
How This Connected Refrigerator Could Put Your Passwords at Risk

If you have a Samsung smart fridge, hackers on your Wi-Fi network could find a way to your Gmail login credentials.

By Stacey Higginbotham

This story originally appeared on Fortune Magazine


In yet another example of a manufacturer failing to secure a connected product, Samsung's connected fridge lets a malicious person steal a consumer's Gmail login credentials, provided they can get onto the user's Wi-Fi network. The attack, a classic man-in-the-middle, is possible because the Samsung smart fridge lets people link their Google calendar to a screen in the fridge's door so they can see the day's events.

It's a handy feature, except that when the fridge logs in to Google on the user's behalf, it says it uses SSL encryption but never verifies that the server on the other end presents a certificate that actually belongs to Google. It negotiates an encrypted connection with whoever answers and hands the credentials over. This is akin to a club saying it checks IDs, then letting people in without looking at the date on those IDs. Thus anyone on the consumer's Wi-Fi network who can get the fridge to talk to them can present their own certificate, pretend to be Google's calendar service, and capture the consumer's Gmail login credentials; the encryption is real, but it is encryption to the attacker. From there the hacker could wreak all kinds of havoc. Fortune has reached out to Samsung to see what it has to say about the vulnerability.
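Here is what that failure looks like in code, as an added example that is not part of the Fortune article, Samsung's firmware, or Pen Test Partners' write-up. It uses only Go's standard library: an httptest HTTPS server with a self-signed certificate plays the attacker on the Wi-Fi, and a small HTTP client plays the fridge. The fridge's real protocol is not described in the article, so HTTP Basic auth, the credential values, and the names fetchCalendar, RunScenario and ControlScenario are assumptions made for illustration. With certificate verification skipped, the client encrypts its traffic and the impostor still reads the credential; with verification on, the handshake fails before any credential is sent; the control case shows that a server whose certificate chains to a trusted root still works, so the fix costs nothing in the legitimate case.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// capturingServer is an HTTPS endpoint behind a self-signed certificate that
// httptest generates on the fly. It records any Authorization header it sees,
// as a rogue host on the home Wi-Fi posing as Google's calendar service would.
type capturingServer struct {
	srv      *httptest.Server
	mu       sync.Mutex
	captured string
}

func newCapturingServer() *capturingServer {
	c := &capturingServer{}
	c.srv = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.mu.Lock()
		c.captured = r.Header.Get("Authorization")
		c.mu.Unlock()
		io.WriteString(w, "<calendar/>") // any plausible body will do
	}))
	return c
}

func (c *capturingServer) seen() string { c.mu.Lock(); defer c.mu.Unlock(); return c.captured }

// SyncResult is one calendar fetch from the fridge's side, plus what the
// server on the other end actually received.
type SyncResult struct {
	Connected        bool   // handshake completed and the request was sent
	CertRejected     bool   // client aborted because the certificate chain did not verify
	LeakedCredential string // Authorization header the server saw ("" if nothing arrived)
}

// fetchCalendar sends the user's credential to url over HTTPS. HTTP Basic auth
// is assumed for illustration (the fridge's real protocol is not described).
// skipVerify=true reproduces the reported bug: TLS is negotiated but the server
// certificate is never checked against roots (nil roots = system trust store).
func fetchCalendar(url, user, pass string, roots *x509.CertPool, skipVerify bool) (SyncResult, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, InsecureSkipVerify: skipVerify},
	}}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return SyncResult{}, err
	}
	req.SetBasicAuth(user, pass)
	resp, err := client.Do(req)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		var badHost x509.HostnameError
		if errors.As(err, &unknownCA) || errors.As(err, &badHost) {
			return SyncResult{CertRejected: true}, nil // the right outcome against an impostor
		}
		return SyncResult{}, err
	}
	resp.Body.Close()
	return SyncResult{Connected: true}, nil
}

// RunScenario points a fridge client at the rogue server. verifyCerts=false is the
// vulnerable client; verifyCerts=true trusts only the system roots, which do not
// contain the rogue's self-signed certificate.
func RunScenario(verifyCerts bool) (SyncResult, error) {
	rogue := newCapturingServer()
	defer rogue.srv.Close()
	res, err := fetchCalendar(rogue.srv.URL+"/calendar", "victim@gmail.com", "hunter2", nil, !verifyCerts)
	res.LeakedCredential = rogue.seen()
	return res, err
}

// ControlScenario shows the fix does not break the legitimate case: the test
// server's own certificate is pinned as a trusted root, and the verifying client connects.
func ControlScenario() (SyncResult, error) {
	legit := newCapturingServer()
	defer legit.srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(legit.srv.Certificate())
	res, err := fetchCalendar(legit.srv.URL+"/calendar", "victim@gmail.com", "hunter2", roots, false)
	res.LeakedCredential = legit.seen()
	return res, err
}

func main() {
	vuln, _ := RunScenario(false)
	fixed, _ := RunScenario(true)
	fmt.Printf("vulnerable: %+v\nfixed:      %+v\n", vuln, fixed)
}
```

Run it with `go run .` and compare the two lines: the vulnerable client reports Connected with a Basic credential sitting in the rogue server's hands, while the fixed client reports CertRejected and the rogue server saw nothing. The check a practitioner would want on a real device is the same one ControlScenario performs in reverse: point the device at a host presenting a certificate that does not chain to a trusted root and confirm the connection is refused before any application data is sent.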

The vulnerability was discovered during a hackathon at the Defcon event earlier this month and covered by The Register Monday morning. Pen Test Partners found the weakness and blogged about both the vulnerability and how they systematically went about attacking the fridge.

The best part of the blog post is how clearly it shows the mindset of someone trying to break the security of a connected product. Failure was only a temporary setback, brought about because they hadn't yet tried the right passwords or had enough time in this particular setting. For example, check out the confidence in this section (emphasis mine):

We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We "believe" we did because it has a name that suggests this. However, it is correctly passworded and we are yet to extract the password that opens the key store. We think we've found the password to the certificate in the client side code, but it's obfuscated and we haven't got round to reversing it, yet.

The challenge here is that connected products are being put out in the market by manufacturers who aren't necessarily familiar with the importance of security. In some cases, they are legitimately unaware of the threats, but in others they are taking what they feel is a more cost-effective route, believing that they can just add security later. They cannot: Security must be designed in these products from the ground up. A second challenge is that many vendors are relying on consumers to be far more savvy about security than they are.

The Internet connected device industry needs to grow up and do so quickly, before consumers lose trust and regulators decide to get involved. Today it's a security firm demonstrating a vulnerability, but tomorrow it may very well be a team of blackmailing moralists or a group trying to bring down a company.

Stacey Higginbotham covers tech for Fortune, focusing on chips, broadband and the Internet of Things.
