Samsung smart fridge leaves Gmail logins open to attack

Security researchers have discovered a potential way to steal users’ Gmail credentials from a Samsung smart fridge. Pen Test Partners discovered the MiTM (man-in-the-middle) vulnerability that facilitated the exploit during an IoT hacking challenge at the recent DEF CON hacking conference. The hack was pulled off against the …

  1. Andy Non
    Facepalm

    IoT crazy

    Is it just me, or does it seem plain crazy to link home appliances to the internet? Why the hell would I want remote control access for my fridge? Seems like the implementation of technology and gadgets for their own sake, which then bring other risks.

    1. Pascal Monett Silver badge

      IoT at the moment is just a collection of "you can do this now !" ad-hoc non-features, like lightbulbs with speakers. The issue being, of course, that makers are desperate to have something they can show as a selling point, whereas security is not easily visible and is expensive to implement properly, so it falls by the wayside.

      Even here, where the maker thought of using SSL (good show), they failed to secure the chain of information completely, thereby leaving a hole.

      Since IoT is absolutely useless at the moment, and anything "smart" is by definition something that phones your private life to the mothership, I am staying well away from all this hoopla for the foreseeable future.

      1. Teiwaz Silver badge
        FAIL

        A bright future for IOT?

        "IoT at the moment is just a collection of "you can do this now !" ad-hoc non-features, like lightbulbs with speakers. The issue being, of course, that makers are desperate to have something they can show as a selling point"

        It's as if manufacturers polled the general non-IT population for ideas (on the street - just after closing time).

        "Our survey said..."

        Fridge - Toaster - Lightbulb

        1. BongoJoe

          Re: A bright future for IOT?

          I can't wait for the bath tub soap holding pop-up toaster to start culling the herd...

      2. Simon Harris Silver badge

        Reminds me of the fad that started in the 1980s when everything (pens, keyrings, everything) had to include a digital clock, just because they could.

        1. Teiwaz Silver badge
          Headmaster

          Internet is the new digital clock (or calculator)

          @ Simon Harris

          Damn good point. I used to have a ruler with a digital clock (or was it a calculator?). I might have had a keyring too. Very handy at school for watching your youth tick away in another interminable lesson.

          1. Andy Non
            Facepalm

            Re: Internet is the new digital clock (or calculator)

            The last digital telephone answering machine I bought had a digital clock. It used to flash away merrily insisting the date and time was set. BUT it never time stamped any incoming messages. For that it was necessary to pay a monthly fee to the telephone company. Doh. So what flaming use was the digital clock then?

        2. GrumpenKraut Silver badge

          Today's version is "everything includes LEDs".

          1. Doctor Syntax Silver badge

            everything includes blue LEDs

            FTFY.

          2. This post has been deleted by its author

        3. This post has been deleted by its author

        4. Anonymous Coward
          Anonymous Coward

          And the "Let's fit a bright blue LED to everything"

          and inside the Kettle as well!

          Which doesn't seem to show any signs of going away.

      3. Anonymous Coward
        Anonymous Coward

        @Pascal Monett

        "Since IoT is absolutely useless at the moment, and anything 'smart' is by definition 'dumb'..."

        FTFY.

      4. John Brown (no body) Silver badge

        "and anything "smart" is by definition something that phones your private life to the mothership"

        Yeah, my VM Tivo box does that, but with the phone app that lets me set, change or cancel a recording when I'm out and about with friends and someone tells me about a show I might want to watch, it becomes an instantly useful IoT device for me. YMMV of course.

        Having said that, my wife in particular is prone to switching off the TV and NOT the Tivo box, so it's probably reporting back on all sorts of programmes that we never saw. Unless it's "smart" enough to not report back when the TV is off (HDMI should allow the Tivo to know if the TV is off or otherwise not displaying the Tivo output).

    2. Anonymous Coward
      Joke

      Re: IoT crazy

      Why the hell would I want remote control access for my fridge?

      When I first visited Akihabara in 1983 and saw toasters with built-in FM radios I too thought why would I want that? 30+ years later I don't know how I'd get by without my combined torch-iron-juicer with wi-fi.

      1. Measurer

        Re: IoT crazy

        The man from Del-Monte may have found that useful.

    3. Anonymous Coward
      Anonymous Coward

      Re: IoT crazy

      Why the hell would I want remote control access for my fridge?

      That is what happens when you ask a marketing droid for something "cool".

