The affected fridge is the Samsung RF28HMELBSR. The fridge is equipped with a built-in display that can be used to view, amongst other things, calendar details. The aim is to let the whole household plan their calendar online, putting an end to the scribbled notes found under fridge magnets around the world. Users have to provide the smart fridge with their Gmail details in order to use this feature.
Unfortunately, the fridge fails to validate the SSL security certificates sent by the Google servers at login. This makes it open to man-in-the-middle attacks because the fridge never checks to see that it is actually connected to Google, although SSL is implemented and certificates requested.
The attack, by Pen Test Partners, is explained in a report in The Register. The hackers have to connect to the same Wi-Fi network as the fridge is using but can then use the man-in-the-middle technique to intercept legitimate traffic from the fridge to the Internet and thereby steal the Gmail login credentials.
The UK-based team say that other potential weaknesses and interesting bugs “definitely merit further investigation”. They ran out of time to attempt further hacks, including hijacking communications between the fridge and Samsung software update servers, due to the time-limited nature of the DEFCON conference.
The fridge was part of the DEFCON Internet of Things village and was provided with the message “Can you own our #IoT #Samsung – RF28HMELBSR fridge ::]” The conference is designed to give hackers a chance to play with new devices and expose their weaknesses, allowing manufacturers to remedy faults in patches.
Pen Test Partners wrote in a blog post: “As a team we’re doing more and more IoT research and hacking so this was a great opportunity to work on something we can’t get on our hands in the UK yet. … We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time.”
The team adds that it has yet to follow-up on its DEFCON research because the fridge, alongside other Samsung smart models, isn’t on sale in the UK. The hijacked fridge is one of several Samsung Smart Home devices that integrate with the Internet of Things to provide at-a-glance information and easy control from a smartphone app.
The issue represents a growing concern regarding the safety of the Internet of Things. Security flaws will always be found and the Internet-connected homes of the future that are envisioned by the designers of today will be so filled with devices that some people think it inevitable that privacy will be irreversibly compromised.
