You’d wonder why someone would need a Bluetooth-enabled hair straightener of all things, but one does exist. Glamoriser, a company based in the United Kingdom, sells what it claims to be the “world’s first Bluetooth hair straightener.” Users can link the device to an app in order to set heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range. Turns out, it’s pretty easy to hack as well.
That’s the thing about making every device “smart.” Once it becomes a connected device, the door is open just enough for hackers to try and force their way through. Pen Test Partners security researchers were able to do just that with the Bluetooth hair straightener. They could easily send malicious Bluetooth commands within range and thus remotely control someone’s straighteners.
The researchers showed how they could send a malicious command to set the temperature to either the lower or upper limit of the device, which are 122°F and 455°F respectively. Since the straighteners have no authentication, an attacker can remotely change and override the temperature and the duration for which the device is to stay on.
They point out that if a malicious command is sent to the device and it’s kept at the maximum temperature for 20 minutes, it could pose a serious fire hazard. The only upside here is that since the straighteners only allow one concurrent connection, a hacker will only be able to target the device as long as the owner hasn’t connected their phone to it.
Source: pentestpartners