      1. Robert Helpmann?? Silver badge
        Childcatcher

        Re: IoT crazy

        Why the hell would I want remote control access for my fridge?

        Because of the "Bring Me Beer" button!

        1. Simon Harris Silver badge
          Pint

          Re: IoT crazy

          "Because of the "Bring Me Beer" button!"

          Like this maybe?

          But with better beer.

    4. Anonymous Coward
      Anonymous Coward

      Re: IoT crazy

      Smart toilet would be a winner, you could link the flush button to the "Empty trashcan" feature in your OS.

      1. Chairo

        Re: IoT crazy

        I’m afraid that already exists. Toto's Washlet remoteW app. Unfortunately only available in the Japanese App store. I wonder why?

        Anyway - guess you can change the rinsing water temperature, strength, position and focus, choose a nice background music, turn on the perfumer, the dryer, control the lid/lid temperature and cover and whatever else + of course flush the toilet.

        This is all very standard for Japanese toilets nowadays. The new thing is that you can use your smartphone instead of an IR remote control. So not such a big leap ahead, really.

        Btw: these toilets obviously don't work if there is no power, which can be a problem after a major earthquake. Shit happens.

        1. mhoulden
          Holmes

          Re: IoT crazy

          Background music to play on the toilet sounds like one of the rounds on I'm Sorry I Haven't A Clue. If it starts playing Golden Brown or Raining Blood it might be an idea to see a doctor.

          1. Simon Harris Silver badge

            Re: IoT crazy @ mhoulden

            My choice would be The Dambusters' March...

            or after a particularly hot curry, OMD's Enola Gay.

            1. Simon Harris Silver badge

              Re: IoT crazy @ mhoulden

              Oops - my second choice might be a bit bad taste for a Japanese singing toilet.

              Johnny Cash's Ring of Fire might be suitable in such a situation.

          2. Captain Queeg

            Re: IoT crazy

            Ok, I'll bite :-D

            Anything by The Skids or maybe Stand by your pan?

      2. Measurer

        Re: IoT crazy

        Ooohhh.... Windows calls it the 'Recycle Bin'. Never do a restore!

    5. Anonymous John

      Re: IoT crazy

      Five years from now, when your fridge runs out of something, it will be able to reorder and send your self-drive car to the supermarket to collect.

      1. Elmer Phud

        Re: IoT crazy

        Nah, the fridge will have an argument with the freezer as the freezer has stuff that could be transferred to the fridge. The overall Menu Planner says it wants something else from the freezer, not the fridge.

        There has been a query from elsewhere as to whether any meal may induce the need for more toilet paper.

        The cupboards are keeping quiet -- this is a white on white goods thing.

        The car is sulking as it's just a glorified shopping trolley.

        Progress.

      2. Teiwaz Silver badge

        Re: IoT crazy

        "Five years from now, when your fridge runs out of something, it will be able to reorder and send your self-drive car to the supermarket to collect."

        Great, then you end up with a huge pile of sour milk cartons in the back of the car as the car and fridge have no way of transferring said order, and the fridge repeats the order for a couple of days running.

      3. Madge
        Happy

        Re: IoT crazy

        A world I find terrifying but... I do love the idea of being able to scan things to an on line supermarket of your choice till you have enough to hit the order button. Then the nice man brings it into your kitchen a few hours later. But not if I'm getting the Home network hacked.

    6. TitterYeNot
      Coat

      Re: IoT crazy

      "Is it just me, or does it seem plain crazy to link home appliances to the internet?"

      They're the perfect foil for the internet bitTorrent honeypot. When I was accused of torrenting 'Womb Raider', 'Good Will Humping' and 'Shaving Ryan’s Privates' by some scummy law firm because they'd logged my public IP address, I simply replied that unfortunately my 'smart' fridge is a dirty little bastard who is now banned from the internet for a month as punishment, and here's its email address if they want to contact it to take further legal action...

      1. Simon Harris Silver badge

        Re: IoT crazy @ TitterYeNot.

        After those movie titles, I was sure I'd read that they'd logged your pubic IP address.

  2. PNGuinn
    Mushroom

    re Why?

    WHY indeed.

    Patent suggestion: a fridge door manufactured from a new-fangled material called steel which appears to have strange properties in that it attracts certain high-tech devices called magnets.

    Couple this with a thin biodegradable piece of processed dead tree between the above items and an old dying skill called handwriting.....

