst]

"Seriously, is this a need?"

Of course it is! This is the 21st century. We have "The Internet of Things" now.

Every device must have wifi, at the very least.

I mean, seriously - how did people ever get by in the 20th century with no Internet-ready cookware?

Talk about living in the stone age!

Re:Ok first...

[Thud457]

I don't see anything describing a low/no water safety shutoff. So hackers can turn it to 100C right when you leave the house in the morning and have your house burnt down by lunchtime?

Also, it seems that a wifi control app would be ideal for a sous vide cooker. That shouldn't be much more complicated than a crockpot, why are they so damn expensive?

Re:Ok first...

[MagickalMyst]

"Sounds like the iToilet."

Yep, simply login from your Iphone to flush from anywhere in the world.

Just make sure to share the (strong, secure) password with family/friends/roomies or you'll be in for a load of shit when you get home.

Re: Ok first...

[lister+king+of+smeg]

Most British households have an electric kettle, a large jug with a 2-3kW heating element that heats the water to boiling point.

It takes about 2 minutes, or less if there's less water, so I don't see why it benefits from being remote controlled.

Cup of tea, anyone?

As some one that drinks a lot of tea, why not just use a stove top kettle?

Re: Ok first...

[TechyImmigrant]

Oddly people in the US don't typically have an electric kettle. Yet once they've spent a week with one, they can't live without it. The bummer is the slow rate they boil relative to UK kettles. UK: 250V*13A = 3250W. US: 115V*15A = 1725W. So it takes roughly twice as long.

The worst knock-on effect of this is that people seem happy to get tea from restaurants in the form of not-boiling water in a cup, with a tea-bag on a string for the customer to dunk. If you've never tasted tea infused at the proper temperature, you don't know what you're missing.

I wish for the pre-storage kettle. Put a bunch of low ESR batteries in the base and charge them while not boiling. When someone boils water, combine energy from the mains and the batteries to deliver heat energy to the water.

Re:Ok first...

[vtcodger]

Let me suggest that within three or four years, the Internet Of Things will be redesignated as The Internet Of Horrors due to the lousy security and the lack of real need for remotely controlled toasters, hair driers, toothbrushes and pencil sharpeners. I'm sure that people putting in 80 hour weeks at SV startups with hopes of paying off their student loans and retiring at the age of 27 will be disappointed by that. But I think in the long run, we will all be better off.

Re:Ok first...

[lister+king+of+smeg]

My coffee maker can be set to start at a given time and needs no internet or network connections it simply has a built in clock why complicate things farther? as for reheats the pot is vacuum insulated. It gives me a notification to it beeps.

Re: Ok first...

[Threni]

Why? Why not just boil a kettle?

Re:Ok first...

[TechyImmigrant]

5 extra minutes in bed per day sounds good to me.

Re:Ok first...

[TechyImmigrant]

Talk about solving First World problems - geesh.

I live in the first world. I have first world problems. I have no shame in solving them.

Re:Ok first...

[TechyImmigrant]

Your coffee maker doesn't produce boiling water. Tea requires boiling water. Coffee doesn't.

Re: Ok first...

[cayenne8]

f you've never tasted tea infused at the proper temperature, you don't know what you're missing.

I'd always heard you were NOT supposed to make your tea with boiling water...just under boiling was the correct way to do it...?

I mean, one of my favorite ways to have tea is Sun Tea where you put the bags in a glass jar/container and set out all morning in the hot summer sun and let it make that way.

Wonderful iced tea taste, doesn't get cloudy...and it was never boiled....

Re:Ok first...

[PopeRatzo]

Ok..after post found out is it something that boils water remotely.

Wait, you mean if I have this kettle in my house, I can use it to boil water at work? Sort of like Playstation NowTM except for boiling water?

Technology is moving so fast I can't keep up any more.

Re: Ok first...

[SQLGuru]

Why not just get a coffee maker......if you want coffee, include the grounds. If you want water, don't. Or you know......just nuke the cup of water in the microwave like everyone else.

Re:Ok first...

[CWCheese]

I own a non-wi-fi electric kettle, which takes me a total of less than 10 seconds to walk to and flick the switch each morning to start the boil; 30 seconds if I must fill it from the tap. The internet-of-things seems to be a baseless bunch of nonsense for the purpose of proving something can be done, no matter if it should be done at all. Gosh, just think of those folks who have to literally go out to draw water from a well or river, while simultaneously scrounging wood sticks to build a fire to boil water.

Re: Ok first...

