Samsung smart fridge flaw could see you lose your Gmail logins

Chilling vulnerability discovered at the DefCon hacking conference.

A Samsung smart fridge has been shown to be vulnerable to an exploit which allows an attacker to make off with the owner's Gmail login details.

The vulnerability was demonstrated at the recent DefCon hacking conference, where security experts try to poke holes in all manner of systems and gadgets.

And the Internet of Things is certainly one of the targets of choice these days: it's still in its early stages (relatively speaking), and the likes of smart home appliances and connected cars certainly have shaky security.

That's definitely the case with the RF28HMELBSR smart fridge from Samsung which, as The Register reports, was hacked by Pen Test Partners during a DefCon challenge.

This is a neat-looking and capacious four-door fridge with a price tag of $3,600 (£2,300) over in the US, and while that money might buy you a trademarked 'twin cooling plus' system and an 8-inch Wi-Fi enabled LCD, it doesn't get you validation of SSL certificates.

In other words, this smart fridge uses SSL but doesn't validate the necessary certificate, meaning a malicious party can engage in a man-in-the-middle attack, and whip away the owner's Gmail login credentials which the fridge needs to access and download Gmail calendar information (which it uses to display events, notifying everyone in the house via that 8-inch LCD).

The attacker must gain access to the network that the fridge is on, but providing he or she can pull that off, those Gmail login details are ripe for the picking.
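The defect at the heart of this story is a TLS client that encrypts the connection but never checks whose certificate it received. The following Python is an added example, not code from the article or from Pen Test Partners' work: the weak client configuration sits beside the hardened one, with a small audit helper that flags the two settings a reviewer would look for; the calendar URL and the bearer-token header are assumptions used only for illustration.

```python
"""Certificate validation: the weak TLS client configuration beside the hardened one.

Both contexts below are constructed for illustration; no appliance firmware is
reproduced here.  Only the hardened context should ever be used in a product.
"""
import ssl
import urllib.request

# Illustrative endpoint (assumption); the real fridge used Gmail credentials
# to pull calendar data, the exact URL is not part of the article.
CALENDAR_URL = "https://www.googleapis.com/calendar/v3/users/me/calendarList"


def weak_context() -> ssl.SSLContext:
    """Encrypts, but accepts ANY certificate: self-signed, expired, wrong host.

    A man-in-the-middle on the same network can present its own certificate and
    this client will send its credentials to the impostor without complaint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validates the chain against the system trust store and checks the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a reviewer would raise for a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def fetch_calendar(token: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> bytes:
    """Fetch calendar data over TLS using the given context (makes a network call)."""
    req = urllib.request.Request(CALENDAR_URL, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```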

Pen Test Partners attempted to plunder more from the Samsung kitchen appliance, but failed to intercept data sent between the fridge and its update server. They also tried to mount an attack via a fake firmware update – but didn't have time to pull this off in the end.

In a blog post, the company wrote: “We also looked at the possibility of faking a firmware update to compromise the unit via malicious custom update. We found the URL scheme to download the file, but we still need to find out a number of parameters to complete the URL. These are not secret things, just difficult to guess, like a code name for the model of the device, likely a serial number, etc.”

This particular smart fridge isn't actually available in the UK at the time of writing, but all this underlines the general security worries surrounding smart home appliances.