    Ok - this is a blindingly stupid fail on Sammy's part - equivalent to popping a large print note of sensitive info on the fridge door next to a window fronting on a busy street multiplied by every busy street in the locality. A developer really needs to get taken behind the bike sheds and given a long basic lesson in security with a rather hard rubber hose.

    I do however suggest that <<<anything>>> as daft as mass "connected appliances" is a long series of security disasters queued up to happen.

    Just NO, not on my patch.

    1. Elmer Phud
      Coat

      Re: re Why?

      You could make a fortune selling them things.

      Wipe the opposition off the market -- yes, a fridge magnate!

      1. Evil Graham

        Re: re Why?

        Actually he'd be a fridge magnet magnate.

  3. Teiwaz Silver badge
    Meh

    Not much 'ice' to crack there then.

    I don't see the point of any of the 'smart' anything put out so far.

    Buy a device that has an element to its construction that may require constant updating only through a company who have every reason not to be bothered with the expense if they can get away with it?

    IOT me arse, when have you ever had to worry about the fridge doing or not doing something if you are likely to be late home this evening? What's next, Ovens? Just what every householder needs, a remotely activated potential incendiary device.

    If you really wanted your calendar on a screen on the door of your fridge, get a mount for a tablet. These at least have a slightly higher chance of getting a S/W update once in a while.

    1. heyrick Silver badge

      Re: Not much 'ice' to crack there then.

      "These at least have a slightly higher chance of getting a S/W update once in a while."

      Why don't we start a push to try to get the world to reject IoT devices where the (entire) firmware isn't open source? Might sound crazy, but try reminding people how often their mobile phone gets updated and ask if they are happy spending £££ for a smart fridge that will likely be forgotten in short order? We're used to changing phones often because the technology improves rapidly, but do people really think they'll change their fridge every other year?

      Plus you are stuck relying upon GMail's login continuing to work. How many older Youtube enabled devices no longer work correctly (or at all?) because Google periodically alters the API?

      This is when the tech press needs to step up and say "either commit to support the device for its reasonable lifetime (about a decade minimum for a fridge) or open source the firmware - anything less, it is garbage no matter how shiny".

      1. John Brown (no body) Silver badge

        Re: Not much 'ice' to crack there then.

        "We're used to changing phones often because the technology improves rapidly, but do people really think they'll change their fridge every other year?"

        The muttering has already started as early adopters of "smart" TVs now find that half of the apps no longer work. I'm even hearing this from non-IT people, ie average users, whinging about their "new" (ie 2 year old) smart TV gradually losing functionality. People expect a bare minimum of 5 years from big electrics, probably more like 10-15 years.

    2. John Brown (no body) Silver badge
      Facepalm

      Re: a remotely activated potential incendiary device.

      Closely followed by EU legislation on maximum temperature setting both to protect us from ourselves and to minimise power consumption.

  4. Anonymous Coward
    Anonymous Coward

    But... everything should be connected 24/7

    all your devices and appliances connected to the internet all the time

    All your data in the Cloud (just so the spooks can get at it without kicking your door down)

    Didn't you get the message that the marketing people have been spouting forth these past two years?

    not connected to the Hive? Then you have something to hide don't you????

    1. Teiwaz Silver badge
      Black Helicopters

      Re: But... everything should be connected 24/7

      "All your data in the Cloud (just so the spooks can get at it without kicking your door down)"

      But the security services like kicking people's doors down - it's the new black or something (come to think of it, then they just shoot). The new mandate has changed from 'keep the population safe' to 'keep the population safely locked away'.

  5. Scott Broukell
    Meh

    I have patented a similar, though more secure, system for my larder, I calls it the Internet of Tins.

    1. VinceH Silver badge

      I was thinking of connected Christmas Tree decorations. The Internet of Tinsel.

  6. Tom7

    Oh, come on!

    This is BORING! Can we have an interesting security vulnerability now, please? Who on earth looked at this and thought, "Oh, we don't need to verify server certificates! It's not like the rest of the world does it!"

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh, come on!

      AFAIK, the Python HTTP library shipped with Debian 7 still doesn't verify certificates today. It was only added in version 2.7.9, and Wheezy still uses 2.7.3.

      Due to the complexity involved, and the need to obtain a cert from a valid CA, far too many implementations used certificates for encryption only, and not authentication.

      So, the 'rest of the world' often doesn't do it....

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh, come on!

        "AFAIK, the Python HTTP library shipped with Debian 7 still doesn't verify certificates today. It was only added in version 2.7.9, and Wheezy still uses 2.7.3."

