
Hackers demonstrate how easy it was to swipe Gmail credentials from smart fridge

In a DEFCON hackathon, security researchers perform a MiTM

Samsung smart fridge

Eliciting interest from a wide range of security experts, the annual DEFCON hacking convention is one of the world’s principal sources of cutting-edge security research. Amongst the number of security loopholes and bypass techniques presented this year, one of the most impactful revealed that users’ Gmail credentials can be swiped from an Internet-connected Samsung fridge, demonstrating just how insecure the early IoT really is.

Security firm Pen Test Partners performed a man-in-the-middle (MiTM) attack against an RF28HMELBSR smart fridge during an IoT hacking challenge. The fridge is part of Samsung’s line of remotely controlled Smart Home appliances, all of which are controlled using a Smart Home app. The fridge is also designed to download and display Gmail Calendar information on its LCD display, and although it implements SSL, its failure to validate SSL certificates permitted hackers to install fake firmware updates with malicious code that intercepts the connection between Google’s servers and the unit.

“The internet-connected fridge is designed to display Gmail Calendar information on its display,” explained Ken Munro, one of the security researchers at Pen Test. “It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on.”

“While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example.”
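The flaw described above is a TLS client that encrypts traffic but never validates the server's certificate. As an added illustration (not code from the fridge, Samsung, or Pen Test Partners), the following Python example sets a client configuration of that kind beside a validating one and audits both before any connection is made; the function names and the host `calendar.example` are hypothetical.

```python
import socket
import ssl


def insecure_context():
    """Client context that encrypts but accepts any certificate (the flaw class)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_context():
    """Client context that validates the chain and the hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True
    # and loads the system trust store.
    return ssl.create_default_context()


def audit_context(ctx):
    """Return a list of validation weaknesses found in an SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def open_calendar_connection(host, ctx, port=443, timeout=5.0):
    """Connect only if the context passes the audit (hypothetical helper).

    With a passing context, a certificate that does not chain to a trusted
    root or does not match `host` makes wrap_socket() raise
    ssl.SSLCertVerificationError instead of completing the handshake.
    """
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing TLS connection: " + "; ".join(problems))
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```
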

There was one exception to the MiTM exploit: it could not intercept the communications between the fridge terminal and its update server, nor could the team procure a unit for further testing, as the model is not yet available in the UK, where they are based. They did, however, discover a potential security flaw while digging through the mobile app: a file found within the keystore of the app’s code contained the certificate used to encrypt and authenticate the traffic between the fridge and app. The team has found what it believes to be the certificate key hidden within the client-side code, but has not made the time to reverse engineer it yet.

Pedro Venda, one of the Pen Test Partners researchers, added: “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds.”

Source: TheRegister