[PopeRatzo]

I'd always heard you were NOT supposed to make your tea with boiling water...just under boiling was the correct way to do it...?

I have been told by someone who knows about tea that the best way to do it is have the teapot on the other side of the kitchen from the kettle. Once the water boils, in the time it takes to carry the kettle to the teapot, the temperature is just right.

The main thing is you don't want to boil the tea.

Re:Ok first...

[Obfuscant]

Arrive home to the iKettle boiled and ready to pour

Having remote controlled heating elements in an unoccupied house or apartment is a recipe for disaster.

How about: walk in the door, flip the switch on the normal pot, kick off the shoes, hang up the coat, turn on the TV, pour a stiff drink, what was the boiling water for again?

Avoid that bitter taste and brew at the right temperature. Choose from 65, 80, 95 and 100â(TM)c

Using water that has sat in the pot all day, losing dissolved gasses and depositing lime for the next pot, getting the bitter taste right back again.

Talk about solving First World problems - geesh.

Especially since many European kitchens already have a hot water heater on-demand and can get almost boiling water right from the tap, if they so choose.

Re: Ok first...

[TechyImmigrant]

I'm now attempting to resist the temptation to build one and retrofit it into my kettle.

3D printed base to store the batteries. A simple charger-switchover circuit, a second element, a temperature sensor and a little micro to tell it when to charge and when to heat.

Try to patent it and this slashdot post will be the prior art to destroy you in court...

Re:Ok first...

[CWCheese]

So then why not buy a timer based electric kettle, fill it at night before sleeping, and wake to a pot of boiled water?

Re:Ok first...

[PopeRatzo]

I live in the first world. I have first world problems. I have no shame in solving them.

It might be time to get some. Shame, I mean.

Re:Ok first...

[TechyImmigrant]

I used to have one of those. But me and my teasmade parted company when I moved to the USA.

Re:Ok first...

[TechyImmigrant]

I live in the first world. I have first world problems. I have no shame in solving them.

It might be time to get some. Shame, I mean.

Only if it's WiFi connected.

Re:Ok first...

[Obfuscant]

Tea requires boiling water.

Absolutely not. Boiling water releases all the dissolved gasses and makes the tea taste flat. You do not boil water for tea, you heat it to a point just below.

The tea leaves don't care if the water is boiling.

Re:Ok first...

[Obfuscant]

Also, it seems that a wifi control app would be ideal for a sous vide cooker. That shouldn't be much more complicated than a crockpot, why are they so damn expensive?

1. Because it has such a pretentious-sounding name.
2. Because it has to come with a 250 page book describing what "sous vide" is.
3. Because Gordon Ramsey doesn't do it, so nobody else wants to, except those who watch pretentious cooking shows with Michelin chefs. (Doesn't Michelin make tires?)
4. Because rich people wouldn't pay for it if it was called "boil in bag".

Re:Ok first...

[ShanghaiBill]

You, sir, then need the Goblin Teasmaid.

That only works if you wake up at a fixed time each day. With an IoT teapot, you can link it to a motion detector, and have it turn on when it detects you getting out of bed.

Re:Ok first...

[Speck'sBacon]

Aside from the Brits chiming in on this, I remember Alton Brown swearing by an electric kettle as a multitasker. Aside from water for tea, he recommended it for boiling eggs because of the auto-shutoff feature, which avoids overcooking resulting in a rubbery texture. It has other uses as well, even if it's just to free up a burner on your stove if you're prepping a large meal.

Re: Ok first...

[CanadianMacFan]

The temperature of the water depends on the type of tea. Black tea requires boiling water. White tea and green tea are different. I forget the numbers because I don't drink them. I only know this because I have a tea maker from Breville (and it's amazing) and it has settings for different types of teas. You put loose leaf tea in the basket and after the water is brought to the proper temperature the basket is lowered into the water for the right amount of time (which is adjustable). I used to drink a fair amount of coffee but since getting the tea maker I drink a lot of tea and a little bit of coffee. There are a lot of options when you go to buy loose leaf tea.

Re: Ok first...

[ewibble]

main reason, electric kettles turn off by themselves.

Re:Ok first...

[CanadianMacFan]

I have a Breville tea maker and absolutely love it. It allows you to control the temperature and steeping time. I don't use the feature but I think you can set the time that it will start. I've had it about two years and I use it every day. It's on the expensive side but if you keep an eye on Amazon you can get it on sale but if mine broke I would replace the next day.

Re:Ok first...

[jonbryce]

In Europe, our 230V supply allows us to have 3kW kettles which boil water in just over a minute.

Re: Ok first...

