Pierluigi Paganini
August 25, 2015
Once again Internet of Things raises security concerns, this time security researchers have discovered a way to steal users’ Gmail credentials from a Samsung smart fridge.
At the recent DEF CON hacking conference, they presented a way to run a MiTM (man-in-the-middle) attack to steal the precious credentials. The experts hacked the RF28HMELBSR smart fridge manufactured by Samsung, the device is one of the Smart Home appliances commercialized by the company.
“The internet-connected fridge is designed to display Gmail Calendar information on its display,” explained Ken Munro, a security researcher at Pen Test Partners. “It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on.”
“While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example.”
The smart fridge can be controlled via their Smart Home app, unfortunately, the mobile application despite implements SSL, it fails to validate SSL certificates, allowing attackers to run man-in-the-middle attacks.
This kind of attacks is becoming even more common, recently we have discussed the Ownstar attack proposed by Samy Kamkar against connected cars, also in this case a number of mobile apps failed to validate the SSL certificate.
The Samsung smart fridge is designed to download Gmail Calendar information, this means that it uses the Gmail credentials to retrieve the information. A hacker who is able to access the same network of the Samsung smart fridge can potentially steal Google login credentials.
The experts from Pen Test Partners detailed the various phases of their penetration testing in a blog post.
In one of the attempts, the security experts tried to serve a bogus update to the Samsung smart fridge, but there were too many parameters to uncover for their tests.
“We also looked at the possibility of faking a firmware update to compromise the unit via malicious custom update. We found the URL scheme to download the file, but we still need to find out a number of parameters to complete the URL. These are not secret things, just difficult to guess, like a code name for the model of the device, likely a serial number, etc.” states the post.
During the tests, the experts have found in a keystore in the mobile app’s a code that suggested them it contained the digital certificate used to establish a secure communication between the mobile app and Samsung Smart fridge.
The certificate is password protected, but the experts noticed the credentials are stored in the mobile app in an obfuscated form.
The expert then focused their efforts to guess the password and use the certificate to authenticate to the fridge and control it over the network.
“We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds.” added the Pen Test Partners Pedro Venda.
The experts Pen Test Partners are not new to this kind of tests, early this year they discovered that Samsung’s smart TVs send unencrypted voice recognition data and text information across the Internet without encrypting it and allowing hackers to capture them.
Samsung has confirmed that is investigating on the matter, the security of its customers is essential for the success of its products.
(Security Affairs – Samsung Smart Fridge, MiTM attacks)
