The upside of owning a smart refrigerator, or “connecting your fridge to the Internet of Things,” is that instead of keeping track of your cold-food inventory the old-fashioned way, where you have to manually open the refrigerator door and review its contents yourself, your smart refrigerator will monitor the inventory for you by scanning barcodes and/or RFID chips. And with an online connection you can peruse the contents of your fridge when you're not even home.
The downside is that any computer-controlled device is vulnerable to malware, and any Internet connection can be hacked or broken. This includes smartphones, smart TVs, smart thermostats, smart cameras, smart baby monitors or home security systems, smart cars, and, of course, smart refrigerators.
Smart refrigerator exploit
Security researchers from Pen Test Partners speaking at the DEF CON Hacking Conference announced their discovery of a security exploit that leaves Samsung model RF28HMELBSR smart refrigerators vulnerable to man-in-the-middle attacks (which allow hackers to alter, spy on, or control data while it's traveling between the sender and receiver).
The problem, essentially, is that while the refrigerator does implement SSL (Secure Sockets Layer) to encrypt its connections, it does not validate SSL certificates, leaving most of those connections open to man-in-the-middle attacks. In the case of the Samsung RF28HMELBSR, this means that, among other things, an attacker can steal the fridge owner's Gmail credentials.
Ken Munro, a researcher at Pen Test, said that “The internet-connected fridge is designed to display Gmail Calendar information on its display. It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on.”
The problem is, “While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example.”
Pen Test offered a more technical description of how the exploit could work in a blog post titled “Hacking DEFCON 23's IOT [Internet of Things] Village Samsung Fridge.”
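As an added illustration of the class of flaw described above (example code written for this article, not code from Pen Test Partners or Samsung), the following shows a TLS client configuration that encrypts the channel but never checks who is on the other end, beside a hardened configuration, with a small audit helper that flags the weak settings. The calendar host name is a placeholder.

```python
import socket
import ssl

CALENDAR_HOST = "calendar.example.invalid"  # placeholder, not the real endpoint
CALENDAR_PORT = 443


def unvalidated_context() -> ssl.SSLContext:
    """Encrypts traffic but accepts any certificate, so a MITM with a
    forged certificate is indistinguishable from the real server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # this is the defect: no chain validation
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default context: trusted CA store, chain validation required,
    hostname checked against the certificate, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the list of weaknesses a reviewer should flag in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def fetch_peer_cert(ctx: ssl.SSLContext, host: str = CALENDAR_HOST,
                    port: int = CALENDAR_PORT) -> dict:
    """Connect as a calendar client would; with the hardened context a forged
    or mismatched certificate raises ssl.SSLCertVerificationError here
    instead of silently handing the session to the interceptor."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("fridge-style client:", audit_context(unvalidated_context()))
    print("hardened client:    ", audit_context(hardened_context()))
```

The audit runs offline; `fetch_peer_cert` needs a reachable host and is the point at which the hardened context refuses an interposed certificate.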
And the fridges might still have more security flaws waiting to be discovered. The researchers concluded their blog post by saying that they wanted to do more tests before the conference, but didn't have enough time: “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out [of] time. However, we still found some interesting bugs that definitely merit further investigation.”