Kettles are leaking WiFi passwords (and other failures of the Internet of Things)

Whether we're willing to risk our data for the sake of a fancy kitchen utensil may well be a turning point in the story of internet privacy. 

The rise of the "internet of things" (basically, objects connected to the internet) is quietly rubbing the rough edges off our everyday routines. The average smartphone can now be a light switch, control your electricity meter, and turn on your toaster. Soon, if so inclined, you'll barely need to engage with anything outside an app. 

But what does connecting everything to everything else actually mean? Take the iKettle. It's a kettle which lets you boil water by touching a button on an app, thereby saving yourself the precious seconds it takes to, er, walk over to it and press a different button. To do so, it connects to your WiFi network. And that's where things get a little sticky. Because once things are connected, they can also be hacked. 

According to Ken Munro, who works at Pen Test Partners, which basically tests the hackability of different technologies, it's pretty easy to hack into the iKettle. Over an incredibly comprehensive series of blogposts covering the various incarnations of the iKettle, the company has shown how to hack into the iKettle and turn it on from afar: "If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle". Part of the problem is that if you set up the kettle with an Android phone, the authentication code is automatically set as the incredibly secure "000000", unless you reset it yourself. 

This isn't a new technological problem - journalists and private detectives were able to hack Milly Dowler's voicemails because, like most voicemail mailboxes, hers was accessible by an automatically set and easy-to-guess passcode. Yet as Munro demonstrates in a later blogpost, this all gets more serious once your hackable kettle is connected to other things. As he told tech site The Register, the hack can be used to find out your WiFi password: "I can sit outside of your place with a directional antenna, point it at your house, knock your kettle off your access point, it connects to me, I send two commands and it discloses your wireless key in plain text." 

Munro then plotted vulnerable iKettles on a map of London to show how easy it would be for hackers to share the data. The security on most Internet of Things products is, he says, “utterly bananas”. 

This is just the latest in a series of revelations about how these new connected products are actually relatively insecure: you can hack fridges, and thermostats, and probably toasters, too. Yet as Klint Finley points out at Wired, the real problem isn't these objects themselves, but the huge amounts of data they send off to servers which may be equally vulnerable, and also far more attractive to hackers. He writes:

We’re putting ever greater amounts of data into the cloud. Nest knows which rooms in your house you spend the time in, and when. Smart appliances transmit our voice commands to their manufacturers. Car insurance companies deploy tracking devices to gauge driver safety. Fitness trackers know our heart rates and how many steps we take each day. The photos we upload to Instagram may include geographic coordinates. 

Alone, these data points may seem unimportant - who cares if a hacker knows where you're standing in your living room? But together, they paint an entire portrait of a life - a life that's now accessible to anyone with a tech background and an axe to grind. And that's before you think about how governments could use these "smart" objects and the resultant data. As digital rights campaigner Cory Doctorow told my colleague Ian Steadman last year, it isn't hard to imagine a dictatorship which turns off protesters' heating via a smart thermostat during a bitterly cold winter. 

Whether we're willing to risk our data for the sake of a WiFi kettle may well be a turning point in the story of internet privacy. Either we give up, and accept that our digital footprints will soon exactly mirror our real ones, or we demand more: better security from companies marketing these connected objects, and better education on how to keep your data secure. Meanwhile, it's worth weighing up whether each new technology is worth the risks it poses to your privacy - a smart thermostat is helpful for your bills and the environment, but perhaps kettles were fine as they were. 

Barbara Speed is comment editor at the i, and was technology and digital culture writer at the New Statesman, and a staff writer at CityMetric.