How This Connected Refrigerator Could Put Your Passwords at Risk
In yet another example of a manufacturer of a connected product failing to secure said product, Samsung’s connected fridge allows malicious people to steal a consumer’s Gmail login credentials provided they can get on the user’s Wi-Fi network. The exploit, known as a man-in-the-middle attack, is made possible because the Samsung smart fridge lets people link their Gmail calendars to a screen in the fridge’s door so they can see their day’s events.
It’s a handy feature, except when a person logs in, the fridge says it provides SSL encryption, but fails to actually verify that the server on the Google end has the right certificate to actually get the encrypted data. It just hands it over. This is akin to a club saying it checks IDs only to let people get in without actually looking at the date on those IDs. Thus anyone on the consumer’s Wi-Fi network could pretend to be Google’s calendar service and snag the consumer’s Gmail login credentials. From there the hacker could wreak all kinds of havoc. Fortune has reached out to Samsung to see what it has to say about the vulnerability.
The vulnerability was discovered during a hackathon at the Defcon event earlier this month and covered by The Register Monday morning. Pen Test Partners discovered the weakness and blogged about both the vulnerability and how it systematically tried to attack the fridge.
The best part about the blog post is how clearly it shows off the mindset of someone trying to break the security of a connected product. Failure was only a temporary setback brought about because they hadn’t tried the right passwords or had enough time in this particular setting. For example, check out the confidence in this section (emphasis mine)
We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We “believe” we did because it is has a name that suggests this. However, it is correctly passworded and we are yet to extract the passwordthat opens the key store. We think we’ve found the password to the certificate in the client side code, but it’s obfuscated and we haven’t got round to reversing it, yet.
The challenge here is that connected products are being put out in the market by manufacturers who aren’t necessarily familiar with the importance of security. In some cases, they are legitimately unaware of the threats, but in others they are taking what they feel is a more cost-effective route, believing that they can just add security later. They cannot: Security must be designed in these products from the ground up. A second challenge is that many vendors are relying on consumers to be far more savvy about security than they are.
The Internet connected device industry needs to grow up and do so quickly, before consumers lose trust and regulators decide to get involved. Today it’s a security firm demonstrating a vulnerability, but tomorrow it may very well be a team of blackmailing moralists or a group trying to bring down a company.
Entrepreneur Editors' Picks
These Co-Founders Are Using 'Quiet Confidence' to Flip the Script on Cutthroat Startup Culture and Make Their Mark on a $46 Billion Industry
My 7-Year-Old Daughter Started Selling Eggs. Here's What She Taught Me About Running a Startup.
Why You Need to Become an Inclusive Leader (and How to Do It)
Career Transitions You Can Make in Your 40s and 50s
Billionaire Naveen Jain Is an Expert at Disrupting Fields He Has No Experience In. His Secret Sauce for Building Multi-Million Dollar Companies? 'You Have to Come as Naive.'
4 Principles to Develop Next-Level Leadership at Your Company
This Filipino American Founder Is Disrupting the Beverage Aisle by Introducing New Flavors to the Crowded Bubbly Water Market