Samsung Smart Refrigerator Hacked, Left Gmail Login Credentials Vulnerable

Image Source: Samsung

Did you ever think that your refrigerator could be hacked? Welcome to the world of the Internet of Things (IoT) where our everyday items are being equipped with Internet connectivity.

All of these technological advancements and smarter devices are supposed to make our life easier, but now it seems like these revolutionary devices are making us more vulnerable to cyber attacks.

As it turns out, recently at the DEFCON Black Hat security conference, a group of security researchers demonstrated an attack where they exploited a vulnerability found in Samsung smart refrigerator.

The vulnerable refrigerator is a Samsung’s new smart fridge, RF28HMELBSR, a 36-inch wide and 28 cubic feet 4-door refrigerator that comes pre-equipped with an 8-inch Wi-Fi-enabled LCD as well as the counter-height FlexZone drawer.

All those features sound fascinating but think again. Why would you need a Wi-Fi enabled smart fridge? To post a check-in status on Facebook informing your friends what food products you are storing in your refrigerator? Or maybe to browse the Internet and check your emails while searching for food? Well, we can discuss that in the comments section below, anyway, let’s get back to the topic.

That Wi-Fi enabled LCD equipped in the refrigerator we are talking about might be helpful for some, but it is actually hackable and puts your Gmail login credentials at risk of being exploited, security researchers behind Pen Test Partners revealed in their blog post earlier this month.

The security analysts spend hours to find a vulnerability within the app installed in the refrigerator and the mobile app (PlayStore link) developed by Samsung to wirelessly control the refrigerator, and found out that they were able to conduct a man-in-the-middle attack to gain access to the Gmail login credentials, if they have an access to the Wi-Fi connectivity.

Even though the software in the fridge does provide SSL (Secure Sockets Layer) encryption to establish an encrypted link but in reality, it completely failed to validate SSL certificates. This means that anyone with some knowledge about hacking could pretend to be Google and gain access to the victim’s login credentials.

“Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google’s servers to download Gmail calendar information for the on-screen display.”

Apart from that, security researchers even attempted to find vulnerabilities within the refrigerator’s firmware as well as the pre-installed Google Calendar app but failed to find any due to lack of access.

Nevertheless, they added that man-in-the-middle (MITM) attack alone is enough to exploit user’s Gmail login credentials and gain access to the account.

Samsung, after knowing about the vulnerabilities in their product, told TheRegister in a statement that: 

At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.

In the end, I would say that if, in future, your account is hacked and anyone asks about it then you could proudly tell him or her that your refrigerator is responsible. 

Watch the product demo below:

Related Posts