When it became famous for all the wrong reasons, Smarter Applications’ iKettle seemed to sum up the nascent internet of things (IoT). For one, people scratched their heads as to why anyone would need an IoT-enabled device to boil water. And it was a security blackhole.
In the autumn of 2015, security researchers revealed the iKettle’s weaknesses and how it could be used as a way to gain access to home networks. At the IoTSF conference in London in early December, Gareth Long, CTO of Smarter Applications explained what had gone wrong and how the company changed its approach to design to avoid a second security nightmare.
“The first generation was an outsourced project,” Long said. “The way Smarter was built at the time, there was nothing in the way of resource to manage this the way it needs to be. The first two generations [of kettle] weren’t really IoT. They were just WiFi-connections, direct to the app. It was successful and served its purpose. The problems were yet to come. Clearly, it wasn’t secure enough and reliant on what sort of network security a user has.
“I know people who still use WEP [at home] because their Nintendo DS doesn’t support anything else. People are disabling WPA2 because they have older devices that don’t connect to WEP.”
“The problem we had as well was that the communications protocol between the app and the kettle was very easy to determine. You would have access to everything if you were in the network where it was operating.”
Despite the ease with which the iKettle was hacked two years ago, the impact on the products was far from swift. “What was the impact on us at the time? Not much. Why didn’t it cause a problem? I can only guess based on my own desire to hack at the time. It wasn’t the device to showcase hacking. There were lower hanging fruit.”
Long pointed to internet-connected cameras that wound up being incorporated into botnets. “A kettle is, at the end of the day a kettle. You could turn it on and boil it. The concern at the time was less on the security side of things more on the hackability. Internet hacking was more of a sport. It didn’t affect sales.”
“Now, the impact is much bigger. Now it’s getting frightening,” Long said, largely because there is so much more attention to the problems that face IoT products as a class. “No-one can avoid dealing with this now.”
And the original iKettle’s reputation continues to stalk it. “Old articles are rehashing the story and it’s something that affects us today. Customers do call us and we try to allay their fears.”
“In terms of lessons learned a number of them are basic. Never underestimate the challenge. You are never going to understand everything. You will get pwned at some point. We are learning lessons all the time. But I’ve left organizations where I wasn’t happy about they way they handled security.”
“At Smarter, what they allowed to happen was quite extreme. But their intentions were well-meaning,” said Long.
One issue was with outsourcing a large chunk of the design without putting in place controls over security. “When it comes to outsourcing security, it isn’t understood by a lot of outsourced organizations. If you ask them they say they’ve secured it. You dig more and find they haven’t or haven’t even understood the question. You have to have some defined certification to make sure they are following the due process.
“For the next generation of iKettle, an inhouse [engineering] team was built up from scratch. This time it’s a true IoT product,” Long claimed, and that meant developing support for the product that could be handled from the cloud. A number of IoT suppliers have
come to same conclusion that it is more practical to have IoT systems authenticate against remote services than to try to find ways to manage devices entirely locally. “It can be achieved without people having to hack wide-area stuff and open ports in firewalls.”
Although the applications-engineering team was put together inhouse, the core hardware platform was outsourced. Smarter opted for a platform developed by Electric Imp to form the basis of the third-generation iKettle’s controller.
“We didn’t want to reinvent the wheel. But we needed a platform that gave us the security we needed. We could then start with a secure layer and then ensure that we didn’t weaken it by doing something silly. A lot of the problems went away with a platform that was secure to begin with. Otherwise it’s a very slow process to build things up from scratch.”