[jonbryce]

Because an electric kettle is much quicker and more convenient. Stove top kettles are only found in museums.

Re: Ok first...

[ColdWetDog]

News for Nerds, Stuff that Matters.

I wonder when Taco started this site if he ever envisioned discussing such seriously domestic endeavors as the instructions for proper tea production.

Re:Ok first...

[ColdWetDog]

Oh great. I get up in the middle of the night to pee and then the stupid thing wanders off and makes tea.

Meanwhile, six hours later.....

Re:Ok first...

[ColdWetDog]

Because of Daylight Savings Time. Twice a year you manually have to correct the clock.

Life is hard.

Re:Ok first...

[ShanghaiBill]

Oh great. I get up in the middle of the night to pee and then the stupid thing wanders off and makes tea.

That is why every teapot needs a programmable API.

if (motionDetected() && (timeDiff(now() - 0700) > 0) && teapot.waterInPot) {
      teapot.turnOnHeatingElement();
}

Re: Ok first...

[jandjmh]

Your answer is interesting mix mostly correct and subtly (but really) wrong.

In most modern US houses the kitchen has 20 amp circuits, but the the standard US plug and outlet (with parallel blades) is only rated at 15 amps.Worse yet, UL and similar safety agencies will not pass (certify) an appliance that draws a continuous load of more than 85% of the plug's rating. So here in the US we are stuck with toasters, hairdryers, space heaters and electric kettles rated at 1500 watts at most (120 x 12,5)

As for the bit about "stupid panicky people" - I have no idea what you are talking about. Homeowners almost never install or change their own breakers, Whatever was in the panel when they bought the house is what they have - the electrician that installed and wired the panel will almost certainly have put 20 amp breakers if the wiring is 20 amp rated (12 gauge).

And I have no idea what is wrong with your breakers, but mine work fine. They don't trip when they shouldn't

Re: Ok first...

[safetyinnumbers]

I don't see why it benefits from being remote controlled

Because the future has turned into something out of a novel co-written by William Gibson and Douglas Adams.

Re: Ok first...

[squiggleslash]

Yes, and they're very useful. Most Americans I've introduced to the concept love them.

Thing is though...

...with the iKettle, do you walk to the kitchen, fill it up with water, plug it in, and then go back to your living room, pick up the laptop, browse to http://my.kettle.local/, log in, and hit the "Boil water" button?

Just asking.

Re:Ok first...

[idontgno]

Yes. We must INTERNET ALL THE THINGS!

Sigh. Once upon a time, a network-attached tea pot was an April Fool's joke. Now it's a market category.

I blame AOL. And the September That Never Ended. Because all the luser mundanes didn't understand that IT'S SUPPOSED TO BE A JOKE. *facepalm*

Re: Ok first...

[nevermore94]

As a fan of both authors, I find that to be one of the funniest and most insightful posts I have read on here in a long time.
I don't have mod points to give you, so you will have to settle for my kudos to you.

Re: Ok first...

[jo_ham]

A coffee maker doesn't heat the water to sufficient temperature to make tea.

Re:Ok first...

[jo_ham]

I don't see anything describing a low/no water safety shutoff. So hackers can turn it to 100C right when you leave the house in the morning and have your house burnt down by lunchtime?

Also, it seems that a wifi control app would be ideal for a sous vide cooker. That shouldn't be much more complicated than a crockpot, why are they so damn expensive?

It's a kettle. It has low/no water safety shutoff as a given.

That's like criticising a computer for not advertising that the CPU has a thermal protection system built into it.

Re:Ok first...

[yzf750]

Also, it seems that a wifi control app would be ideal for a sous vide cooker. That shouldn't be much more complicated than a crockpot, why are they so damn expensive?

1. Because it has such a pretentious-sounding name.
2. Because it has to come with a 250 page book describing what "sous vide" is.
3. Because Gordon Ramsey doesn't do it, so nobody else wants to, except those who watch pretentious cooking shows with Michelin chefs. (Doesn't Michelin make tires?)
4. Because rich people wouldn't pay for it if it was called "boil in bag".

Sous Vide means under pressure. Not that pretentious. Michelin makes tires. They also make maps and travel guides, presumably to make people drive more, hence needing tires more often. Providing ratings for restaurants goes along with this. Sous Vide is not about "boiling in a bag" most sous vide cooking is not done at boiling temperatures. Purpose built sous vide cookers are expensive because they are niche products. They also usually have some form of circulation and precise temperature control. Could you rig one up with a PID, element and stirrer? Sure, but to make a UL or other agency listed appliance there is a lot more that goes into it. But hey, don't let that get in the way of your rant...

