Smart hair straightener can spark more than just a beauty trend
Connectivity can be a gift or a curse, depending on the product it is added to, and sometimes it is just a marketing ploy to make some noise and boost sales.
Some devices can cause physical damage if not handled correctly or if they lack safeguards to prevent unauthorized control, warn the user of imminent risk, or take action automatically to prevent a disaster.
One device where connectivity adds the prospect of misfortune is a hair straightener. A company in the U.K. added Bluetooth connectivity to such a product called Glamoriser. An accompanying app gives users control over the heat settings and the device’s idle time, and they can use it to turn off the device remotely.
The problem is that anyone within Bluetooth range of the product can control it, Stuart Kennedy of Pen Test Partners discovered. Capable of heating up to 235 degrees Celsius (451F), Glamoriser can set things on fire.
Kennedy found there is no authentication for the Bluetooth communication between Glamoriser and a smartphone. This means anyone can send it instructions unhindered. And, despite some precautions built into the device, there is plenty of room to set things on a course for disaster.
The Glamoriser smart straightener can stay on for up to 20 minutes; if the owner needs more, they need to press a physical button. When set to the highest temperature, this is enough time to start a fire – the burning point for paper, for instance, is 233C (451.4F).
“What you CAN do is override the settings as they are being used. For instance, if somebody was using the straighteners at 120 °C and had a sleep time of say 5 mins after use, you could change that to 235 °C and 20 mins sleep time,” Kennedy explains.
While fire is possible because the vendor failed to implement Bluetooth pairing, the smart straightener can connect to only one phone at a time. The Bluetooth range is also a limitation for a potential attack.
A practical joke gone wrong may be more plausible than a malicious attack. A prankster who knows the victim has a better chance than a stranger of getting them to break the connection between the straightener and their phone, which is what a device takeover requires.
IoT makers should take heed of the advice from the infosec community about adding standard security safeguards to their products. In the case of Glamoriser, a Bluetooth pairing function would be enough to make it safer and not fuel statistics of fires started by the dumb version of this type of beauty product.
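As an added illustration (not code from Pen Test Partners or Glamoriser, and not the device's real protocol), here is a constructed Python model of the safeguard the article calls for: a GATT write handler that refuses control writes unless the link was secured by pairing, alongside a device-side bound on the values it accepts. The `Link` fields, the characteristic names and the `override_attempt` helper are assumptions; the ATT error codes and the 235 °C / 20-minute limits are real.

```python
from dataclasses import dataclass

# ATT error codes from the Bluetooth Core Specification (Vol 3, Part F, 3.4.1.1)
ATT_SUCCESS = 0x00
ATT_INSUFFICIENT_AUTHENTICATION = 0x05
ATT_INSUFFICIENT_ENCRYPTION = 0x0F
ATT_VALUE_NOT_ALLOWED = 0x13
MAX_TEMP_C = 235     # highest setting reported in the article
MAX_SLEEP_MIN = 20   # auto-off limit reported in the article

@dataclass
class Link:
    """Security state of one BLE connection (constructed model, not a stack API)."""
    encrypted: bool = False      # link-layer encryption is active
    authenticated: bool = False  # key came from an MITM-protected pairing, not Just Works

@dataclass
class Characteristic:
    """Hypothetical writable GATT characteristic with its write-permission flags."""
    name: str
    needs_encryption: bool
    needs_authentication: bool
    limit: int
    value: int

class StraightenerGatt:
    """Toy GATT server. require_pairing=False mirrors the shipped device."""
    def __init__(self, require_pairing: bool):
        self.temp = Characteristic("temperature_c", require_pairing, require_pairing, MAX_TEMP_C, 120)
        self.sleep = Characteristic("sleep_min", require_pairing, require_pairing, MAX_SLEEP_MIN, 5)

    def write(self, link: Link, ch: Characteristic, value: int) -> int:
        # Link security is checked before the payload is looked at, as an ATT server does.
        if ch.needs_encryption and not link.encrypted:
            return ATT_INSUFFICIENT_ENCRYPTION
        if ch.needs_authentication and not link.authenticated:
            return ATT_INSUFFICIENT_AUTHENTICATION
        # Device-side bound that holds no matter who is connected.
        if not 0 <= value <= ch.limit:
            return ATT_VALUE_NOT_ALLOWED
        ch.value = value
        return ATT_SUCCESS

def override_attempt(require_pairing: bool, link: Link) -> tuple:
    """Replays the change Kennedy describes (120 C / 5 min -> 235 C / 20 min) over `link`."""
    dev = StraightenerGatt(require_pairing)
    r_temp = dev.write(link, dev.temp, MAX_TEMP_C)
    r_sleep = dev.write(link, dev.sleep, MAX_SLEEP_MIN)
    return r_temp, r_sleep, dev.temp.value, dev.sleep.value
```

With `require_pairing=False` an unpaired link in range succeeds, which is the shipped behaviour; with it set, the same writes fail with Insufficient Encryption (or Insufficient Authentication after a Just Works pairing) and the settings stay where the owner left them.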
Image credit: Glamoriser