Easily Hacked Kettle Highlights the Lack of ‘Internet of Things’ Security

An article on the Techdirt website about the ease with which a Smart Kettle can be hacked has highlighted the dire state of device security for the ‘Internet of Things’.

The iKettle allows users to turn it on remotely from anywhere using a smartphone app.  However, researchers have pointed out that the kettle is relatively easy to hack, especially if the user has not configured it properly.  The company that produces the iKettle has said its associated Android and iOS apps will be upgraded to eliminate the security vulnerabilities.  However, there is still the wider problem of ‘Internet of Things’ devices opening up vulnerabilities in people’s home networks, especially where device security is an afterthought.

The advice the researchers give is to not put ‘Internet of Things’ devices on your network unless you are absolutely sure they are secure.

France Wants all Travelling EU Nationals Fingerprinted

Nikolaj Nielsen reports in the EU Observer that France is proposing that all travelling EU nationals should be required to give their fingerprints and possibly also have their faces scanned as part of the Smart Borders programme.

Smart Borders was proposed in 2013 by the EU Commission to allow management of the external borders of the Schengen Member States.  Biometric scanning of visiting non-EU nationals was also included in the scheme.  It has been on hold for a while due to cost concerns; however, an updated plan for the scheme is expected before the end of the year.

A document submitted by the French delegation claims that an expanded Smart Borders scheme is required to address terrorist threats, citing the Charlie Hebdo attack in Paris and the recent attack on an Amsterdam to Paris train to justify the proposal.  Further justifications include dealing with migration and managing increasing passenger numbers.

France is of course one of the key powers within the EU and the concern must be that they will be able to force their plans through irrespective of the wishes or objections of the people of the EU, or of other member state Governments.

What 10 million passwords reveal about the people who choose them

A team at WP Engine has conducted an interesting analysis of some 10 million passwords collected from various sources such as leaks and dumps of passwords.  Virtually none of the passwords were still in use, so the researchers considered it ethical to use the dataset in their research.

The analysis highlights that people tend to choose passwords based on defined patterns and whatever comes to mind when asked for a password.  So it is not surprising that, among the 50 most used passwords, the most common text-based password is the word “password” itself.  However, the use of patterns does make guessing passwords very easy, especially for password cracking software such as HashCat, which can make up to 300,000 guesses at a password per second.

Other patterns identified were people adding their year of birth to their name to create a password, and an interesting sex difference was that the word “love” appeared in women’s passwords more often than in men’s.  Keyboard patterns (e.g. qwerty) also feature prominently in the passwords.  These can appear random, but again they are easy to predict using software.

Password Entropy

The WP Engine team highlights that the strength of a password increases with its entropy, which is a measure of the variation of the characters in the password.  Entropy increases most significantly with the length of the password; however, passwords that appear to have a lot of entropy when an entropy calculation is applied may in practice have none.  For example, “password” has an entropy score of 37.6 bits; in practice, though, its score is zero because every word list used by password crackers includes the word “password”.

Interestingly, adding a number to a password will increase its entropy, but the increase may not be as significant as it initially appears.  This is because both the act of adding a number and the actual number added (the most common being 1) are predictable and therefore easily incorporated into a password cracking program.
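The two points above (a naive entropy figure versus its practical value once word lists and digit-suffix rules are taken into account) can be made concrete with a short calculation.  The following is an added example written for this page, not code from the WP Engine article: it reproduces the 37.6-bit figure for “password” (8 characters drawn from a 26-letter pool), then applies a crude attacker-aware adjustment in which a word-list entry counts for nothing and a word-list entry with digits appended counts only for the digits.  The word list and the 300,000 guesses-per-second rate are constructed stand-ins; the `practical_entropy_bits` model is a simplification assumed for illustration.

```python
import math
import string

# Character classes used to estimate the pool a character could have been
# drawn from; this is the usual "brute-force" entropy model.
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
]

# Constructed, tiny stand-in for a cracker's word list.
WORDLIST = {"password", "qwerty", "letmein", "monkey"}

# Guess rate quoted on the page for HashCat (guesses per second).
GUESS_RATE = 300_000


def pool_size(pw):
    """Size of the combined character pool the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def naive_entropy_bits(pw):
    """Textbook estimate: length * log2(pool size)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(pool_size(pw))


def practical_entropy_bits(pw, wordlist=WORDLIST):
    """Attacker-aware estimate (simplified model, assumed for illustration):
    - a bare word-list entry is worth 0 bits, since it is tried directly;
    - a word-list entry followed by digits is worth only the bits needed to
      pick the digit suffix, since crackers append digits as a rule;
    - anything else falls back to the naive estimate."""
    lower = pw.lower()
    if lower in wordlist:
        return 0.0
    stem = lower.rstrip(string.digits)
    suffix = lower[len(stem):]
    if suffix and stem in wordlist:
        return len(suffix) * math.log2(10)
    return naive_entropy_bits(pw)


def seconds_to_exhaust(bits, rate=GUESS_RATE):
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return (2 ** bits) / rate


if __name__ == "__main__":
    for pw in ("password", "password1", "correct horse"):
        n = naive_entropy_bits(pw)
        p = practical_entropy_bits(pw)
        print(f"{pw!r}: naive {n:.1f} bits, practical {p:.1f} bits, "
              f"naive exhaust time {seconds_to_exhaust(n) / 86400:.1f} days")
```

Running this shows “password” at 37.6 bits naively (around eight days to exhaust at 300,000 guesses per second) but 0 bits in practice, and “password1” jumping to about 46.5 bits naively while the digit suffix adds only about 3.3 bits of real work once the stem is known to be on the list.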

Overall, the WP Engine article is a recommended read, if only to make sure that none of the passwords you are using are amongst the 50 most used!