Using a Samsung smart fridge could leave your Gmail account vulnerable to hackers
Security firm Pen Test Partners has discovered a man-in-the-middle vulnerability in Samsung smart fridges. Using this vulnerability, hackers can intercept fridge owners’ Gmail credentials.
The hack was discovered in Samsung’s RF28HMELBSR fridge, which has Wi-Fi capability that allows a user to show their Gmail calendar on the fridge’s display. Though Samsung has implemented Secure Sockets Layer (SSL) encryption, the fridge fails to validate the certificates that are exchanged as part of the SSL protocol, leaving the device vulnerable to attack. For an SSL connection to be trusted, the client must check that the certificate the server presents is valid, a check Samsung’s fridge omits.
According to The Register, because the Samsung fridge is not yet available in Europe, the UK-based security consultancy ran out of time at DefCon in its attempts to intercept communications between the fridge and the software update server. The Register’s report notes that the researchers did, however, find potential security problems in the fridge’s mobile app.
According to Pen Test, “We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We “believe” we did because it has a name that suggests this. However, it is correctly passworded and we are yet to extract the password that opens the key store. We think we’ve found the password to the certificate in the client side code, but it’s obfuscated and we haven’t got round to reversing it, yet.”
Ken Munro, a partner at Pen Test, clarifies: “While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on…can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours.”
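The defect Munro describes (encryption in place, certificate never checked) comes down to how the TLS client is configured. The following is an added example, not code from Samsung or Pen Test Partners, contrasting a client context that behaves like the fridge with a hardened one and a small audit function a reviewer can run against any client context; the function names and findings text are this example's own.

```python
import ssl
import socket

def fridge_style_context() -> ssl.SSLContext:
    """Constructed example of a client that encrypts the channel but never
    validates the server certificate: a certificate presented by anyone on
    the same network is accepted, which is what makes a MITM possible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # the validation failure in the article
    return ctx

def hardened_context(cafile=None) -> ssl.SSLContext:
    """Client context that rejects unverifiable chains and hostname
    mismatches; cafile is optional and defaults to the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let an on-path attacker impersonate
    the server; an empty list means the context validates properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified: verify_mode != CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("hostname not matched: check_hostname is off")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions below 1.2 accepted")
    return findings

def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Open a validated connection and return the peer certificate; with the
    hardened context an attacker-supplied certificate raises SSLError here
    instead of being silently accepted. Not exercised offline."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for name, ctx in (("fridge-style", fridge_style_context()),
                      ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```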