Smart refrigerator hack exposes Gmail login credentials

A bonus feature on a smart home product becomes a security liability.

A team of hackers recently discovered a man-in-the-middle vulnerability in a Samsung smart refrigerator that can be exploited to steal Gmail users' login credentials, The Register reported this week.

Hackers from security company Pen Test Partners discovered the flaw while participating in an Internet of Things (IoT) hacking challenge at the Def Con security conference earlier this month. The smart refrigerator, Samsung model RF28HMELBSR, is designed to show the user's Google Calendar, tied to their Gmail account, on its display. Samsung used SSL to protect that connection, but the hackers found that the device does not validate the server's SSL certificate. That means an attacker on the same network can present a forged certificate, sit between the fridge and Google's servers, and read the user name and password the fridge sends to link the calendar to the Gmail account.


"While SSL is in place, the fridge fails to validate the certificate," Ken Munro, a security researcher at Pen Test Partners, told The Register. "Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example."
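The failure Munro describes, as an added example that is not Pen Test Partners' code and not anything from the fridge's firmware: a Go program that plays both sides. A listener on loopback presents a self-signed certificate claiming the Google hostname, standing in for the forged certificate a man-in-the-middle on the fridge's Wi-Fi network would serve (the hostname calendar.google.com and the Basic-auth header are constructed for the example; the article does not name the real endpoint or the request format). A client that skips certificate validation, as the fridge reportedly does, completes the handshake and hands the "credentials" to the interceptor; the same client with validation turned on rejects the certificate before sending anything.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname the calendar client believes it is talking to. Assumed for this
// example; the article does not name the endpoint the fridge contacts.
const targetHost = "calendar.google.com"

// forgedCert builds a self-signed certificate for targetHost, the kind of
// certificate an attacker on the fridge's network would present. No trusted
// CA signed it, so a client that validates certificates must reject it.
func forgedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: targetHost},
		DNSNames:     []string{targetHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startInterceptor is the man-in-the-middle: it serves the forged certificate
// and reports the first bytes each client sends after the handshake, or ""
// when the client aborted the handshake and leaked nothing.
func startInterceptor(cert tls.Certificate, captured chan<- string) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				buf := make([]byte, 256)
				n, err := c.Read(buf) // handshake happens here on a tls.Conn
				if err != nil {
					captured <- ""
					return
				}
				captured <- string(buf[:n])
			}(conn)
		}
	}()
	return ln, nil
}

// sendCredentials models the fridge's calendar client. With skipVerify true it
// behaves like the reported fridge (certificate never checked); with false it
// verifies the chain against the system roots and the expected hostname.
// The Basic-auth header is a constructed stand-in for the Google credentials.
func sendCredentials(addr string, skipVerify bool) error {
	cfg := &tls.Config{
		ServerName:         targetHost,
		InsecureSkipVerify: skipVerify,
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err // validating client stops here: x509 unknown authority
	}
	defer conn.Close()
	_, err = conn.Write([]byte("Authorization: Basic dXNlckBnbWFpbC5jb206aHVudGVyMg==\r\n"))
	return err
}

// Outcome records, for one client configuration, the handshake result and
// what the interceptor managed to capture.
type Outcome struct {
	HandshakeErr error
	Captured     string
}

// Demo runs the non-validating and the validating client against the interceptor.
func Demo() (vulnerable, fixed Outcome, err error) {
	cert, err := forgedCert()
	if err != nil {
		return
	}
	captured := make(chan string, 2)
	ln, err := startInterceptor(cert, captured)
	if err != nil {
		return
	}
	defer ln.Close()
	addr := ln.Addr().String()

	vulnerable.HandshakeErr = sendCredentials(addr, true)
	vulnerable.Captured = <-captured

	fixed.HandshakeErr = sendCredentials(addr, false)
	fixed.Captured = <-captured
	return
}

func main() {
	v, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no validation: handshake err=%v, interceptor saw %q\n", v.HandshakeErr, v.Captured)
	fmt.Printf("validation on: handshake err=%v, interceptor saw %q\n", f.HandshakeErr, f.Captured)
}
```

The only difference between the two clients is one flag, which is why this class of bug is so easy to ship: the connection is encrypted either way, so nothing looks wrong on the wire until someone puts a forged certificate in the path. The fix on a real device is the same as here, verify the chain against a trusted root store and check that the certificate names the host you dialed, and never disable that check in production builds.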

Samsung reportedly told The Register that it is "investigating into this matter as quickly as possible." However, the hackers said in a blog post that the man-in-the-middle attack wasn't the only potential vulnerability they have found, so Samsung may have its hands full.

This is one of many recent manifestations of the security fears surrounding the smart home, and it's not even the first to involve a smart refrigerator. In January 2014, security firm Proofpoint released a report that found a smart refrigerator had been hacked in the wild and used in a spam campaign that relied on about 100,000 hijacked devices in total.

Other, more alarming smart home hacks have come to light in the past year as well, including the website that aggregated live video feeds of internet-connected home security cameras that used the same default user names and passwords.

Copyright © 2015 IDG Communications, Inc.
