Samsung RF28HMELBSR refrigerator hacked by UK researchers

Aug 25, 2015 11:56 GMT

British security firm Pen Test Partners has uncovered a security hole that allows malicious actors to perform MITM (Man in the Middle) attacks on Samsung smart fridges.

The research was carried out for the DEFCON 23 conference that took place in Las Vegas a few weeks back, and security researchers were able to hack a Samsung RF28HMELBSR refrigerator and obtain the owner's Google credentials.

Why would a fridge be handling Google authentication, you might ask. Because the fridge is part of Samsung's recent line of IoT (Internet of Things) products for smart homes, and it comes equipped with an Internet connection and a display screen, which can show to-dos and tasks pulled from a Google Calendar account.

According to the researchers, "whilst the fridge implements SSL, it FAILS to validate SSL certificates."

This exposes the smart fridge to man-in-the-middle attacks, allowing a perpetrator to intercept and steal Google login details.
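
The failure the researchers describe, as an added example that is not from the article or from Pen Test Partners: a TLS client configured to encrypt without validating certificates, next to a validating one, with an audit function that flags the difference. The function names are hypothetical, and Python's ssl module stands in for the fridge's TLS stack, which the article does not name.

```python
import ssl


def fridge_like_context():
    """Constructed weak client config: traffic is encrypted, peer is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared first, see unsafe_order_rejected()
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, including an interceptor's
    return ctx


def hardened_context():
    """Verifies the chain against the system trust store and checks the hostname."""
    return ssl.create_default_context()


def audit(ctx):
    """Return findings for a client-side SSLContext; an empty list means it validates."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("chain not verified: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for another name is accepted")
    return findings


def unsafe_order_rejected():
    """Python refuses CERT_NONE while hostname checking is on, so disabling
    validation takes two deliberate steps rather than one accidental one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, ctx in (("fridge-like", fridge_like_context()),
                      ("hardened", hardened_context())):
        print(name, audit(ctx) or "validates certificate and hostname")
    print("CERT_NONE with hostname check refused:", unsafe_order_rejected())
```

Running audit() over every client context in a code base is a quick review check for this class of bug before a device ships.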

They stole Google logins and little else

The researchers said, however, that they were unable to hack the fridge in various other scenarios, and in some cases, Samsung did have strong security policies in place.

For example, the fridge validates SSL certificates when contacting the update servers, and it does not interpret HTML tags when displaying Google Calendar entries on the display screen.

Additionally, the researchers weren't able to fake a firmware update and couldn’t use Samsung's Smart Home app to do anything "shady" either.

Since this whole "hack" was just for one of the DEFCON security workshops, they eventually ran out of time, but something tells us they'll return to this project and continue with their plans of pulling "the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces."

The Samsung RF28HMELBSR smart fridge display