22 October 2015, updated 30 Jun 2021 8:10am

Kettles are leaking WiFi passwords (and other failures of the Internet of Things)

Whether we're willing to risk our data for the sake of a fancy kitchen utensil may well be a turning point in the story of internet privacy. 

By Barbara Speed

The rise of the “internet of things” (basically, objects connected to the internet) is quietly rubbing the rough edges off our everyday routines. The average smartphone can now be a light switch, control your electricity meter, and turn on your toaster. Soon, if so inclined, you’ll barely need to engage with anything outside an app. 

But what does connecting everything to everything else actually mean? Take the iKettle. It’s a kettle which lets you boil water by touching a button on an app, thereby saving yourself the precious seconds it takes to, er, walk over to it and press a different button. To do so, it connects to your WiFi network. And that’s where things get a little sticky. Because once things are connected, they can also be hacked. 

According to Ken Munro, who works at Pen Test Partners, which basically tests the hackability of different technologies, it’s pretty easy to hack into the iKettle. Over an incredibly comprehensive series of blogposts covering the various incarnations of the iKettle, the company has shown how to hack into the iKettle and turn it on from afar: “If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle”. Part of the problem is that if you set up the kettle with an Android phone, the authentication code is automatically set as the incredibly secure “000000”, unless you reset it yourself.

This isn’t a new technological problem – journalists and private detectives were able to hack Milly Dowler’s voicemails because, like most voicemail mailboxes, hers was accessible by an automatically set and easy to guess passcode. Yet as Munro demonstrates in a later blogpost, this all gets more serious once your hackable kettle is connected to other things. As he told tech site The Register, the hack can be used to find out your WiFi password: “I can sit outside of your place with a directional antenna, point it at your house, knock your kettle off your access point, it connects to me, I send two commands and it discloses your wireless key in plain text.”

Munro then plotted vulnerable iKettles on a map of London to show how easy it would be for hackers to share the data. The security on most Internet of Things products is, he says, “utterly bananas”. 

This is just the latest in a series of revelations about how these new connected products are actually relatively insecure: you can hack fridges, and thermostats, and probably toasters, too. Yet as Klint Finley points out at Wired, the real problem isn’t these objects themselves, but the huge amounts of data they send off to servers which may be equally vulnerable, and also far more attractive to hackers. He writes:

We’re putting ever greater amounts of data into the cloud. Nest knows which rooms in your house you spend the time in, and when. Smart appliances transmit our voice commands to their manufacturers. Car insurance companies deploy tracking devices to gauge driver safety. Fitness trackers know our heart rates and how many steps we take each day. The photos we upload to Instagram may include geographic coordinates. 

Alone, these data points may seem unimportant – who cares if a hacker knows where you’re standing in your living room? But together, they paint an entire portrait of a life – a life that’s now accessible to anyone with a tech background and an axe to grind. And that’s before you think about how governments could use these “smart” objects and the resultant data. As digital rights campaigner Cory Doctorow told my colleague Ian Steadman last year, it isn’t hard to imagine a dictatorship which turns off protesters’ heating via a smart thermostat during a bitterly cold winter. 

Whether we’re willing to risk our data for the sake of a WiFi kettle may well be a turning point in the story of internet privacy. Either we give up, and accept that our digital footprints will soon exactly mirror our real ones, or we demand more: better security from companies marketing these connected objects, and better education on how to keep your data secure. Meanwhile, it’s worth weighing up whether each new technology is worth the risks it poses to your privacy – a smart thermostat is helpful for your bills and the environment, but perhaps kettles were fine as they were.