Re: Ok first...

[SvnLyrBrto]

Most drip coffee makers don't hear the water to a sufficient temperature to make coffee, either.

Bialetti or french press or GTFO.

Re:Ok first...

[TechyImmigrant]

Tea requires boiling water.

Absolutely not. Boiling water releases all the dissolved gasses and makes the tea taste flat. You do not boil water for tea, you heat it to a point just below.

The tea leaves don't care if the water is boiling.

By the time you turn off the boiling kettle and move it to the tea kettle or mug, then pour it through the air, it is a point just below 100C. A little bit of practice helps you get the timing right.

Re: Ok first...

[Hognoxious]

You still get a carry-over of coffee taste. It's slight but it's detectable and it makes anything that isn't coffee taste dreadful.

Re:Ok first...

[Hognoxious]

Sous Vide means under pressure.

No it doesn't.

I bet you don't even know what language it is, you fat cunt.

Re:Ok first...

[Kichigai+Mentat]

I think the point wasn't that you could use their coffeemaker for making tea, but rather the technology to heat water at a predetermined time doesn't, and oughtn't, be more complicated than their coffeemaker.

Re:Ok first...

[Kichigai+Mentat]

Not even. Just install a receiver for a time beacon, like so many wall clocks have.

Re:Ok first...

[Hognoxious]

Yep, simply login from your Iphone to flush from anywhere in the world.

I see what you did there.

Re: Ok first...

[AHuxley]

Re "It takes about 2 minutes, or less if there's less water, so I don't see why it benefits from being remote controlled."
It might be an idea from around the 1970's with product like Teasmade https://en.wikipedia.org/wiki/... "... generally include an analogue alarm clock and are designed to be used at the bedside, to ensure tea is ready first thing in the morning."
So the "remote controlled" or time aspect does has some historical product connections.
Adding a new computer network is just more fun :)

Re:Ok first...

[Obfuscant]

By the time you turn off the boiling kettle and move it to the tea kettle or mug, then pour it through the air, it is a point just below 100C.

But the water has already boiled. The tea leaves don't care if the water is boiling, it's boiling the water that is the mistake. And no, making tea does NOT require boiling water.

In car terms, it doesn't matter if you step on the brake after you see the cop, he's already clocked you at 10 over the speed limit and he can write you a ticket.

Re: Ok first...

[TechyImmigrant]

What is this "prior art" concept you speak of? It sounds antiquated; I'll race you to the patent office.

The prior art is what I thought of this morning (a kettle with rechargeable batteries in the base that speed up the boiling when used by adding to the power from the mains). By posting the idea here in the open, no one else could patent such a thing.

Re:Ok first...

[Obfuscant]

Sous Vide means under pressure.

No. Sous vide is french for "under vacuum" according to at least one source. It is, indeed, a pretentious name, and apparently you need that 250 page book to explain it to you.

As for the rest, whoosh. It may not involve boiling in the bag, but it's still putting stuff in a bag and then into hot water to cook it. Just like all the "boil in bag" stuff that you don't actually have to boil, just bring up to temperature.

Re: Ok first...

[TechyImmigrant]

I'd always heard you were NOT supposed to make your tea with boiling water...just under boiling was the correct way to do it...?

I have been told by someone who knows about tea that the best way to do it is have the teapot on the other side of the kitchen from the kettle. Once the water boils, in the time it takes to carry the kettle to the teapot, the temperature is just right.

The main thing is you don't want to boil the tea.

Yes. Exactly correct. with black tea you need to start with boiling water and then pour it over the tea bags, but take a few seconds between boiling and pouring so the temperature is just right.

Re: Ok first...

[KGIII]

I first noticed one when I was in Australia. I've owned one ever since. I used to use a coffee pot and just use it for water. I'd make instant coffee at times but I usually drank tea. I have an 'instant' hot water tap on my coffee maker in the kitchen but it's nice to not leave my upstairs office for a quick cuppa and whatnot.

Re: Ok first...

[KGIII]

Judging by his post, he probably wired (some) of it by himself and now has "faulty breakers." You know, someone else's fault.

Re:Ok first...

[KGIII]

There's an app for that?!?

$ apt-cache search shame

'Snot in my repo and I'm too lazy to go find my phone.

Re:Ok first...

[someoneOtherThanMe]

Exactly, so you Muricans should, instead of buying IoT kettles, choose a simpler solution of either moving overseas or re-doing the electricity infrastructure in the entire country.

