Internet Of Not-So-Smart Things: Samsung's Latest Smart Fridge Can Expose Your Gmail Password

from the I'll-take-my-devices-stupid,-thanks dept

Tue, Aug 25th 2015 3:08am — Karl Bode

The sometimes blisteringly-inane hype surrounding the "Internet of Things" appears to be on a collision course with the sophomoric security standards being employed in the field. As we've seen time and time again, companies were so bedazzled by the idea of connecting everything and anything to the Internet (your hat! your pants! your toilet!) they left device and network security as an afterthought -- if they could be bothered to think about it at all. The result has been smart TVs that share your personal conversations, vehicles that can easily be used to kill you, and a home full of devices leaking your daily habits.

The latest example comes again via Samsung, whose "smart" refrigerators aren't so smart. While Samsung's shiny new refrigerators connect to the Internet, can display your Google Calendar and implement SSL, hackers during a challenge at the recent DEFCON found the refrigerators fail to validate those SSL certificates. That opens the door to all kinds of man-in-the-middle attacks, potentially allowing your neighbor to steal your Gmail login information while sitting on his couch next door:

"The internet-connected fridge is designed to display Gmail Calendar information on its display," explained Ken Munro, a security researcher at Pen Test Partners. "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on."

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."

On the plus side, this vulnerability was found after Samsung invited hackers to try and find vulnerabilities in the system, showing some proactive thinking. On the flip side, this is the same company whose "smart" TVs were found to be happily sending living room conversation snippets unencrypted over the Internet -- so it's not always clear Samsung listens to feedback, or how many bugs and vulnerabilities go unnoticed. Regardless, the researchers' blog post has a little more detail, noting they may have also found some vulnerabilities in the app's encrypted communication stream with the refrigerator.

These endless IOT security issues may have the opposite effect of that intended: actively marketing the need for many devices to be dumber. And those dumb devices are getting harder to find. Many of the latest and greatest 4K television sets, for example, simply can't be purchased without intelligent internals that integrate functionality the user may not want. So while Wired magazine's endless 1990's obsession with intelligent refrigerators may have finally come to fruition, they may be unwitting pitchmen for how sometimes it's better for things to simply remain utterly analog -- and beautifully, simply stupid.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: gmail, privacy, security, smart fridge, smart refrigerator
Companies: samsung

43 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Howard, 25 Aug 2015 @ 3:32am

I just want a fridge
All I want my (thankfully 'dumb') Samsung fridge to do is chill whatever I put in it. Usually beer.
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 3:39am

Mmmm .. internet-connected pants .. what could possibly go wrong
[ link to this | view in chronology ]
- Zonker, 25 Aug 2015 @ 1:21pm
  
  Re:
  I have internet connected underpants. They tweet every time I toot!
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Aug 2015 @ 2:07pm
    
    Re: Re:
    Insta-RAM ?
    [ link to this | view in chronology ]
  - Anonymous Coward, 2 Sep 2015 @ 12:00pm
    
    Re: Re:
    Not many followers though right?
    [ link to this | view in chronology ]
Yes, I know I'm commenting anonymously, 25 Aug 2015 @ 4:36am

It is a Not so(TM) Smart Fridge.
[ link to this | view in chronology ]
scotts13 (profile), 25 Aug 2015 @ 4:43am

Remember the Jeep Cherokee security hack?
I work for a Chrysler dealer. Yesterday, we had training session on the Uconnect internet-enabled electronics systems in our cars. We were told "People don't buy cars these days. They buy car radios; the rest of the car is just to carry the radio around." Know what wasn't mentioned? Security - at all.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2015 @ 6:55am
  
  Re: Remember the Jeep Cherokee security hack?
  They were wrong, people don't buy radios either. They just buy licenses.
  [ link to this | view in chronology ]
- Groaker (profile), 25 Aug 2015 @ 7:39am
  
  Re: Remember the Jeep Cherokee security hack?
  The ability to hack (don't know if it was done in the wild) cars is not new. It goes back at least a decade, since the "fly by wire" brake, accelerator and other controls started to be connected by radio signals instead of wires.
  
