Reports indicate that a security flaw in Samsung’s smart fridge might be compromising consumers’ Gmail credentials. And yes, there actually is a smart fridge on the market that comes equipped with a Wi-Fi-enabled smart display that lets users browse the Web and check email. That’s the world now: Every company is racing to be the most innovative in the IoT phenomenon.
White hat security researchers from Pen Test Partners have reported that the smart fridge is vulnerable to what’s called “man in the middle” attacks since it doesn’t have the security in place to validate SSL certificates.
“The Internet-connected fridge is designed to display Gmail Calendar information on its display,” explained Ken Munro, a security researcher at Pen Test Partners, to The Register in the U.K. “It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates, and those changes are then seen on any device that a user can view the calendar on.”
“While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can man-in-the-middle the fridge calendar client and steal Google login credentials from their neighbors, for example.”
Once being informed of the potential security issues, Samsung issued a statement: “At Samsung, we understand that our success depends on consumers’ trust in us and the products and services we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”