Samsung smart fridge could make your Google login vulnerable


People stick all kinds of important things on the fridge, from artwork to sticky-note reminders. Samsung knows this, so it incorporated a screen onto its RF28HMELBSR Wi-Fi-enabled fridge. The LCD screen can display your Gmail calendar, so you can scope out your early-morning meeting situation as you make your coffee. It’s helpful but also hackable, according to The Register.

Earlier this month, Pen Test Partners found out the smart fridge is vulnerable after an IoT Village challenge at Def Con. The security consultants looked at the fridge’s mobile app and explained in a blog post that using what’s called a man-in-the-middle attack, a third party could gain access to the owner’s Gmail login information, if they were on the user’s Wi-Fi network. While the fridge provides SSL encryption, it gives the data to the Google server without verifying that it has the appropriate certificate, meaning someone else could pretend to be Google and get the login info.

“While SSL is in place, the fridge fails to validate the certificate,” Pen Test Partners security researcher Ken Munro tells The Register. “Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example.”

During the hackathon, the team tried several other means of hacking the fridge, including faking a firmware update, but failed.

In a statement, Samsung said, “At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”