        So that would be the "Monty Python HTTP library"...

        1. Steve Davies 3 Silver badge
          Coat

          Re: Oh, come on!

          Would that be the "Monty Python HTTP Library" that keeps on emitting SPAM?

          Coat - with a tin of the stuff in the pocket for emergencies like when the Fridge SSL cert expires and Tesco's won't accept your order.

  7. Ole Juul

    My fridge is my friend

    I've got a 1950's ROY that just keeps on chugging along doing what he does best - keep my food from rotting and my ice cream from melting. Roy doesn't have any allegiances outside of the house. He answers to me alone. I trust Roy.

  8. Tromos
    Joke

    I was in the middle of a game of Crysis on my fridge. I was doing rather well until everything froze.

    1. Adam 1 Silver badge

      Icy what you did there.

  9. Anonymous Coward
    Anonymous Coward

    This would never happen, ain't no man getting between me and my fridge.

  10. Aoyagi Aichou
    Flame

    The things people buy...

    I just don't get it. Smart fridge? Smart TV? Smart clock? What the bloody hell for? Why do people keep buying this rubbish?

    1. Anonymous Coward
      Anonymous Coward

      Re: The things people buy...

      because they are gullible / trying to be hip / both.

      1. Aoyagi Aichou

        Re: The things people buy...

        Can we cure them? Please?

        *sigh*

        1. Teiwaz Silver badge
          Holmes

          Re: The things people buy...

          "Can we cure them? Please?

          *sigh*"

          It's probably incurable unfortunately

          - Or to be more accurate, would require people to learn or think, and most people are vehemently opposed to having to do either.

          1. This post has been deleted by its author

          2. VinceH Silver badge

            Re: The things people buy...

            "It's probably incurable unfortunately"

            Euthanasia?

      2. Anonymous Coward
        Anonymous Coward

        Re: The things people buy...

        I can see a viable discussion for Smart TVs. At least on some level (having access to Netflix, Amazon, Hulu, <enter streaming service here>, etc...), simply, that not everyone has an additional device connected with the capability to access said services. I just don't get it for everything else. Smart Fridge? Toaster? Microwave? Oven? Whatever for?

        I'm not overly concerned with a Smart TV's access to what I'm viewing... the television providers already have and use that (with no way to avoid it). My only concern there comes when they become too "smart" (no thanks on camera or microphone additions... I'm looking at you Samsung)

    2. Fred Flintstone Gold badge

      Re: The things people buy...

      Smart fridge? Smart TV? Smart clock? What the bloody hell for?

      I suspect it's for people who are not as smart as their appliances.

  11. JP19

    I thought...

    Internet connected fridges were only a joke and didn't exist.

    Seems I was half wrong.

  12. Mystic Megabyte Silver badge
    Happy

    Gmail has a calendar?

    I'll put that in my diary.

    1. Anonymous Coward
      Anonymous Coward

      Re: Gmail has a calendar?

      I'll put that in my diary.

      .. at which point the dyslexic amongst us have gone full circle, to the fridge

      :)

    2. Ivan Headache

      Re: Gmail has a calendar?

      I'll put it in my dairy.

  13. Jason Bloomberg Silver badge
    Stop

    But...

    People have been using O2 Jogglers in their kitchen and on top of their fridges for ages as information and calendar displays and I imagine there are some people who have smart phones 'glued' to kitchen cabinets and elsewhere to do the same and similar.

    If people want to do that, or manufacturers want to jump on that bandwagon and sell them what they think is 'even better', I don't see the problem with that. In fact it's one of the few areas where I see "smart" and "IoT" making sense, though I'd say it is not so much either as simply "connected".

    As for criticising the "smart clock" I don't see any real difference between a clock which pulls the time from the airwaves or the internet or why one needs to disparage such a thing. Perhaps some people cannot see the advantage of a clock which adjusts its time to day of week, whether it's a weekday, weekend or holiday, and requires no adjustment as summer time starts and ends but I can. But no one has to have one if they don't want that.

    Yes, there are security, hacking and privacy issues, but they are the same whether the connected device is in, on, or on top of the fridge or elsewhere.

    I really don't think it's worth getting into a Luddite-like tizzy simply because one cannot personally see the use or benefit of such things.

    1. Elmer Phud

      Re: But...

      Most of the posts have not been anything like a luddite tizzy.

      You may have mistaken 'taking the piss' for something else.