Re: Ok first...

[Barsteward]

get rid of the bags and get an infuser for loose leaf tea that sits in the cup - much better tasting tea. the tea in the bags look like dust scrapped off the floor, for me the bigger the leaf generally the better the taste.

i shake my head in disbelief in someone investing in internet connected appliances, tjhey'll probably only use it when friends come over to look at it.

Re: Ok first...

[dunkelfalke]

That works for tea bags, but (well, for me at least) a FTGFOP (and no, that doesn't mean "far too good for ordinary people") Darjeeling tastes better when stepped at 95 degree Celsius.

Re:Ok first...

[serviscope_minor]

I live in the first world. I have first world problems. I have no shame in solving them.

A fiver says "not being able to boil the kettle from the other side of the house" actually qualifies as one of your problems.

Re: Ok first...

[91degrees]

Because we have an electric kettle!

Near as dammit Every British kitchen (and Hotel room) has one. They're dirt cheap. You can get one for £10. They're faster than an electric stove (when I had an electric cooked I'd boil in the kettle and pour into the saucepan), they turn off automatically when boiled, which is something you can hear from a different room due to the click and change in sound quality.

Re:Ok first...

[jonbryce]

I believe they get a two phase supply, and can use 1 phase for plug-in devices at 120V, or both phases at 240V for things like ovens.

Re: Ok first...

[the_other_chewey]

I've never tasted tea that I wouldn't miss, ...

So you'd miss all tea you've ever tasted? You have amazing
luck with your teas.

[please accept my humble nomination for "misnegation of the day"]

Re:Ok first...

[MoarSauce123]

Was wondering the same thing. Why the heck does anyone need an electric kettle to begin with? Get one out of steel and put it on the stove. And why the frack have it be connected to a network? How long does it take for water to boil in a pot at full heat? A few minutes? Seriously, that is too long for some so that they need a remote starter for their kettle? Anyone who bought one and now has the WiFi password cracked does not deserve any better.

Re: Ok first...

[MoarSauce123]

Huh? A gas stove is way safer than an electric kettle, which is nothing more than a cheap way to get an apartment fire.

You crazy Brits!

[jellomizer]

When will you learn a Wi-Fi enable Tea Kettle is a horrible Idea.
Oh I just got a message from my Wi-Fi enabled coffee machine that my coffee is done.
 

Re:You crazy Brits!

[TechyImmigrant]

When will you learn a Wi-Fi enable Tea Kettle is a horrible Idea.
Oh I just got a message from my Wi-Fi enabled coffee machine that my coffee is done.

But an electric tea kettle is a great idea. Most of the USA hasn't caught on to the electric tea kettle yet. Something that astounds people from the rest of the world when visiting the US. If the iCandy is the gateway drug to get electric kettles into the USA, I'm all for it.

Re:You crazy Brits!

[TechyImmigrant]

Well the 'nice' part is debatable. The rest you say is true.

This case...

This is a case of the pot calling the kettle hacked.

[Puts on sunglasses] Yeah!

so constant singleminded tea-oriented conversation

[Thud457]

This is like Talkie the Toaster, but it's a tea kettle?
And all modern crackpots are wired to the internet these days.

WHAT!?!

[Sir_Eptishous]

An ip assigned kettle?!? WTF?!?!

Are you seriously telling me people would buy this and connect it to their wifi and then "manage" it via an app on their phone.
That has to be the epitome of laziness...

Here is the best part:

Invite friends with the new social features. Send messages and invites through the Smarter app via Twitter, Facebook and more. Get together with friends and family and have a tea together. Make drink requests or ask a friend how they would like their tea or coffee before you forget to add the sugar.

Re:WHAT!?!

[tysonedwards]

Great! Now I can be micromanaged at home over "your kettle says you steeped your tea for 1m30s at 173 degrees! Savage! This is an Oolong or gods sake!"

Re:WHAT!?!

[TechyImmigrant]

Great! Now I can be micromanaged at home over "your kettle says you steeped your tea for 1m30s at 173 degrees! Savage! This is an Oolong or gods sake!"

Isn't that illegal?
You'll have the tea inspectors round if you aren't careful.

Re:WHAT!?!

[CWCheese]

It's a conspiracy to hasten the end of IPv4 by occupying all available IP addresses with pointless devices

Re:WHAT!?!

[PopeRatzo]

Get together with friends and family and have a tea together.

I have heard that you can do that without a WiFi-enabled tea kettle.

Re:Does Colonel Klink know about it?

