A white-hat security firm has discovered a vulnerability in one of Samsung's smart fridges that exposes owners' Gmail credentials. Pen Test Partners found the flaw at the most recent DEF CON conference in Las Vegas, highlighting a major challenge for developers working in the Internet of Things.
A so-called "man-in-the-middle" attack lets an attacker positioned on the network intercept data as it travels between a server and a device, an exchange that most smart devices depend on.
The refrigerator in question, Samsung's RF28HMELBSR, features a tablet-like interface that can display a user's Gmail calendar. To relay this information to the fridge securely, Samsung encrypts the connection with Secure Sockets Layer (SSL).
However, the researchers showed that the RF28HMELBSR never validates the SSL certificate presented by Google's servers. For the security layer to mean anything, the fridge must check that the certificate it receives from the host is genuine: issued for that host by a certificate authority the fridge trusts. The fridge skips that check, so any certificate is accepted.
Ken Munro, a security researcher at Pen Test Partners, explained the findings to The Register:
"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example."
In theory, anyone on the same WiFi network as the fridge could impersonate Google's calendar service to the fridge and capture the user's Gmail credentials. The flaw, which was first reported Monday morning, has since been communicated to Samsung, which released a statement saying it is looking into the matter.
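The defect described above, and its fix, as an added example that is not part of the original article and is not Samsung's or Pen Test Partners' code. It generates a private root CA, a genuine server certificate issued by that CA, and a self-signed impostor certificate for the same hostname, serves each over loopback, and connects two clients: one configured the way the fridge behaves (encrypted, but the peer certificate is never checked, modelled here with Go's `InsecureSkipVerify`) and one that validates against the trusted root and the expected hostname. The hostname `calendar.example.test`, the CA name, the function names and the use of Go's standard library are all assumptions; nothing here reflects the fridge's actual software stack.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Added example (not Samsung's or Pen Test Partners' code): every name and certificate here is constructed locally.
const calendarHost = "calendar.example.test"

func check(err error) {
	if err != nil {
		panic(err) // key and certificate generation failures are fatal in this demo
	}
}

// template builds a signing-CA template when ca is set, otherwise a server leaf for name.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		t.BasicConstraintsValid, t.IsCA = true, true
	} else {
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates an Ed25519 key and signs tmpl with parent; a nil parent self-signs.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// fridgeStyleConfig mirrors the defect in the article: encrypted, but any certificate is accepted.
func fridgeStyleConfig() *tls.Config {
	return &tls.Config{ServerName: calendarHost, InsecureSkipVerify: true}
}

// validatingConfig is the fix: require a chain to a trusted root and a hostname match.
func validatingConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{ServerName: calendarHost, RootCAs: roots}
}

// handshake serves cert on loopback for one connection and returns the client's verdict.
func handshake(cert *x509.Certificate, key ed25519.PrivateKey, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0",
		&tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}})
	check(err)
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // the server-side result is not what we measure
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunDemo builds a private root CA, a genuine leaf it issued and a self-signed impostor
// leaf for the same hostname, then returns each client's verdict (nil means accepted).
func RunDemo() (insecureVsImpostor, validatingVsImpostor, validatingVsGenuine error) {
	ca, caKey := newCert(template("Constructed Demo Root CA", 1, true), nil, nil)
	genuine, genuineKey := newCert(template(calendarHost, 2, false), ca, caKey)
	impostor, impostorKey := newCert(template(calendarHost, 3, false), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	insecureVsImpostor = handshake(impostor, impostorKey, fridgeStyleConfig())
	validatingVsImpostor = handshake(impostor, impostorKey, validatingConfig(roots))
	validatingVsGenuine = handshake(genuine, genuineKey, validatingConfig(roots))
	return
}

func main() {
	a, b, c := RunDemo()
	fmt.Println("fridge-style client vs impostor:", a) // nil: accepted
	fmt.Println("validating client vs impostor: ", b) // x509 error: rejected
	fmt.Println("validating client vs genuine:  ", c) // nil: accepted
}
```

The point of the three handshakes is that encryption alone is indistinguishable from the attacker's side: the fridge-style client completes a perfectly good TLS session with the impostor and would hand it the credentials, while the validating client refuses the same server with an x509 error and still accepts the genuine one. Anything a device pins or trusts has to be the real issuer's chain, not merely "some certificate arrived".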
It's probably not a serious concern for most owners, but if you have one of these fridges in your house, it couldn't hurt to change your WiFi password. Better yet, simply avoid using the Google Calendar feature until the flaw has been patched.
As smart home tech continues to proliferate, experts have voiced concern about whether the manufacturers of formerly dumb, disconnected appliances can defend them against modern cybersecurity threats. The fact that this particular flaw came from Samsung—an established electronics and software juggernaut—only serves to highlight the extent of the threat.