It has been widely reported online this week is that Samsung’s connected fridge allows malicious people to steal a consumer’s Gmail login credentials provided they can get on the user’s Wi-Fi network.
The exploit, known as a man-in-the-middle attack, is made possible because the Samsung smart fridge lets people link their Gmail calendars to a screen in the fridge’s door so they can see their day’s events.
It’s a handy feature, except when a person logs in, the fridge says it provides SSL encryption, but fails to actually verify that the server on the Google end has the right certificate to actually get the encrypted data. It just hands it over.
The vulnerability was discovered during a hackathon at the Defcon event earlier last month and covered by The Register Monday morning. Pen Test Partners discovered the weakness and blogged about both the vulnerability and how it systematically tried to attack the fridge.
Samsung and LG among others have come under fire for poor security of their connected products before and it leaves doubts about other connected devices.
Samsung has contacted The Register to say that they were looking into the matter: “At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.”