In yet another example of a manufacturer of a connected product failing to secure said product, Samsung’s connected fridge allows malicious people to steal a consumer’s Gmail login credentials provided they can get on the user’s Wi-Fi network. The exploit, known as a man-in-the-middle attack, is made possible because the Samsung smart fridge lets people link their Gmail calendars to a screen in the fridge’s door so they can see their day’s events.
It’s a handy feature, except when a person logs in, the fridge says it provides SSL encryption, but fails to actually verify that the server on the Google end has the right certificate to actually get the encrypted data. It just hands it over. This is akin to a club saying it checks IDs only to let people get in without actually looking at the date on those IDs. Thus anyone on the consumer’s Wi-Fi network could pretend to be Google’s calendar service and snag the consumer’s Gmail login credentials. From there the hacker could wreak all kinds of havoc. Fortune has reached out to Samsung to see what it has to say about the vulnerability.
The vulnerability was discovered during a hackathon at the Defcon event earlier this month and covered by The Register Monday morning. Pen Test Partners discovered the weakness and blogged about both the vulnerability and how it systematically tried to attack the fridge.
The best part about the blog post is how clearly it shows off the mindset of someone trying to break the security of a connected product. Failure was only a temporary setback brought about because they hadn’t tried the right passwords or had enough time in this particular setting. For example, check out the confidence in this section (emphasis mine)
We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We “believe” we did because it is has a name that suggests this. However, it is correctly passworded and we are yet to extract the passwordthat opens the key store. We think we’ve found the password to the certificate in the client side code, but it’s obfuscated and we haven’t got round to reversing it, yet.
The challenge here is that connected products are being put out in the market by manufacturers who aren’t necessarily familiar with the importance of security. In some cases, they are legitimately unaware of the threats, but in others they are taking what they feel is a more cost-effective route, believing that they can just add security later. They cannot: Security must be designed in these products from the ground up. A second challenge is that many vendors are relying on consumers to be far more savvy about security than they are.
The Internet connected device industry needs to grow up and do so quickly, before consumers lose trust and regulators decide to get involved. Today it’s a security firm demonstrating a vulnerability, but tomorrow it may very well be a team of blackmailing moralists or a group trying to bring down a company.