The Internet of Things brings with it great promise, but it also carries major risks. The latest such risk: leaky smart refrigerators.
Security researchers at the firm Pen Test Partners found a flaw in Samsung’s smart fridges that lets anyone with the right technical know-how intercept the Gmail username and password of the fridge’s owner.
Ken Munro, one of the researchers, told the Register that the hack—known as a “man-in-the-middle” attack because of the way it intercepts the data—takes advantage of the fridge’s Google Calendar feature.
“It appears to work the same way that any device running a Gmail calendar does,” Munro said. “A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on.”
The internet fridge now has an email address. Say hello please, or fuzz… @IoTvillage @_defcon_ pic.twitter.com/O4u9Ibf3mm
— Ken Munro (@TheKenMunroShow) August 8, 2015
@IoTvillage no SSL cert verification on Samsung Tizen internet enabled fridge/freezer: Wi-Fi MITM FTW! How about some CTF points :-)
— Ken Munro (@TheKenMunroShow) August 8, 2015
By accessing the home’s Wi-Fi network and intercepting the stream of data heading toward the fridge, hackers can steal the data and, in analyzing it, divine the homeowner’s login information.
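The defect behind this attack is a TLS client that never checks the server's certificate. As an added illustration (example code, not from Pen Test Partners, Samsung or the Register; assumes Python 3.7 or later for ssl.TLSVersion), here is that weak client configuration beside a hardened one, with the audit a reviewer would run against each:

```python
"""Added example: a TLS client context with no certificate verification,
a hardened one, and an audit that flags the weak settings.
Assumes Python 3.7+ (ssl.TLSVersion); not code from the fridge or its app."""
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration: the client accepts any certificate at all,
    so anyone on the same Wi-Fi can stand in for the calendar server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation
    return ctx


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Only accept a certificate that chains to a trusted CA (the platform
    store, or a bundled CA file if the device ships one) and whose name
    matches the host being dialled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```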
“Authentificate” your Samsung smart fridge on @_defcon_ open wifi ::] pic.twitter.com/9dgzaWU5L6
— IoT Village (@IoTvillage) August 9, 2015
The researchers weren’t able to perform the hack themselves when they played with the fridge at the annual DEF CON security conference, but they looked at the code for the mobile app that comes with the fridge and discovered that the vulnerability existed.
Can you own our #IoT #Samsung – RF28HMELBSR fridge ::] @_defcon_ pic.twitter.com/OOsPikSpee
— IoT Village (@IoTvillage) July 31, 2015
“The name of a file found in a keystore in the mobile app’s code suggested that it contained the certificate used to encrypt traffic between mobile app and fridge,” the Register explained. If the hackers could acquire the password that protected the certificate, they could fool the fridge into thinking that it was receiving genuine commands, thus opening the door to intercept Gmail data.
Hacking smart appliances isn’t exactly new. In January 2014, the security firm Proofpoint identified what it called the first widespread IoT-based hack, which commandeered televisions and refrigerators to send malicious emails. But as with any technology, the more time researchers spend with smart appliances, the more vulnerabilities they discover. And as their discoveries create a bigger and bigger knowledge base, the pace of their discoveries seems to be increasing.
First-generation technology is almost always fundamentally insecure in major ways, and appliances plugged into the Internet of Things are no different. Many of them are running software that hasn’t been tested in other realms—software, in other words, that hasn’t had all the kinks worked out.
The more quickly people discover vulnerabilities, the less adequate the usual cycle of manufacturers’ patches and recalls will be. And when it’s your refrigerator instead of your smartphone that’s causing the problem, replacing or repairing it won’t always be so easy.
A Samsung spokesperson told the Register that the company was “investigating into this matter as quickly as possible.”
H/T The Register | Illustration by Max Fleishman