What a hair straightener can teach us about IoT Security
A recent article on Threat Posts provides details of a vulnerability in the Glamoriser Bluetooth Smart Straightener. The vulnerability is pretty significant. An attacker can fairly easily gain control of the hair straightener, turn the heating element up to max power, and potentially cause a fire. Discovery of this vulnerability provides us with a clear example of why manufacturers need to be more calculating in their responses to the “smart” device trend.
According to product information on the Glamoriser website, the straightener comes with a mobile app that allows the user to control heat settings of the straightener for different types of styling and lock in a favorite setting. However, as it turns out (maybe not surprisingly), their implementation of this feature is anything but “smart”.
According to quotes from the researcher who discovered the vulnerability, Stuart Kennedy, the hair straightener’s Bluetooth Low Energy (BLE) connection lacks some of the basic security features most users have come to expect in Bluetooth devices. There is no pairing function in the straightener’s BLE implementation, meaning any device within range can connect and control the straightener. Sure, the risk may be fairly low due to the distance limitations of BLE, but the threat vector is very real.
An emblematic problem with IoT and Connected Devices
This certainly is not the first time that we’ve seen once innocuous home devices turned into a threat vector. Manufacturers have routinely enabled “smart” functionality but failed to implement basic security features. However, the risks associated with this example lend credence to the warnings of researchers regarding just how serious the problem could be.
As many in the security community already know, manufacturers with no history or previous experience with implementing connected technology are rushing to create “smart” devices. The resulting implementations are often filled with security and functionality gaps. Whether this is a result of a lack of expertise or the need for speed to market (or both) is debatable. But the trend of security issues in newly released “smart” devices is undeniable.
The hair straightener example also stands as a particularly poignant lesson in that the only discernible reason to have a mobile app seems to be just the ability to label their styling tool as “smart”. The desired feature set enabled by the mobile app, being able to identify and set the needed temperature based on hair type and desired style, could have just as easily been implemented without connectivity. Hair straighteners for years have had adjustable temperature controls. Couldn’t an app that allowed the user to look up the correct settings and then manually set them on the device have been enough? Have we really reached the point in lazy consumerism where we need the app to make that adjustment for us? Let alone to the detriment of someone’s safety?
Time To Stop and Think
Sure, smart home devices are all the rage right now. Connected IoT devices are touted as the latest innovations and everyone wants to get on that bandwagon. However, if manufacturers can’t concern themselves with the safety of their consumers, they must at least start considering the risks in terms of their own liability for shipping faulty devices with real security vulnerabilities. How much does the manufacturer stand to lose if they get sued when someone is hurt or killed as a result of a security flaw in their product? The case of the Glamoriser straightener provides the most tangible illustration of those risks we’ve seen to date.
With that risk comes the need for serious investment in R&D before simply launching a product. That investment needs to include analysis of the benefits of the new connected features against the risks of liability if those features turn out to be a security flaw. Manufacturers cannot afford to assume an immeasurable marketing edge will come from simply labeling their product as “smart”. Had such analysis been done in the case of the Glamoriser, it’s doubtful that the ability to set a temperature on the device from your phone would have demonstrated value in the marketplace that outweighed the potential liability of someone’s house being burned down. This isn’t a particularly challenging threat model to build, so how did they get it so wrong?
It seems most manufacturers only pay attention to the threats and risks of their products when there is a palpable demand from consumers. Unfortunately, consumers remain blissfully unaware of these risks until something catastrophic occurs and is publicized widely in the media. Even then, market trends show we’re often willing to forgive and forget if it means we can own the latest innovative device. So we, as security researchers, have to find other ways to motivate manufacturers. So far this has proven to be a monumental task. The tide is shifting; more and more manufacturers are becoming aware of the risks and working with the security community. Sadly, it’s most often only after their failures or those of their competition are exposed.
Educating consumers and manufacturers alike seems to be one possible course of action. Security researchers have begun some outreach to the manufacturing community and we’ve made headway in certain markets like the automotive space. However, more can and must be done. There is opportunity for us to be more involved in the manufacturing community. We must look for ways not to scare manufacturers into doing better but to motivate them. Drawing the connections between producing secure products and expanding their business model is the key.
From a consumer perspective it is much the same. We’ve tried scaring people. We’ve talked about all the potential bad things that can happen. For consumers it’s a bunch of noise and they just want that cool new thing. So it’s time we start focusing on how their lives can be more convenient, more trendy, etc. by ensuring that they demand products that are secure and reject the early-to-market brands that blaze trails with questionable products. We need to make being securely connected the new hot thing.