Bluetooth, the standard technology for communicating wirelessly between two devices, has been making its way into the beauty and personal-care realm for some time now. I personally own a Bluetooth-enabled mirror, for example, and a number of dentists I’ve spoken to have recommended electric toothbrushes that use a Bluetooth-connected smartphone app to help track brushing technique and time. The possibilities are endless, really — but according to an investigation by a U.K. security-solutions firm, they should probably end at heated hair tools.
TechCrunch reports that Pen Test Partners decided to look into U.K. styling-tools brand Glamoriser, which makes what it claims is the “world’s first Bluetooth straightener,” aptly named Bluetooth Smart Straightener. According to the brand’s product page, “This isn’t just any straightener — this one can work with your phone.” Users can download the Glamoriser app “to take advantage of personalized heat settings to suit how you style your hair,” as well as set the tool to turn off anywhere from five to 20 minutes after you’ve stopped using it.
But if someone with basic hacking knowledge and malicious intent is smarter than the Bluetooth Smart Straightener, seriously terrible things could happen — things Allure’s digital deputy director Sam Escobar called “some Final Destination shit” when I told them about it.
In a Pen Test Partners blog post dated July 12, author Stuart Kennedy writes, “We tested to see if we could overheat the device beyond 235C,” or 455 degrees Fahrenheit, the device’s maximum temperature. And while they weren’t able to override the pre-set heat range, “What you can do is override the settings as they are being used. For instance, if somebody was using the straighteners at 120C and had a sleep time of, say, five mins after use, you could change that to 235C and 20 minutes sleep time.”
And because there’s no authentication required, anyone relatively close by can change the heat and time settings to their maximums — or as Kennedy puts it, “If the user goes out of BLE range, your local neighborhood hair straightener hacker can jump in and pump up the temperature.” Pen Test Partners says this is not only a burn risk but also a house-fire risk.
Allure reached out to Glamoriser for comment, but we haven’t heard back yet. If the brand is aware of the issue, it seems nothing has been done to remedy it, as TechCrunch notes the app has not been updated since June 2018. That said, there are no known incidents involving the Bluetooth Smart Straightener, which has a five-star user rating on the brand’s site.