  When I asked the salesman about it, he seemed genuinely surprised and unbelieving. Given that I was able to read him well enough to beat his price into the dirt, I believe he was telling the truth about not knowing about it.
  [ link to this | view in chronology ]
- John Fenderson (profile), 25 Aug 2015 @ 8:03am
  
  Re: Remember the Jeep Cherokee security hack?
  " We were told "People don't buy cars these days. They buy car radios"
  
  This is incredibly hard to believe. In this day and age, do people even use car radios anymore?
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Aug 2015 @ 9:03am
    
    Re: Re: Remember the Jeep Cherokee security hack?
    ...do people even use car radios anymore?...
    
    If it's got an mp3 input jack: YES.
    
    If it's got a CD player: YES.
    
    If it's got a satellite radio input and subscription: YES.
    
    If it's got bluetooth capability to port your smartphone to: YES.
    
    If it's strictly an AM/FM radio: NO.
    [ link to this | view in chronology ]
    - tqk (profile), 25 Aug 2015 @ 10:08am
      
      Re: Re: Re: Remember the Jeep Cherokee security hack?
      
      ...do people even use car radios anymore?
      
      If it's strictly an AM/FM radio: NO.
      
      Ah. I see the problem. Back in ancient times, autos came with car radios. Now, we have "onboard media entertainment interface systems" (ordinarily called a "stereo") which can also be used as replacement for those old style car radios.
      
      I was beginning to wonder why I was seeing so many lovingly restored classic cars on the roads these days, far more than I used to see.
      [ link to this | view in chronology ]
Sheogorath (profile), 25 Aug 2015 @ 5:16am

[I]t's not always clear Samsung listens to feedback, or how many bugs and vulnerabilities go disregarded.
FTFY, Karl. ;)
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2015 @ 7:46am
  
  Re:
  Partially fixed .. voice your concerns in front of your Samsung "Smart" TV
  [ link to this | view in chronology ]
  - Sheogorath (profile), 25 Aug 2015 @ 10:21am
    
    Re: Re:
    I would, but I don't have one. I've never trusted an Internet connected device I can't firewall.
    [ link to this | view in chronology ]
    - John Fenderson (profile), 26 Aug 2015 @ 6:31am
      
      Re: Re: Re:
      There's no such thing as an internet connected device you can't firewall. My firewall block them by default. I have to specifically change configuration to allow a new device to connect to the internet, and I have total control over who it gets to talk to.
      [ link to this | view in chronology ]
      - Groaker (profile), 26 Aug 2015 @ 10:28am
        
        Re: Re: Re: Re:
        You can believe that, but having had a muiltidisciplinary career, half of which was in various levels of IT, I will paraphrase a wise man: the only safe computer has had its CPU, memory and storage removed and destroyed, is buried in 50 ft of concrete, is surrounded by a moat filled with hungry sharks, and the moat is in turn surrounded by armed guards who are watched 24/7 on CATV from a hidden bunker. And even then I am not certain the computer is safe.
        
        There is only the probability of safety, never an assurance. To suggest only one hole that can not be cured by a firewall -- your router may have suffered the same fate as Ciscos.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 28 Aug 2015 @ 9:07am
        
        Re: Re: Re: Re: Re:
        Well, yes, that's all a given. "Safe" is not a binary term where you are either "safe" or "not safe". It's always somewhere on a spectrum.
        [ link to this | view in chronology ]
      - Anonymous Coward, 26 Aug 2015 @ 11:56am
        
        Re: Re: Re: Re:
        But can the devices find a neighbor's open wifi?
        [ link to this | view in chronology ]
        
        Groaker (profile), 26 Aug 2015 @ 12:50pm
        
        Re: Re: Re: Re: Re:
        Depends on whether the rogue is an equal opportunity invader, or wants something from you specifically.
        