[Sir_Eptishous]

Only X'ers and Boomers are going to get that reference...
Good one though.

This is why...

[Captain+Centropyge]

...not everything needs to be a smart device. The only secure devices are those not connected to the internet at all. The more devices people keep inventing that connect to everything else, including the internet, the less secure everything becomes.

STOP adding wi-fi to everything! It's not necessary for things like this. If you're too lazy to boil some water you've got bigger issues to worry about.

Re:This is why...

[AHuxley]

1+ for this. Keep wifi off and use all wired networks if possible to important data storage. If wifi is *really* needed use only for a secure sub set of devices that have nothing of value on them..
Walls and the short distances in city areas do not help :)

Welcome to Io(insecure)T.

[sinij]

Security is a) expensive b) requires sustained effort to maintain. There is absolutely no way to make this work with a market of cheap disposable consumer electronics.

Re:Welcome to Io(insecure)T.

[TechyImmigrant]

Security is only expensive relative to the prices for components that kettle manufacturers dream of.

Relative to your wallet, the cost of the silicon area for some public key and symmetric crypto along with a good RNG is a fraction of a cent up front and a few cents at the end of the producer-consumer chain. This I know because it's my job to design this stuff.

You'd probably be happy to pay a few cents extra per product for all devices to employ good crypto hardware, but somewhere along the chain is some idiot saying security is expensive.

Re:Welcome to Io(insecure)T.

[TechyImmigrant]

Yes the supply of hardware engineers is ok. The supply of cryptographers is low and the supply of cryptographers who can also design production quality silicon designs is horribly low. So we're expensive. But those costs ameliorated over millions of chips isn't high. So for volume products it's ok and usually those chips are available in the market for use in low volume products as well.

Hardcoding keys into silicon without a huge amount of clever obfuscation hardware is indeed idiotic, when extracting one of those keys leads to a BORE (Break Once, Reuse Everywhere) attack.

Re:Welcome to Io(insecure)T.

[serviscope_minor]

Presumably you could do it in software. What's the smallest MCU you could reasonably run public key crypto algorithms on?

Re:Welcome to Io(insecure)T.

[TechyImmigrant]

The small ARMs are plenty capable, as long as you don't do silly things like 4096 RSA.
Ed25519 and Curve25519 are pretty darned lightweight and get you 128 bit brute force bounds which matches AES nicely.

For that kind of thing, Atmel would be the first place I look but there are plenty more. Anything 32 bit will be fine. You might be able to squeeze it into a 16 bit AVR class device, but the ECDH might take a few hundred milliseconds.

I wrote python implementation of all these algorithms (to verify the vectors match for hardware implementations) and Ed25519 and Curve25519 run in non human perceptible time on a desktop. C on a micro will be fine. Just stay away from 8051s.

I could give you exact clock counts for native hardware implementations but then I would have to shoot you.

Re:Welcome to Io(insecure)T.

[serviscope_minor]

Just stay away from 8051s.

Interesting you say that. I've been using one, the CC2541, because it's got a bluetooth radio built in. It's 32MHz with 2-5 cycles per instruction, most clustering towards 2, hardware divider and so on. It's somewhat comparable to an small ATMEL in speed. It's also got an AES128 unit built in so that's very fast.

I've not been using the crypto though.

Re:Welcome to Io(insecure)T.

[TechyImmigrant]

Just stay away from 8051s.

Interesting you say that. I've been using one, the CC2541, because it's got a bluetooth radio built in. It's 32MHz with 2-5 cycles per instruction, most clustering towards 2, hardware divider and so on. It's somewhat comparable to an small ATMEL in speed. It's also got an AES128 unit built in so that's very fast.

I've not been using the crypto though.

It's the 256 bit multiplication with modulo reduction that is a problem for things with limited addressing. It can be done, but it will be a few times slower than something done on 32 bits because there are so many more iterations. So I wouldn't choose an 8051 for that, but that doesn't mean you can't use a modern 8051 if that the processor you're given.

Re:Welcome to Io(insecure)T.

[serviscope_minor]

It's the 256 bit multiplication with modulo reduction that is a problem for things with limited addressing. It can be done, but it will be a few times slower than something done on 32 bits because there are so many more iterations. So I wouldn't choose an 8051 for that, but that doesn't mean you can't use a modern 8051 if that the processor you're given.

Ah OK that makes sense, thanks. There's actually a Nordic chip in the same segment. I'm planning to evaluate it as soon as I get the chance because (a) it's ARM inside and supports GCC (woo! no more IAR!) and (b) it's not Texas. While Texas produce IME some of the better datasheets, their support sucks massive ass.