    2. Teiwaz Silver badge
      Mushroom

      Re: But... I like luddite tizzys

      I would argue knowledgeable IT people are the modern Luddites - to a certain extent. They generally know when to apply IT as a solution to a problem and when it is not required to solve the problem or excessive, even downright unhelpful.

      Of 'Smart' clocks I've not seen that much criticism in this thread; a clock that does not need adjusting does sound potentially useful (although maybe not for me, I often trip on the lead for my alarm clock, kick it across the floor or in some way disconnect it from the mains on my bleary way to the bathroom in the morning - a 'smart clock' with no power is the same as a 'dumb' clock with no power in this case). There are other ways to get a clock to set the time other than running it off the Wi-Fi and having it potentially connected to everything else on the planet.

      Manufacturers are, however, generally unwilling to leave the device's functionality at merely slightly more efficient, which is the main problem with 'Smart' devices. I could predict calendar integration - so your alarm would know when you had to get up every day - and this is where it all starts to go wrong.

      In my opinion 'Smart' devices should be nothing more than an appliance with a control port into which it is possible to plug an optional network connected to a control box. We kinda have that already with the Google TV dongles. Something you can cheaply throw away without the use of a heavy lifting mechanism when the manufacturer inevitably gets bored of supplying S/W updates to kit after three or so years.

      1. Anonymous Coward
        Anonymous Coward

        Re: But... I like luddite tizzys

        I've got a battery-powered Travel clock radio. It runs on AA batteries - 1 for the clock, 2 for the radio, but I don't use the radio; so, 1 AA battery, which also powers the loud alarm beeper.

        I've had it about 15 years - but it's more like 20 years old. The battery lasts at least 3 years. It keeps excellent time.

        Actually, now that I think about it, it's possibly one of the greatest pieces of kit in the history of technology!

  14. Androgynous Cupboard Silver badge

    One silver lining from this one

    The hacking contest was sponsored by Samsung - this is definitely progress.

  15. Dan 55 Silver badge

    Academic anyway

    I give it three years before Google changes the calendar API and Samsung doesn't update the fridge.

  16. jake Silver badge

    Am I the only one ...

    ... who has noticed that anything labeled "smart" is targeted at people who have absolutely zero idea how the technology works, and thus are the most vulnerable?

    1. Anonymous Coward
      Anonymous Coward

      Re: Am I the only one ...

      Surely that's to be expected, or is it self-selective? - I would imagine that people most often buy things in the hope of acquiring what it is they perceive the item provides (the very point?) and hence why marketeers aim it at that demographic. Thus, idiots buy 'smart' devices and the un-stylish buy the items perceived as stylish. Put differently, practically all marketing is about driving demand for people's needs/desires, not what they "already have".

  17. Ken Moorhouse Silver badge

    Chilling Revelations

    When is Disney going to do a new Fantasia, inspired by the IoT?

    https://youtu.be/cWZJcKM8pO0

  18. Pete4000uk

    I needed a laugh

    Made my day

  19. DerekCurrie Bronze badge
    Facepalm

    Entirely PREDICTABLE!

    We knew the IoT was a security leak infested mess over a year ago. SURPRISE! The IoT really really really is a mess of security holes.

    NOT ready for prime time. Shame on you Samsung and all the other upcoming IoT security hole vendors yet to be revealed. You made the IoT dangerous. Good gawd, how predictable. (o_0)

  20. Captain DaFt

    Ahem

    "Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”

    BULLSHIT!!

    If that was true, they'd have done the proper testing to ensure glaring mistakes like this weren't in the product before it went to market.

    The real message is: "Protecting our profit is our top priority, and we work hard every day to safeguard our valued Samsung brand. So, here's some feelgood bullshit to placate our consumers.”

  21. Yugguy

    A noticeboard

    We have a noticeboard in the kitchen. When anyone notices something getting low in the fridge, or indeed the grocery cupboard, or the bread bin, or the cleaning stuff cupboard or indeed any other kitchen area, we write it on there. When we do the shopping list at the end of the week we transfer the contents of the noticeboard to it.

    In the last year this has cost us, ooh feck all, as I get the marker pens from work.

    And you can't hack a plastic whiteboard.

    Online grocery shopping? AWESOME - saves us loads of time.

    Smart fridge? Smart cupboards? Get bent.

  22. MarkW99

    Why would anyone want to hack a fridge?

Biting the hand that feeds IT © 1998–2019