        Before the Sony rootkit scandal, how many security minded individuals would have hesitated to put an audio CD into their computer's CD player? That insertion didn't have to go through a network firewall, but rather was walked right around it.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 28 Aug 2015 @ 9:08am
        
        Re: Re: Re: Re: Re: Re:
        "Before the Sony rootkit scandal, how many security minded individuals would have hesitated to put an audio CD into their computer's CD player?"
        
        Nobody who was security-minded would have been affected by the Sony rootkit because they would have disabled autorun years earlier.
        [ link to this | view in chronology ]
        
        Groaker (profile), 29 Aug 2015 @ 6:13am
        
        Re: Re: Re: Re: Re: Re: Re:
        Right you are. I haven't run Windows in more than a decade, and I have forgotten that. That of course is part of the security problem. Those once knowledgeable depending on their memories.
        [ link to this | view in chronology ]
        
        idk, 19 Apr 2018 @ 3:40pm
        
        idk
        idk
        [ link to this | view in chronology ]
Klaus, 25 Aug 2015 @ 5:42am

It's a problem
There'll come a day when all home appliances come equiped with discrete pan/zoom cameras, microphones, GPS, cellular chips to contact their HQ, and internal always-on UPS for the above circuitry.

I'm going to go find a nice log cabin to live in.
http://www.dailymail.co.uk/news/article-3209634/Bethany-Butze-leaves-Harvard-live-near-Manitoulin -Island-Canada.html
[ link to this | view in chronology ]
Violynne (profile), 25 Aug 2015 @ 6:45am

"You're gaining a little weight there, kid. You should work on that."
"How do you know what I weight?"

"Because I can see you, silly. Look at you. Pudgy and filled with nothing but junk food."
"It's amazing you found the time to take your eyes of Candy Crush."

"Will you two shut the hell up already! Trying to watch 'Lord of the Rings' here."

*sigh*

Sometimes, coming home isn't fun. In the olden days, it was listening to kids fighting. Now, it's my goddamn appliances giving me hell.

I'm starting to understand the rants of old people now.
[ link to this | view in chronology ]
- Oblate (profile), 25 Aug 2015 @ 7:24am
  
  Re:
  (Violynne): "Will you two shut the hell up already! Trying to watch 'Lord of the Rings' here."
  
  (Toaster): "Says the Lord of the Onion Rings..."
  
  ---
  
  In a few years we'll be hearing about Smart Scales and Smart Cars communicating, and then the car refuses to drive to fast food. Or maybe there will be a car hack that will make the car complain when overweight people get in ("Ouch!"), make grunting noises when going uphill, and ask "Ummm, we going to the gym?" at least once a day.
  
  Fun times ahead...
  [ link to this | view in chronology ]
  - Anonymous Coward, 2 May 2018 @ 5:48am
    
    Re: Re:
    Gyms will pay car companies to advertise for them.
    [ link to this | view in chronology ]
Sampson (profile), 25 Aug 2015 @ 7:18am

My Smart fridge does not phone home.
I know this for sure because it does not have a WiFi connection.
That is what makes my fridge so smart!
[ link to this | view in chronology ]
- Anonymous Coward, 2 May 2018 @ 5:49am
  
  Re: My Smart fridge does not phone home.
  Does it really not have a wifi connection? How do you know? Did you take it apart?
  [ link to this | view in chronology ]
TDR, 25 Aug 2015 @ 8:45am

Talkie Toaster?
So if things keep going the way they are, we could soon see a real-life Talkie Toaster?

"Howdy doodly-doo! Anybody want any toast?"

"No toast."

"You sure you don't want any toast?"

"I don't want any toast. No one around here wants any toast. Not tow, not ever. No toast!"

"How about muffins?"

"No muffins! We don't like muffins 'round here. No muffins, baguettes, bagels, or tea cakes! No hot cross buns and definitely no smeggin' flapjacks!"

