Researchers have found a way to successfully hack connected hair straighteners to turn them on and increase the heating element up to its maximum temperature—causing a serious fire hazard for unsuspecting owners.

Pen Test Partners decided to put the Glamoriser hair straightener through its security paces, given that it has Bluetooth Low Energy (BLE) embedded for connecting to a mobile app. The app allows a user to remotely change the temperature and set a time frame for automatic shut-off of the device.

“For years we’ve been trying to set fire to ‘smart’ things by hacking them. We got some charring on the iKettle, but nothing more,” said Stuart Kennedy, in a Friday posting. “These [straighteners] seemed like a much better candidate for our pyromaniac intent.”

The straighteners have a maximum temperature that comes in above the flashpoint of paper (233C/451F) – so they could definitely set a fire if left in a vulnerable location. And in fact, it’s happened before, no hacking required. Kennedy noted that a U.K. fire service quoted that up to 650,000 house fires have been caused by the accessories.

After downloading the app from the Google Play store, researchers reverse-engineered the code and were able to write a Java script for successfully manipulating the device if it’s already turned on. However, all of that turned out to be superfluous effort.

“That there is no pairing or bonding established over BLE when connecting a phone, [so] anyone in range with the app can take control of the straighteners,” Kennedy said. In other words, there is no security gate whatsoever or individual authentication between the app and the straightener. Through the app, anyone within range of the device can override the settings of the owner – say, increasing the temperature and elongating the automatic shut-off time to its longest duration, which is 20 minutes.

“Yes, this attack requires the hacker to be within Bluetooth range, but it would have been so easy for the manufacturer to include a pairing/bonding function to prevent this,” Kennedy said. “Something as simple as a button to push to put the straighteners in pairing mode would have solved it. Instead, we now have a method to set fire to houses.”

He added that while a mitigation to any real-world attack is the fact that only one app can connect to the device at any one time, this obstacle is likely not a large one in most households.

“The straighteners do not support more than one concurrent phone connection, though I can see a lot of people buying the straighteners and never actually getting ’round to connecting a phone to them, so they’re exposed,” Kennedy said. “Also, if the user goes out of BLE range, your local neighborhood hair straightener hacker can jump in and pump up the temperature.”

Average BLE range is around 10 to 20 meters (though it has a theoretical range of up to 100 meters), so any attack would need to come from someone inside the house (a disgruntled younger sibling, perhaps?) or from someone lurking directly outside. If the latter, there are perhaps other dangers to worry about. But the research points out that once again, internet of things (IoT) devices lack security by design.

“Since this is Bluetooth and requires you to be in range to exploit it, the probability of exploration from a hacker is very low, unless you make a sibling or neighbor (if you live in an apartment) mad at you,” said Lamar Bailey, senior director of security research at Tripwire, via email. “If you have this device, remember to be nice to anyone who could be within 33 feet of you straightening your hair.”

Those devices that use BLE, which is custom-made for low-power IoT sensor applications, is of particular concern, given that unlike the full implementation of the Bluetooth spec, BLE doesn’t require authentication in order to pair devices. Thus, many device-makers fail to take the extra step to build it in.

“Authentication depends entirely on the developers of the device, and experience shows that it is often neglected,” researchers Roman Unuchek and Roland Sako said in a posting last year outlining research on pet trackers last year. In that analysis BLE was found to connect these pet-trackers to the owner’s smartphone, but were left wide open to man-in-the-middle attacks.

Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More