|(PC- google images)|
A recent update by a team of security researchers have identified potential threat to gmail credentials via the Samsung Smart Fridge.
A ‘Man in The Middle’ (MiTM) vulnerability was discovered during an IoT(Internet of Things) hacking challenge in a recent DEF CON conference. Samsung’s RF28HMELBSR smart fridge was targeted for the confirmation of the potential credential breach to gmail accounts. The fridge implemented SSL, it faces trouble in validating SSL certificates thus giving rise to MiTM vulnerabilities.
The Internet connected device has the ability to automatically download the Google calendar to an on-screen interface and the MiTM vulnerability facilitates the hacker to jump into the same network and steal gmail credentials of its neighbours.
Ken Munro, a security researcher at Pen Test Partners stated that "The internet-connected fridge is designed to display Gmail Calendar information on its display," and thus "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on" he added.
"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."
While the research team failed to breach the software update server and the fridge terminal at DEF CON hacking spree, the mobile app had shown glitches that have potential security problems.
|(pc- google images)|
The coding in the mobile app contains a certificate that enables the encryption of credentials between the fridge and the mobile app. The certificate is correctly passworded, but the credential to the certificate appeared to be stored in the mobile app in an obfuscated form. So, if the codes of the certificates are broken down, it will allow the hacker to send commands to the fridge.
Pedro Venda of Pen Test Partners remarked “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds."
This fiasco has created a tensed atmosphere in the Samsung Headquarters. In an open statement, the company ensured that "At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”