A Samsung smart fridge has been shown to be vulnerable to hacking, exposing the owner’s Gmail login details.
As reported on The Register, the vulnerability was demonstrated at the recent DefCon hacking conference, where Samsung’s RF28HMELBSR smart fridge was hacked by Pen Test Partners during a challenge.
The fridge does use SSL, but it fails to validate the server's certificate, so an attacker who can intercept its traffic is able to obtain the owner's Gmail login credentials, which the fridge uses to fetch Gmail calendar information and display upcoming events to everyone in the house on its 8-inch LCD.
“The internet-connected fridge is designed to display Gmail Calendar information on its display,” explains Ken Munro, a security researcher at Pen Test Partners. “It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on.”
“While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example.”
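The failure Munro describes, as an added example that is not Pen Test Partners' or Samsung's code: a local TLS server plays the impersonating "Google" and presents a self-signed certificate it minted itself, while two clients connect to it. The client configured like the fridge (InsecureSkipVerify) completes the handshake and would hand over its credentials; the client using Go's default validation rejects the forged certificate. The host name accounts.google.com is only a label on the constructed certificate; nothing here contacts Google.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// forgedCert mints a self-signed cert for Google's login host that no trusted CA has signed.
func forgedCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"accounts.google.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// startFakeServer presents the forged cert on a random localhost port, as an interposed server would.
func startFakeServer(cert tls.Certificate) string {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	go func() {
		c, _ := ln.Accept()
		c.(*tls.Conn).Handshake() // aborts when the client validates the certificate
		c.Close()
		ln.Close()
	}()
	return ln.Addr().String()
}

// connect reports whether a client with the given policy completes the handshake; skipVerify=true mirrors the fridge.
func connect(addr string, skipVerify bool) string {
	if conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: "accounts.google.com", InsecureSkipVerify: skipVerify}); err == nil {
		conn.Close()
		return "connected"
	}
	return "rejected"
}

func main() {
	fmt.Println(connect(startFakeServer(forgedCert()), true))  // connected
	fmt.Println(connect(startFakeServer(forgedCert()), false)) // rejected
}
```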
In a blog post, Pen Test Partners wrote: “We also looked at the possibility of faking a firmware update to compromise the unit via malicious custom update. We found the URL scheme to download the file, but we still need to find out a number of parameters to complete the URL. These are not secret things, just difficult to guess, like a code name for the model of the device, likely a serial number, etc.”