These days we are in the middle of the IoT revolution. People are flocking to electronics stores to buy smart appliances that promise more convenience in everyday life, and security researchers keep finding vulnerabilities in these devices almost as fast as they reach the shelves. It seems that for every IoT device released there is a corresponding security problem waiting to be discovered. It turns out that even a smart refrigerator can expose a user's personal information. While researching smart refrigerator vulnerabilities I came across an attack that lets an adversary capture a user's Google login credentials, and I thought it was definitely noteworthy. In this document I will go over who discovered this smart refrigerator vulnerability, how the vulnerability is exploited, and what a user can do to avoid becoming a victim of it.
The attack that recovers a user's Google login credentials through the Samsung smart refrigerator was discovered by security researchers at a security company named Pen Test Partners. They found it during the IoT Village hacking challenge at the DEF CON 23 security conference (Neagle, 2015). The researchers tried several routes to find vulnerabilities in the Samsung smart refrigerator, including firmware attacks, tearing down the mobile app, and probing the TCP services the refrigerator exposed (Venda, 2015). Where they found the vulnerability was in the refrigerator's SSL/TLS implementation: the client code did not validate the server's certificate. Because the refrigerator accepted any certificate presented to it, an attacker who could get between the refrigerator and Google's servers could perform a man-in-the-middle attack and obtain the user's Google credentials, which the refrigerator sends because it has a Google Calendar application that lets a user post calendar events and notes on the refrigerator door. Having a Google Calendar on the door of your refrigerator sounds like a great idea and could be very convenient for organizing a family's tasks and meetings. Unfortunately, the flaw discovered by Pen Test Partners made the Google Calendar feature a prime target for the user's personal information.
This smart refrigerator hack is basically a man-in-the-middle attack. In a man-in-the-middle attack the attacker sits on the network path between a device and the server it talks to, so that the device's traffic passes through the attacker's machine. A passive packet sniffer such as Wireshark can capture traffic on a network, but on its own it only reveals information that is sent unencrypted (Nohe, 2018); a correctly implemented SSL/TLS connection gives a sniffer nothing useful. The refrigerator's flaw changes that. An attacker who has interposed themselves (for example with ARP spoofing or a rogue Wi-Fi access point) answers the refrigerator's connection with a forged certificate for Google's hostname. A client that validates certificates would reject that certificate, because it is not signed by a trusted certificate authority. The refrigerator does not check, so it completes the handshake with the attacker instead of Google, encrypts the session to the attacker's key, and hands over the Google credentials in a form the attacker can read before relaying the traffic onward. The most likely explanation is that the developers disabled or never implemented certificate validation, a common shortcut in embedded code, and that security testing of the refrigerator's smart features did not catch it. A problem like this can be fixed with a software update, and Samsung has said that it is looking into the vulnerability (Neagle, 2015). Although having your Google credentials exposed to an attacker is a very bad outcome, the attacker has to be on the same network as the refrigerator, or otherwise on its network path, to carry out this attack.
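The following Go program is an added example written for this document; it is not code from Pen Test Partners, Samsung, or the refrigerator. It reproduces the certificate validation failure described above and the two correct alternatives. It assumes a stand-in hostname, calendar.example, and mints two throwaway self-signed certificates for that name: a "genuine" one the real server would hold and a "forged" one an on-path attacker would present. A local TLS server plays the attacker, and three client policies connect to it: no certificate validation (the refrigerator's behaviour), validation against the system trust store, and validation against a pinned certificate. Only the first policy accepts the forged certificate; the pinned client is then shown accepting the genuine one, so the fix does not break the legitimate connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway certificate for host. Called twice, it
// yields a "genuine" server certificate and an attacker's "forged" one with
// the same name but a different key (constructed test data, not real certs).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is also its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// serve starts a TLS listener presenting cert; it stands in for the server
// the refrigerator reaches, which under attack is the interceptor's box.
func serve(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Write([]byte("hello\n")) // Write drives the handshake; errors just end the connection
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// connect performs a TLS handshake under the given client policy and returns
// nil only if the client accepted the server's certificate.
func connect(addr string, cfg *tls.Config) error {
	d := net.Dialer{Timeout: 2 * time.Second}
	conn, err := tls.DialWithDialer(&d, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records which client policies completed a handshake.
type Outcome struct {
	NoValidationAcceptsForged bool // the refrigerator's behaviour
	SystemRootsAcceptsForged  bool
	PinnedAcceptsForged       bool
	PinnedAcceptsGenuine      bool
}

// Demo runs the forged server against all three policies, then the genuine
// server against the pinned policy.
func Demo() (Outcome, error) {
	const host = "calendar.example" // hypothetical stand-in for the real API hostname
	var out Outcome
	genuine, genuineLeaf, err := selfSignedCert(host)
	if err != nil {
		return out, err
	}
	forged, _, err := selfSignedCert(host)
	if err != nil {
		return out, err
	}
	pin := x509.NewCertPool()
	pin.AddCert(genuineLeaf)
	noValidation := &tls.Config{InsecureSkipVerify: true}              // vulnerable: any cert is fine
	systemRoots := &tls.Config{ServerName: host}                        // default: trust store + hostname check
	pinned := &tls.Config{ServerName: host, RootCAs: pin, MinVersion: tls.VersionTLS12}

	addr, stop, err := serve(forged)
	if err != nil {
		return out, err
	}
	out.NoValidationAcceptsForged = connect(addr, noValidation) == nil
	out.SystemRootsAcceptsForged = connect(addr, systemRoots) == nil
	out.PinnedAcceptsForged = connect(addr, pinned) == nil
	stop()

	addr, stop, err = serve(genuine)
	if err != nil {
		return out, err
	}
	out.PinnedAcceptsGenuine = connect(addr, pinned) == nil
	stop()
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The interesting line is the `InsecureSkipVerify: true` configuration: it is the Go equivalent of what the refrigerator's client did, and it is the only policy for which the forged certificate is accepted. Pinning the expected certificate (or the CA that issues it) is the stricter option for a device that only ever talks to one service, but even the default system trust store is enough to stop this attack.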
Personally, I would love to have a refrigerator with the kind of functionality this Samsung smart refrigerator has. The convenience of having my Google Calendar on the refrigerator door with all of my notes and to-do lists could be very beneficial. The first thing you have to do to keep this kind of attack from victimizing you is to be very aware of who has access to the network your refrigerator is on: protect the Wi-Fi with a strong passphrase, and where possible put IoT devices on a separate guest network so that a compromised laptop or phone is not sitting next to them. Samsung said it was investigating the vulnerability (Neagle, 2015), and a bug like this is fixed by a software update, so keep your IoT devices' software current; that is how many security vulnerabilities are closed. It is a shame that this vulnerability was present in the smart refrigerator, because a user's Google credentials should always be kept confidential, and the ability to perform a man-in-the-middle attack on a smart refrigerator should be addressed immediately.
Although the man-in-the-middle attack on this smart refrigerator may not seem like a very severe security threat, it is nonetheless a substantial vulnerability. No one wants their personal information exposed to an attacker, and this flaw gave attackers yet another way to take advantage of ordinary users of IoT devices. The more research I do on IoT devices and their vulnerabilities, the clearer it becomes that companies' software engineering practices need to include more security testing. Samsung is a very large corporation with many customers, and I am sure it already does plenty of security testing, but this is evidence that even the largest companies need to step up their security practices.
Neagle, C. (2015, August 26). Smart refrigerator hack exposes Gmail login credentials. Network World. https://www.networkworld.com/article/2976270/smart-refrigerator-hack-exposes-gmail-login-credentials.html
Nohe, P. (2018, November 29). Executing a Man-in-the-Middle Attack in just 15 Minutes. The SSL Store. https://www.thesslstore.com/blog/man-in-the-middle-attack-2/
Venda, P. (2015, August 18). Hacking DefCon 23's IoT Village Samsung fridge. Pen Test Partners. https://www.pentestpartners.com/security-blog/hacking-defcon-23s-iot-village-samsung-fridge/