Everyone wants everything to be “smarter” these days. We want a coffee machine that can order more beans for us when we run out. Or an oven that sends us an alert once our food is cooked. Samsung currently makes a refrigerator with a Wi-Fi enabled LCD screen that lets users do things like display their Google Calendar conveniently on the door. But such conveniences can come with a price, and last week a group of hacking experts proved that Samsung’s fridge can leave your Google login information vulnerable to digital theft.
Security experts with Pen Test Partners took up a challenge at the recent DEF CON hacking conference to hack one of Samsung’s Smart Home appliances, the RF28HMELBSR smart fridge (in addition to security, Samsung might want to talk to their naming department). Though they weren’t able to take total control of the appliance, potentially warming your ice cream to a very unfrozen 33 degrees, they did discover that the refrigerator was vulnerable to what are called “man-in-the-middle” attacks. Specifically, this weakness could be used to steal a user’s Google credentials “from next door or on the road outside.”
The problem stems from the refrigerator’s failure to properly validate SSL certificates. “The internet-connected fridge is designed to display Gmail Calendar information on its display,” Ken Munro, a security researcher at Pen Test Partners, told The Register. “While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example.”
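For readers who build connected devices, here is what “SSL is in place, but the certificate is not validated” looks like in client code, next to the corrected setup and a small check that tells them apart. This is an added example in Python, not Samsung’s or Pen Test Partners’ code; the function names are made up for illustration.

```python
import ssl

def unvalidated_context():
    """TLS is switched on, but the server certificate is never checked
    (the class of flaw described above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, from anyone, is accepted
    return ctx

def chain_only_context():
    """Half-fixed: the chain must lead to a trusted CA, but a valid
    certificate issued for any other host name is still accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    return ctx

def hardened_context():
    """Corrected client: trusted chain required and host name matched."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the validation gaps in a client SSLContext (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not matched against the certificate")
    return findings

if __name__ == "__main__":
    for make in (unvalidated_context, chain_only_context, hardened_context):
        gaps = audit_context(make())
        print(f"{make.__name__}: {'; '.join(gaps) or 'validates the server'}")
```

Both checks have to pass before a client sends a password: a connection that is encrypted but unverified protects the login only from passive listeners, not from whoever is answering on the other end.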
Samsung responded to The Register’s article by saying they are looking into the matter. For now, if you happen to have an RF28HMELBSR, you may want to keep your yogurt in a secure location.