Security researchers have hacked hair straighteners from Glamoriser, according to Pen Test Partners. The UK firm bills itself as the maker of the “world’s first Bluetooth hair straighteners,” devices that users can link to an app so that the owner can set the heat and style settings and switch the straighteners off from within Bluetooth range.
Researchers found it relatively easy to send malicious Bluetooth commands within range, allowing them to remotely control the hair straighteners. The researchers demonstrated that they could send one of several commands over Bluetooth, lowering the temperature to 122°F and raising it as high as 455°F – higher than paper’s burning point. An attacker could remotely alter and override the temperature of the straighteners and how long they stay on.
“Hair straighteners can cause house fires and skin burns if not used safely. We’ve shown that we can tamper with the temperature, so even if used safely by the user, a hacker can make them less safe,” the researchers wrote.
“It would have been so easy for the manufacturer to include a pairing/bonding function to prevent this. Something as simple as a button to push to put the straighteners in pairing mode would have solved it. Instead, we now have a method to set fire to houses.”
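To make the researchers' point concrete, here is an added example (not Glamoriser's firmware, and not code from Pen Test Partners) that models a BLE characteristic write handler for the heat and timer commands: one version accepts any write over an open link, as the page describes, while the hardened version refuses writes unless the link is authenticated and bonded, and clamps the requested temperature and run time. The opcodes, the 410°F firmware cap and the 20-minute auto-off limit are assumed placeholders; only the 122°F to 455°F span comes from the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class LinkSecurity(IntEnum):
    NONE = 0           # open link, no pairing at all (what the page describes)
    JUST_WORKS = 1     # encrypted, but pairing gave no man-in-the-middle protection
    AUTHENTICATED = 2  # bonded via authenticated pairing (passkey or button confirm)


# Temperature span the page reports the device accepts over Bluetooth.
DEVICE_MIN_F, DEVICE_MAX_F = 122, 455
# Illustrative firmware limits; assumed values, not taken from the page.
SAFE_MAX_F = 410
MAX_ON_SECONDS = 20 * 60

# Assumed command opcodes carried in the characteristic write payload.
OP_SET_TEMP, OP_SET_TIMER = 0x01, 0x02


@dataclass
class StraightenerState:
    target_f: int = DEVICE_MIN_F
    auto_off_s: int = MAX_ON_SECONDS


def handle_write_unsafe(state, link, opcode, value):
    """No pairing gate, no bounds check: whoever is in range sets the heat."""
    if opcode == OP_SET_TEMP:
        state.target_f = value
    elif opcode == OP_SET_TIMER:
        state.auto_off_s = value
    return True, "applied"


def handle_write_hardened(state, link, opcode, value):
    """Require an authenticated bond before touching heat, then clamp the request."""
    if link < LinkSecurity.AUTHENTICATED:
        # A real stack would answer with an ATT "insufficient authentication" error.
        return False, "insufficient authentication"
    if opcode == OP_SET_TEMP:
        if not DEVICE_MIN_F <= value <= SAFE_MAX_F:
            return False, f"temperature {value}F outside {DEVICE_MIN_F}-{SAFE_MAX_F}F"
        state.target_f = value
    elif opcode == OP_SET_TIMER:
        if not 0 < value <= MAX_ON_SECONDS:
            return False, f"timer outside 1-{MAX_ON_SECONDS} s"
        state.auto_off_s = value
    else:
        return False, "unknown opcode"
    return True, "applied"
```

The same 455°F request that the unsafe handler applies from an unpaired link is rejected twice by the hardened one: first for lacking authentication, then for exceeding the firmware cap even on a bonded link.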
As the straightener is a Bluetooth device, a malicious actor intending to start a fire would need to be in range to exploit this vulnerability, and Lamar Bailey, senior director of security research at Tripwire, said, “the probability of exploration from a hacker is very low, unless you make a sibling or neighbor (if you live in an apartment) mad at you. If you have this device, remember to be nice to anyone who could be within 33 feet of you straightening your hair.”
In order to mitigate the risks of these connected devices being compromised, Ben Goodman, CISSP, senior vice president of global business and corporate development at ForgeRock, said Glamoriser must hold themselves accountable for securely establishing and maintaining the full lifecycle of IoT devices.
“IoT projects often prioritize connectivity and data consumption and look to security and privacy as afterthoughts. IoT is here to stay and the identities of connected devices, services and users and their associated credentials must be trusted and usable across numerous connected ecosystems to prevent man-in-the-middle as well as other types of attacks.”