How This Connected Refrigerator Could Put Your Passwords at Risk If you have Samsung smart fridge, hackers could find a way into your Gmail login information through your Wi-Fi network.

By Stacey Higginbotham

This story originally appeared on Fortune Magazine

ECBC1890 | Youtube

In yet another example of a manufacturer of a connected product failing to secure said product, Samsung's connected fridge allows malicious people to steal a consumer's Gmail login credentials provided they can get on the user's Wi-Fi network. The exploit, known as a man-in-the-middle attack, is made possible because the Samsung smart fridge lets people link their Gmail calendars to a screen in the fridge's door so they can see their day's events.

It's a handy feature, except when a person logs in, the fridge says it provides SSL encryption, but fails to actually verify that the server on the Google end has the right certificate to actually get the encrypted data. It just hands it over. This is akin to a club saying it checks IDs only to let people get in without actually looking at the date on those IDs. Thus anyone on the consumer's Wi-Fi network could pretend to be Google's calendar service and snag the consumer's Gmail login credentials. From there the hacker could wreak all kinds of havoc. Fortune has reached out to Samsung to see what it has to say about the vulnerability.

The vulnerability was discovered during a hackathon at the Defcon event earlier this month and covered by The Register Monday morning. Pen Test Partners discovered the weakness and blogged about both the vulnerability and how it systematically tried to attack the fridge.

The best part about the blog post is how clearly it shows off the mindset of someone trying to break the security of a connected product. Failure was only a temporary setback brought about because they hadn't tried the right passwords or had enough time in this particular setting. For example, check out the confidence in this section (emphasis mine)

We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We "believe" we did because it is has a name that suggests this. However, it is correctly passworded and we are yet to extract the passwordthat opens the key store. We think we've found the password to the certificate in the client side code, but it's obfuscated and we haven't got round to reversing it, yet.

The challenge here is that connected products are being put out in the market by manufacturers who aren't necessarily familiar with the importance of security. In some cases, they are legitimately unaware of the threats, but in others they are taking what they feel is a more cost-effective route, believing that they can just add security later. They cannot: Security must be designed in these products from the ground up. A second challenge is that many vendors are relying on consumers to be far more savvy about security than they are.

The Internet connected device industry needs to grow up and do so quickly, before consumers lose trust and regulators decide to get involved. Today it's a security firm demonstrating a vulnerability, but tomorrow it may very well be a team of blackmailing moralists or a group trying to bring down a company.

Stacey Higginbotham covers tech for Fortune, focusing on chips, broadband and the Internet of Things.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Starting a Business

Starting a Nonprofit Business

If you have a passion for a cause, starting a nonprofit could be for you.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Devices

The Last Pen You'll Ever Have to Buy — Never Run Out of Ink Again With the ForeverPen

The world's smallest inkless pen is durable, portable, and built to last.

Side Hustle

After This 26-Year-Old Got Hooked on ChatGPT, He Built a 'Simple' Side Hustle Around the Bot That Brings In $4,000 a Month

Dhanvin Siriam wanted to build something that made revenue from ChatGPT, and once he did, he says, "It just caught on."

Leadership

The End of Bureaucracy — How Leadership Must Evolve in the Age of Artificial Intelligence

What if bureaucracy, the very system designed to maintain order, is now the greatest obstacle to progress?

Business News

A New Hampshire City Was Named the Hottest Housing Market in the U.S. This Year. Here's the Top 10 for 2024.

Zillow released its annual lists featuring the top housing markets, small towns, coastal cities, and geographic regions. Here's a look at the top real estate markets and towns in 2024.