Internet Of Not-So-Smart Things: Samsung's Latest Smart Fridge Can Expose Your Gmail Password

from the I'll-take-my-devices-stupid,-thanks dept

"The internet-connected fridge is designed to display Gmail Calendar information on its display," explained Ken Munro, a security researcher at Pen Test Partners. "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on."



"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."


The sometimes blisteringly-inane hype surrounding the "Internet of Things" appears to be on a collision course with the sophomoric security standards being employed in the field. As we've seen time and time again, companies were so bedazzled by the idea of connecting everything and anything to the Internet (your hat! your pants! your toilet!) they left device and network security as an afterthought -- if they could be bothered to think about it at all. The result has been smart TVs that share your personal conversations, vehicles that can easily be used to kill you, and a home full of devices leaking your daily habits.

The latest example comes again via Samsung, whose "smart" refrigerators aren't so smart. While Samsung's shiny new refrigerators connect to the Internet, can display your Google Calendar and implement SSL, hackers during a challenge at the recent DEFCON found the refrigerators fail to validate those SSL certificates. That opens the door to all kinds of man-in-the-middle attacks, potentially allowing your neighbor to steal your Gmail login information while sitting on his couch next door.

On the plus side, this vulnerability was found after Samsung invited hackers to try and find vulnerabilities in the system, showing some proactive thinking. On the flip side, this is the same company whose "smart" TVs were found to be happily sending living room conversation snippets unencrypted over the Internet -- so it's not always clear Samsung listens to feedback, or how many bugs and vulnerabilities go unnoticed. Regardless, the researchers' blog post has a little more detail, noting they may have also found some vulnerabilities in the app's encrypted communication stream with the refrigerator.

These endless IoT security issues may have the opposite effect of that intended: actively marketing the need for many devices to be. And those dumb devices are getting harder to find. Many of the latest and greatest 4K television sets, for example, simply can't be purchased without intelligent internals that integrate functionality the user may not want. So while Wired magazine's endless 1990s obsession with intelligent refrigerators may have finally come to fruition, they may be unwitting pitchmen for how sometimes it's better for things to simply remain utterly analog -- and beautifully, simply stupid.

Filed Under: gmail, privacy, security, smart fridge, smart refrigerator

Companies: samsung