It's a thumb core I think. I believe that's a sort of 16/32 hybrid instruction set, but all the internal busses, adders and what not are 32 bit. And this particular chip has the single cycle multiplier too.

Re:Welcome to Io(insecure)T.

[TechyImmigrant]

An ARM like that will do fine.
Program it up and tell us how fast it goes. Ed25519 ECDSA and Curve25519 ECDH.
There's reference code all over the internetz.

 

Re:Welcome to Io(insecure)T.

[serviscope_minor]

Just found out that the next version of the Nordic chip has a M4F on board (hard float!!), and runs at 64MHz. I think I'll wait for that one because it's also got most of the RF shite integrated meaning you don't need to piss around with matching and that sort of stuff.

Researchers Use ONE WEIRD TRICK to Hack Your WiFi!

[sexconker]

Researchers say that using this simple trick and information about iKettles, they drove around London, cracked home WiFi networks, and created a map of insecure WiFi networks across the city.

How much more click baity can you get?
And how is this a surprise? EVERY device you allow to connect to your wifi network is allowed to do so. Did you know your phone has a file in it that STORES YOUR WIFI PASSWORDS?!

virus hoax

[orgelspieler]

Remember back in the 90's when those virus hoaxes would go around saying Bill Gates was going to reset the thermometer in your freezer and melt all your ice cream? I see a new rash of those emails going around, about how hackers can make your tea steep at 80C. Oh the horror!!

Re:Researchers Use ONE WEIRD TRICK to Hack Your Wi

[AlecC]

Nonetheless, you need to get file access to such devices to read the passwords. The trick here was that they managed to get the kettle to, effectively, spit out the WiFi password. Until you compromise the network, lots of things may have lots of files inside them, but without physical access you can do nothing. This allowed them to compromise the network without physical access.

Error 418

I'm a teapot

Re:Researchers Use ONE WEIRD TRICK to Hack Your Wi

[sinij]

How much more click baity can you get?

Since you asked.

A group of strange men non-consensualy force their way onto your WiFi. Are your teenage daughters in danger?

Re:Researchers Use ONE WEIRD TRICK to Hack Your Wi

[sinij]

I suppose WPA2 would not go through full re-authentication and instead try to re-establish connection using a shared secret, but I am not certain. Excellent question.

At the very least you will have to spoof SSID and MAC and find a way to effectively jam legitimate router while being further out. This is not a trivial step because legitimate router will keep broadcasting and interfering with your imposer handshake.

WiFi water kettle? Really? Seriously?

[kheldan]

Why the actual fuck does anyone need a gods-be-damned WiFi-enabled kettle in the first place? Too lazy to walk ten steps to the kitchen to turn the thing on? Really? Seriously, we've come to this?

Re:WiFi water kettle? Really? Seriously?

[sinij]

Speak for yourself. I am anxiously waiting for a Facebook-integrated Twitter-enabled IoT flushing toilet.

Re:WiFi water kettle? Really? Seriously?

[Thud457]

... yadda yadda toilet posting to facebook yadda

Well, that certainly improve the quality of facebook.

Re: WiFi water kettle? Really? Seriously?

[ljw1004]

I'd love a smart kettle. Currently I walk into the kitchen, turn it on, and wait 5mins for it to boil. If I could click a button without interrupting my work, it'd save me 5mins a time, 30mins a day, 3 hours a week. That's a lot!

WiFi WTF

[ThatsNotPudding]

I assume these WiFi-enabled kettles are from the Useless As Tits On A Boar range.

Re:WiFi WTF

[cant_get_a_good_nick]

Since boars are mammals, don't they actual do have, you know, mammary glands? and feed their young?

Far be it from me to poke a hole in a good cliche though :)

Re:WiFi WTF

[RPGonAS400]

But it is the sows that feed the young, not the boars!

Seriously

[WallyL]

Seriously, no "418 I'm a teapot" error?

Re: Kettles

Add most of Germany onto your list of kettle users. I don't know anyone who doesn't own one.

Re:Or you know get an instant boiling water tap

[TechyImmigrant]

No. You can get taps that deliver not-boiling water. It's hot and steamy, but certainly not boiling, resulting in substandard tea. You also need a sink. An electric kettle can go anywhere there's a plug.

 

PSK (pre-shared key) needs to die

[Solandri]

A simple pre-shared password makes sense if you intend the network to be publicly accessible. e.g. You run a cafe and want the guests to be able to use your wifi network for Internet access. You can tell each of them the password. Ease of use outweighs security in this use case.