"Ah, so you're a waffle man!"

If so, we may be looking at some cases of first-degree toastercide in the near future.
[ link to this | view in chronology ]
- Sense of Humor, 25 Aug 2015 @ 9:05am
  
  Re: Talkie Toaster?
  I love it--at least when the kids are out of the house, I will have someone [thing} to talk to
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2015 @ 9:13am

An Acronym Change Seems In Order
The Internet Of Things Might be better described as the Interactively Dynamic Internet Of Things. Thus we can hear breathlessly written PR articles on the capabilities of the IDIOT-enabled Samsung fridge. And so on.

/long way to go for a stupid joke
[ link to this | view in chronology ]
- Sheogorath (profile), 25 Aug 2015 @ 1:53pm
  
  Re: An Acronym Change Seems In Order
  /long way to go for a stupid joke
  Not really. I actually thought it was pretty clever once I finally got it (too many flamers using all caps on this site).
  [ link to this | view in chronology ]
- blue skies (profile), 26 Aug 2015 @ 4:46am
  
  Re: An Acronym Change Seems In Order
  omg I so want this acronym :D :D
  [ link to this | view in chronology ]
Andrew D. Todd, 25 Aug 2015 @ 9:29am

Logical Conclusion.
Of course, the fun really begins when the smart refrigerator is tied into PeaPod.

"Hal, where's a Coke?"

"I'm sorry, Dave, I can't let you do that. You're drinking too much Coke. I bought you some broccoli instead."
[ link to this | view in chronology ]
Uriel-238 (profile), 25 Aug 2015 @ 10:36am

What does God need with a space ship?
Why does the refrigerator need my gmail account info?

Where's Captain Kirk to ask these questions?
[ link to this | view in chronology ]
TimothyAWiseman (profile), 25 Aug 2015 @ 10:49am

I don't want most of my equipment on the Internet
There are certainly some things that benefit from being connected to the internet, but I do not need my refrigerator or most other appliances connected. It adds unnecessary complexity, and things should be kept as simple as possible.
[ link to this | view in chronology ]
Rekrul, 25 Aug 2015 @ 11:15am

Security always comes last, usually after they've created some gaping security hole by adding a feature that was never needed in the first place, all in the name of convenience.

Anyone remember Outlook Express's preview pane that would happily open any attachment it found in a message? Or the auto-run system that would automatically execute whatever instructions it found on removable media?
[ link to this | view in chronology ]
Anonymous Coward, 26 Aug 2015 @ 5:34am

Internet available in televisions, what could go wrong?
[ link to this | view in chronology ]
GEMont, 27 Aug 2015 @ 5:25pm

Is it stupid to buy smart?
Smart Appliances.

Hmmmmmm....

Smart also sorta means intelligent....

What is it that the NSA calls all that stuff they gather into haystacks for analysis in order to get the drop on whoever they deem to be the bad-guys of the week.....?

Oh yeah. Intel, or more properly, Intelligence.

Don't suppose there's any connection.....

Smart TV = Intelligence Gathering TV

No way they'd be that deviously obvious, right....

---
[ link to this | view in chronology ]
- tqk (profile), 28 Aug 2015 @ 6:04pm
  
  Re: Is it stupid to buy smart?
  Smart TV = Intelligence Gathering TV
  
  Just like the NSA's hasystack, it's wrong to call this "Intelligence Gathering." It's "*Data* Gathering." It's not *intelligence* until someone sifts *the data* for *the intelligence* contained within.
  
  It's really annoying to me this's still misunderstood.
  [ link to this | view in chronology ]
  - GEMont, 29 Aug 2015 @ 12:41am
    
    Re: Re: Is it stupid to buy smart?
    Methinks ye may be laboring under the misconception that the CIAF BIN SADOJ "holds the data in digital storage and only analyzes it when certain criteria are present and only examines the metadata surrounding the captured data and eliminates any identifying information and content immediately on all US citizen data captures..."
    
