With each passing year, more and more everyday objects are being outfitted with network connectivity. This type of futuristic world — dubbed The Internet of Things — promises to make our lives a whole lot easier in ways we never imagined possible even just a few years ago.
Of course, with every great technological advancement come newfound security risks. Case in point: researchers recently uncovered a security flaw in a Samsung smart fridge which can compromise a user’s Gmail credentials. As to why you might need a refrigerator with an 8-inch Wi-Fi enabled display that can browse the web, mirror what’s on your phone, and even run apps, well, that’s a topic for another day.
Security researchers from Pen Test Partners disclosed the mechanics behind their hack at the Def Con hacking conference earlier this month. The researchers revealed that Samsung’s RF28HMELBSR smart fridge is vulnerable to ‘man in the middle’ attacks because it doesn’t validate SSL certificates.
Speaking to The Register, a researcher at Pen Test Partners explained: “The internet-connected fridge is designed to display Gmail Calendar information on its display. It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes the updates and those changes are then seen on any device that a user can view the calendar on.
“While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake WiFi access point attack) can man-in-the-middle the fridge calendar client and steal Google login credentials from their neighbours, for example.”
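What "SSL is in place but the certificate is not validated" looks like in client code, as an added example that is not taken from the fridge's firmware or from Pen Test Partners: a small audit function run against three client configurations built with Python's standard `ssl` module. The function and context names are hypothetical.

```python
import ssl


def audit_tls_context(ctx):
    """Return findings that would let an on-path attacker impersonate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Any certificate, including a self-signed one made by the attacker, is accepted.
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        # A valid certificate issued for some other name is accepted.
        findings.append("hostname is not checked against the certificate")
    return findings


def insecure_client_context():
    """Encrypts the session but authenticates nobody: the flaw class described above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be turned off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def chain_only_client_context():
    """Verifies the chain but skips the name check: still open to impersonation."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def validating_client_context():
    """Library defaults: chain verified against the system trust store, name checked."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for build in (insecure_client_context,
                  chain_only_client_context,
                  validating_client_context):
        issues = audit_tls_context(build())
        print(f"{build.__name__}: {'; '.join(issues) if issues else 'ok'}")
```

The same two properties, chain verification and hostname matching, are what to look for when reviewing a TLS client in any language or embedded SDK.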
Is this reason to completely shun the Internet of Things as a revolution that’s more problematic than helpful? We wouldn’t go that far, but it does serve as an important reminder to be vigilant about where you upload sensitive data. This is especially important because connected devices seemingly have less robust security than our smartphones, which are themselves vulnerable to any number of exploits.
Upon being made aware of the issue, Samsung issued the following statement: “At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”
Pen Test Partners detailed the more technical aspects of their hack in a blog post they published online last week.