For home and corporate use, a public/private key system makes a lot more sense. There are only a few devices which you intend to give permanent wifi access to your home network (visitors can use your guest network which is protected by a simple password). Authenticate each of these devices with their own credentials using a key or certificate physically stored on the device and never transmitted over the network (the private key). If a device is ever compromised ("I lost my phone!"), you can simply revoke the credentials for that one device (delete the public key from the router) without having to make changes to every other device. This capability is already in most wifi routers - WPA2 Enterprise.

The downside is you need to be running some sort of server to handle these authentication requests. RADIUS seems to be the common one. Routers with a RADIUS server built in are rare, but since the software is free (FreeRAIUS) I expect it'll become more common, easier to use, and eventually replace WPA2 Personal (PSK) as the default security for home wifi routers.

Re:PSK (pre-shared key) needs to die

You run a cafe and want the guests to be able to use your wifi network for Internet access. You can tell each of them the password. Ease of use outweighs security in this use case.

PSK is a bad idea even for that application, but it's the best we have for now. PSK doesn't authenticate the access point. Anyone who knows the key can not only listen to all traffic on the Wifi, they can also impersonate the access point in other places, where a user might not be aware of the risk. The missing protocol is where individual keys are exchanged through Diffie-Hellman key exchange and the access point authenticates against a public hash (could be put in a QR code on the menu or on the wall behind the counter). Optionally the client would have to provide a password, but that would not be used as the key, only as an access control measure. The protocol that's currently closest to this does all that, but uses CA certificates to authenticate the access point. If we can get a standard protocol which replaces that with showing a hash or comparing the hash against a provided hash from a QR code, that would boost Wifi security enormously.

Re:PSK (pre-shared key) needs to die

[Kichigai+Mentat]

Most people don't even know about their Comcast-supplied routers costing them $8/mo and offering a publicly accessible access point to other Comcast subscribers, let alone know the difference between PSK and RADIUS, use WPS, or have the forethought to do proper backup. PSK is here to stay.

Hackable

Of course internet-connected beverage machines are hackable! Read about this back seven years ago! http://www.cnet.com/news/inter...

Re:Or you know get an instant boiling water tap

[CanadianMacFan]

I have one and used it a lot. The water is hot but not boiling (low 90s Celsius). The problem with them is that there is a small tank under the sink which keeps the water hot so you are paying electricity to keep the water hot even if you aren't using it (over the night) and if you want more than a couple of mugs the temperature starts to drop quickly as the hot water gets diluted with the cooler incoming water.

It has been about 10 years since I've looked into them so maybe they have changed since then. I haven't used it in a couple of years since I've found a better solution for my needs. I've got a dedicated tea maker which can also double as a kettle.

Chalky stuff

[Hognoxious]

Boiling water is HARD!

It's not as hard as it was before it was boiled.

Will the technique work with other devices

[140Mandak262Jamuna]

Basically the overwhelm the poor tea kettle with directional antenna and jam it to drop its wifi connection. Then when it tries to reestablish contact they spoof the wi-fi access point and grab the credentials. Why would this not work with other devices? How do the client devices authenticate the wi-fi access point before divulging the network password?

Re:Will the technique work with other devices

[FireFury03]

The password is never supposed to be sent over the air - it is used to generate a cryptographic challenge (from which the password can't be recovered). The problem with this idiotic device is that it allows anyone to telnet into it using a trivially guessable password and it will divulge the wifi password over the telnet connection. So an attacker just needs to convince the kettle to connect to their wifi network instead of the owner's network, eliminating any security the owner's firewall would usually provide.

Not Google so it's okay?

[Flentil]

They were so quick to go after Google for riding around mapping open wifi networks, while these guys are actually hacking router passwords! Yet all people talk about is the WTF factor of a network-enabled electric kettle.

Re:A good reason to kill the whole idea!

[KGIII]

Hmm... Brother makes an inexpensive branded coffee pot and, I think, electric kettles. You might be on to something!

that is incorrect

[Chirs]

General-purpose cord-and-plug connected items are allowed to use the full 15A. (This is why power tools can be 15A.) 14AWG copper conductors are actually rated for 20A for static loads like electric heat, they just downrate them to 15A for general circuits because of the possibility of multiple devices being plugged in at once and to allow for motor loads.

As for why appliances don't use the full allowed amperage...most people don't care so they manufacturers don't either.

That said, it is possible to get 1800W toasters, toaster ovens, coffee makers, etc. in the USA. They're just hard to find and you'll likely end up paying more.