    They, um.... lied about all that.
    
    Of course they did. Its what they do best.
    
    They have an unlimited budget provided by the millions of tax payers in five countries. Like an iceberg, 99% of their operation is completely clandestine and completely unknown to the public and most officials.
    
    The daily capture is analysed by a massive tax-payer purchased array of military super-computers as it comes in, for sorting into the various areas of "action-ability".
    
    Everything that gets a rating higher than zero is re-examined by a bigger computer array and then recycled through the system and anything rated over 5 gets sorted by importance and then is examined by people, within minutes to hours of the data arrival.
    
    This is an ongoing process, which is for the most part jobbed out to hundreds of civilian companies in foreign countries, like India, which were created specifically for this purpose by 5-I. Different companies deal with different data input types - telephone, email, television, cell phone, snail mail, wireless, and soon refrigerator, toaster and Barbie Doll data....
    
    Everything gets stored on a variety of formats and is re-examined by mega-computer arrays daily to compare it to other recent and old similar data and it is all then re-evaluated according to its association with other data and then goes through the daily standard procedure for data of that classification level again. Three shifts a day, 7 days a week and its all paid for by the tax payers of the 5-I nations.
    
    At the end of each day, the gathered Intelligence is sent up the ladder for executive analysis and re-examination on home based super-computers.
    
    How do I know this?
    
    Because given the funds, that's how I'd do it. :)
    
    "It's really annoying to me this's still misunderstood."
    
    Its not misunderstood.
    
    Its misinformation.
    
    ---
    [ link to this | view in chronology ]
    - GEMont, 29 Aug 2015 @ 2:19pm
      
      Re: Re: Re: Is it stupid to buy smart?
      What people fail to realize, is that the Home Surveillance Program is the primary program, and all of the peripheral PR programs such as the TSA and the Border Watch and all the other Terrorist and Drug catching programs are pure hollywool.
      
      The only Drug Program that is real is the one that eliminates/disrupts distribution channels of any competitor drug merchants such as non-dues-paying cartels in un-invaded countries, like China.
      
      All the rest are merely associated member reminders - pay the vigorish or suffer the consequences of a military assault on one or more of your production facilities.
      
      The Border watchers have already been shown to be little more than a free wage operation for friends and family members of politicians, using computers so old they can't even play decent games.
      
      The one and true fascist program is the one that steals personal data from every computer in America, for the purposes of blackmail/extortion of civilians and businesses, theft of ideas and innovations, prevention of competition and general profiteering by the billionaires in power and behind the scenes.
      
      Their equipment is probably 20 years ahead of anything commercially available, and their bases are unknown to all but a handful of people in high places who work entirely behind the scenes and have a zero public profile as far as press and Who Is Who sources are concerned. Many are not even American. Many are Royalty.
      
      Try an experiment.
      
      Consider momentarily that you are a generally unknown private billionaire asshole with access to absolutely unlimited funds provided by the taxes of five nations and a global drug/prostitution/gambling and entertainment empire, and your goal is to completely subvert the laws of every nation on earth so that you and your billionaire friends around the world can better control the world economy like a giant business - Earth Inc..
      
      How would you go about it?
      
      If you're a little short on starting ideas, just look around you at the recent exposures of the CIAF BIN SADOJ operations, as well as those of the Snoop and Scoop agencies of the other four 5-I nations. :)
      
      Keep in mind that the general public has been trained to disregard the words of anyone who has not proven themselves reliable and smart by becoming wealthy first, so you have no fear of anyone in the non-rich general public causing you any grief that cannot be resolved as easily as one discards a used coffee cup, through the use of blackmail, character assassination and/or falsified evidence of a crime, leading to incarceration or death of any such nuisance, and that, the only people you actually fear are your fellow billionaires.
      
      ----
      [ link to this | view in chronology ]