A smart fridge has fallen victim to a cyber attack that exposed login details for Google's Gmail, according to security researchers. The breach of the Samsung RF28HMELBSR smart fridge raises concerns about the privacy and security of so-called 'Internet of Things' devices.
The breach was discovered by security firm Pen Test Partners and revealed at the recent DEFCON hacking conference. The researchers took advantage of the fridge's failure to validate SSL certificates, which makes 'man-in-the-middle' attacks possible.
"The internet-connected fridge is designed to display Gmail Calendar information on its display," Ken Munro, a security researcher at Pen Test Partners, told The Register. "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes the updates and those changes are then seen on any device that a user can view the calendar on.
"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentification and fake WiFi access point attack) can man-in-the-middle the fridge calendar client and steal Google login credentials from their neighbours, for example."
Pen Test Partners published a blog post detailing how the smart fridge can be exploited. In it, the researchers explained that there were other bugs with the fridge that "merited further investigation" but that they ran out of time.
In an emailed statement, Samsung said: "At Samsung, we understand that our success depends on consumers' trust in us, and the products and services we provide. We are investigating into this matter as quickly as possible. Protecting our consumer's privacy is our top priority, and we work hard every day to safeguard our valued Samsung users."