
Dire straights: Glamoriser smart hair straighteners susceptible to hacking, warn researchers


Here's some news that might curl your hair: A pen testing firm has disclosed a vulnerability in the Glamoriser smart hair straightener that could allow attackers to easily gain control of the device and perhaps create a fire hazard.

The problem involves the Bluetooth Low Energy (BLE) connection that the straightener uses to communicate with the product's official mobile app. Because there is no secure pairing or bonding process, anyone within Bluetooth range could take over the device from their own phone, warns the UK firm Pen Test Partners in a blog post today.

"There is no auth on the BLE communications between the device and the phone. Data can be sent to the device at any time as long as it is turned on (via the mains power socket)," the blog post states. "Something as simple as a button to push to put the straighteners in pairing mode would have solved it," the report later states.

Granted, an attacker cannot take over the device while the legitimate user is already connected, but users who haven't yet established a connection, or whose phone has dropped out of BLE range, would be susceptible to an ambush.

According to Pen Test Partners, malicious actors could change the temperature setting and how long the straighteners stay on. There are limits, however: The product is programmed to shut off automatically after 20 minutes and cannot exceed 235 Celsius. Nevertheless, the Pen Test Partners team was able to start a fire in a research environment using the takeover technique.
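The two design points the article raises, an open characteristic that accepts writes from any central versus a button-gated pairing window with bonding, and the device's own temperature and run-time ceilings, can be modelled side by side. The following is an added illustration written for this page; it is not Pen Test Partners' code and not the Glamoriser firmware, and it says nothing about the real device's GATT layout. The 235 C and 20-minute limits come from the article; the 60-second pairing window, the peer names and the single-connection rule are assumptions chosen to show the mitigation the researchers describe.

```python
"""Simulated BLE heating appliance: open writes vs. button-gated bonding.

Added example for this article, not vendor or researcher code. Limits
(235 C, 20 min) are quoted from the article; the pairing window length,
peer identifiers and single-connection lock are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

MAX_TEMP_C = 235            # ceiling stated in the article
MAX_RUNTIME_S = 20 * 60     # auto shut-off stated in the article
PAIRING_WINDOW_S = 60.0     # ASSUMED: how long the button keeps pairing mode open


@dataclass
class Setpoint:
    temp_c: int = 0
    runtime_s: int = 0


class OpenWriteDevice:
    """Models the reported behaviour: no pairing, no bonding, any peer may write."""

    def __init__(self) -> None:
        self.setpoint = Setpoint()

    def write_setpoint(self, peer: str, temp_c: int, runtime_s: int) -> bool:
        self.setpoint = Setpoint(temp_c, runtime_s)   # accepted unconditionally
        return True


class GatedDevice:
    """Hardened model: bonding only inside a button-opened window, writes only
    from the bonded peer that currently holds the connection, and setpoints
    rejected when outside the physical limits."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self._clock = clock                  # injectable so tests are deterministic
        self._bonded: set[str] = set()       # bonding table (real firmware persists it)
        self._pairing_until = 0.0
        self._connected: Optional[str] = None
        self.setpoint = Setpoint()

    def press_pairing_button(self) -> None:
        """Physical button press: accept new bonds for PAIRING_WINDOW_S seconds."""
        self._pairing_until = self._clock() + PAIRING_WINDOW_S

    def bond(self, peer: str) -> bool:
        if self._clock() >= self._pairing_until:
            return False                     # not in pairing mode: refuse the bond
        self._bonded.add(peer)
        return True

    def connect(self, peer: str) -> bool:
        if peer not in self._bonded:
            return False                     # unknown peer never reaches the characteristic
        if self._connected not in (None, peer):
            return False                     # one central at a time
        self._connected = peer
        return True

    def disconnect(self, peer: str) -> None:
        if self._connected == peer:
            self._connected = None

    def write_setpoint(self, peer: str, temp_c: int, runtime_s: int) -> bool:
        if peer != self._connected:
            return False                     # write must come over the bonded link
        if not 0 <= temp_c <= MAX_TEMP_C or not 0 < runtime_s <= MAX_RUNTIME_S:
            return False                     # reject out-of-range rather than clamp silently
        self.setpoint = Setpoint(temp_c, runtime_s)
        return True


class FakeClock:
    """Manually advanced clock so the pairing window can be tested offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenario() -> dict[str, bool]:
    """Drive both models through the same sequence; True means the write/bond was accepted."""
    r: dict[str, bool] = {}
    open_dev = OpenWriteDevice()
    r["open_stranger_write"] = open_dev.write_setpoint("stranger", MAX_TEMP_C, MAX_RUNTIME_S)

    clock = FakeClock()
    dev = GatedDevice(clock)
    r["gated_stranger_write"] = dev.write_setpoint("stranger", MAX_TEMP_C, MAX_RUNTIME_S)
    r["bond_without_button"] = dev.bond("owner-phone")
    dev.press_pairing_button()
    r["bond_in_window"] = dev.bond("owner-phone")
    clock.advance(PAIRING_WINDOW_S)             # window has closed
    r["bond_after_window"] = dev.bond("stranger")
    r["owner_connect"] = dev.connect("owner-phone")
    r["stranger_connect"] = dev.connect("stranger")
    r["owner_valid_write"] = dev.write_setpoint("owner-phone", 200, 600)
    r["owner_overrange_write"] = dev.write_setpoint("owner-phone", 300, 600)
    dev.disconnect("owner-phone")
    r["stranger_write_after_disconnect"] = dev.write_setpoint("stranger", 200, 600)
    return r


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:34s} {'accepted' if ok else 'rejected'}")
```

The open model accepts the stranger's write at the maximum setting; the gated model refuses every write that does not arrive over a bond established while the button window was open, including after the owner disconnects, which is exactly the gap the article describes for users who drop out of range. The range check is deliberately a rejection rather than a clamp, so a request for an impossible setting is treated as a fault to log rather than quietly rounded down.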

SC Media has reached out to UK-based Glamoriser for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
