Hacked Bluetooth hair straighteners are too hot to handle

What do cigarettes, candles, and faulty electrical appliances have in common with one another?

The answer is they are among the top causes of house fires in countries such as the US and UK.

However, it seems there is another often overlooked cause that should be near the top of the fear list – hair straighteners.

They get hot (235 degrees Celsius, or 455 degrees Fahrenheit) and are easy to leave turned on inadvertently, which together explains why Hampshire Fire and Rescue estimates that up to 2016 they have been responsible for as many as 650,000 house fires in the UK alone.

All of which brings us to one particular expensive hair straightener product, the Glamoriser Smart Bluetooth straightener, which according to Pen Test Partners offers up yet another dismal example of how not to implement the Internet of Things (IoT) in an already risky product.

What merry hell?!

As its name implies, it uses Bluetooth Low Energy (BLE) to communicate with an Android Glamoriser app and, as with a growing number of previously dumb and perfectly satisfactory consumer products, it’s SMART – by now most readers will know what’s coming next.

Correct: Pen Test Partners researcher Stuart Kennedy found enough weaknesses to remotely override the product’s chosen temperature setting as someone is using it. Writes Kennedy:

For instance, if somebody was using the straighteners at 120°C and had a sleep time of say 5 mins after use, you could change that to 235°C and 20 mins sleep time.

That is, raise the temperature and keep it at this level for longer than would be realised by its owner, assuming an attacker running the control app was sufficiently close to connect to it across Bluetooth.

We should make it crystal clear that neither this nor any other aspect of the product is documented as having contributed to a house fire, but the potential for trouble is implicit.

IoT again

What went wrong when the Glamoriser had the smart stuff added?

It’d be easy to point out the lack of authentication between the smartphone app and the straightener itself, but the bigger problem was simply how easy it was for the researcher to work out how to send the device commands via Bluetooth.

The log files that are part of its software design were far too open, allowing anybody with a little time on their hands to infer the commands to do dangerous things.

In fact, it seems a hacker might not even need to do that – they could just fire up the app on their own phone and do the whole thing from there as long as the owner wasn’t connected or is out of range. Concludes Kennedy:

Yes, this attack requires the hacker to be within Bluetooth range, but it would have been so easy for the manufacturer to include a pairing/bonding function to prevent this.

It’s not dissimilar to the case of hot tub hacking, another IoT calamity researched by Pen Test Partners earlier this year, or the Nokelock ‘smart’ padlock in May.

The problem with too many insecure IoT devices is that their creators treat them like dumb devices rather than computers. Too few stop to think through the consequences of putting those devices-that-have-become-computers in the hands of hackers with bad intentions, and so basic computer security concepts, like the principle of least privilege, are ignored.

Pen Test Partners doesn’t say what response it got when it disclosed the security issues to the maker of this product, but hopefully it shouldn’t be hard to fix by re-engineering the app. Our advice if you own this product is to look for an update (the most recent is currently dated June 2018).