
$3599 is a lot of money.

It could get you a decent second-hand car, or a relatively tricked out iMac. You could buy 3599 McChicken burgers, or 2589 McDoubles. Or it could get you the Samsung RF28HMELBSR.

This (snappily-named) fridge has everything. It’s got four doors, a colossal 28 cubic foot of space, and an integrated, 8” WiFi-enabled LCD touchscreen display that allows you to do anything from read the news, to remotely control your Android smartphone.

If it sounds familiar, it’s because it was once featured on my list of the dumbest Smart Home products ever (Tweeting Fridges and Web Controlled Rice Cookers: 9 of the Stupidest Smart Home Appliances). And did I mention it ships with a massive, gaping security vulnerability?

Smart Fridge, Stupid Mistake

Yes, for all of its sophistication, this fridge shipped with a significant security flaw that could potentially see an attacker surreptitiously harvest Gmail login credentials.


The vulnerability was first reported by The Register on August 24th. It was discovered by UK-based infosec firm Pen Test Partners while participating in an Internet of Things (IoT) hacking challenge at the recent Defcon 23 conference.

The built-in touchscreen on this fridge allows the user to access their own Google Calendar. Connections to and from Google’s servers are encrypted using SSL, but Samsung’s implementation of SSL doesn’t check the validity of the server certificate it is presented with, so it will accept any certificate at all.

RF28HMELBSR

This presents a serious security problem, since anyone on the same network would be able to launch a man-in-the-middle attack and intercept the user’s login credentials in transit. An attacker could also get into that position by spoofing an access point, or through a wireless deauthentication attack.
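To make the failure concrete, here is an added illustration (not code from Samsung, nor from Pen Test Partners’ write-up): a small Go program that starts a TLS server on loopback with a self-signed certificate that no trusted authority issued, which is exactly what an interceptor on the local network would present, and then connects to it three ways. The first client has verification switched off, as the fridge effectively did; the second uses the default verification; the third pins the one certificate it expects as its only trust anchor. The hostname calendar.example, the key and the certificate are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed stand-in for the calendar endpoint the client talks to.
const serverName = "calendar.example"

// newSelfSignedCert builds a throwaway certificate that no trusted CA has signed. It stands
// in for the certificate an interceptor on the local network would present to the client.
func newSelfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startServer listens on loopback presenting cert and runs one handshake per connection.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // errors when the client rejects our certificate
				}
			}(c)
		}
	}()
	return ln, nil
}

// handshakeAccepted reports whether a client using cfg completes a TLS handshake with addr.
func handshakeAccepted(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// RunScenarios connects to the untrusted server with three client configurations and
// reports which of them accept its certificate.
func RunScenarios() (map[string]bool, error) {
	cert, pool, err := newSelfSignedCert(serverName)
	if err != nil {
		return nil, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	return map[string]bool{
		// The fridge's mistake: verification disabled, so an interceptor's certificate is
		// accepted and the credentials go to whoever answered.
		"no-verification": handshakeAccepted(addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true}),
		// Default behaviour: the certificate chains to no trusted root, so the handshake aborts.
		"default-verification": handshakeAccepted(addr, &tls.Config{ServerName: serverName}),
		// Pinning the expected certificate as the only trust anchor: only that one is accepted.
		"pinned-root": handshakeAccepted(addr, &tls.Config{ServerName: serverName, RootCAs: pool}),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-22s accepted=%v\n", name, ok)
	}
}
```

The only difference between the first and second client is the InsecureSkipVerify flag; that one setting is the gap between a channel that is merely encrypted and one that is encrypted to the party you intended. The third client shows the stricter option a vendor controlling both ends can use: ship the trust anchor with the device rather than trusting every root in the system store.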

Samsung have said they’re “investigating into this matter as quickly as possible”, and are presumably working flat out to issue a fix. But this episode does present an interesting demonstration of how badly security can go wrong on the Internet of Things.

(In)Security In A Networked World Of Things

In the past, we’ve talked extensively about the risks posed by the Internet of Things, both from a privacy perspective (Why The Internet of Things Is The Biggest Security Nightmare) and from a security and sociological perspective (7 Reasons Why The Internet of Things Should Scare You). Addressing them is difficult, because when it comes to securing the Internet of Things, we encounter a few problems.

Firstly, these devices are not like PCs or phones, which are uniformly easy to update (Windows 10 will even install updates on your behalf) and whose vendors stay involved and regularly release software and security updates. Many smart home products do not update over the air, either requiring you to use complicated or unreliable software packages or removable storage, or simply not allowing you to update the firmware at all.

How do you, for example, update an interconnected coffee pot, or a computerized thermostat? There’s no easy, universal way of doing that.

It’s also important to address the fact that many of these devices are now built by regular folks in their own homes. Arduino and Raspberry Pi have allowed us to introduce network connectivity and computerized logic into places we’ve never thought possible, while products like Microsoft’s Windows 10 for IoT have made it easier to expose these devices to the wider Internet, simultaneously opening up a world of opportunity and of risk.

samsung-experimentationkit

While many seasoned developers know how to build these devices in a way that’s secure, far too many novice and hobbyist developers do not.

Then we get on to the problem of longevity. Again, this is a problem that’s uniquely endemic to the Smart Home world. Because while your PC and phone run software that’s been built by companies with long histories and deep pockets, most of your Smart Home devices do not.

The overwhelming majority of these companies are early- to late-stage startups, and many of them are at a tentative point in their development. If they shut down, what happens to the products they’ve already shipped? Who will write software updates and security patches?

As we’ve written about in the past, hardware startups are hard (Why Hardware Startups Are Hard: Bringing the ErgoDox to Life). Already this year, we’ve seen significant layoffs at Leeo and Wink – two of the largest Smart Home startups. Many more – like Lumos – have failed to get off the ground entirely.

But perhaps the biggest and most enduring threat to Smart Home and Internet of Things security is simply that these devices are built to last longer than their manufacturers would prefer. Embedded systems and Smart Home products can work, quite happily, for years and years, and many of them are not tied to a subscription service.

Are we to expect Nest and Philips to offer updates for as long as Microsoft supported Windows XP (What The Windows XPocalypse Means For You)?

Out Of The LAN, Into The Fire

These security issues are significantly exacerbated by the fact that many of these devices are connected to the wider Internet and remotely accessible, thereby introducing a smorgasbord of security concerns.

Because when you connect something to the Internet, you then introduce a new attack vector to whoever is so motivated. Instead of having to connect to your home network, someone could simply remotely compromise it.

It’s easier than you think, too. There’s even a search engine for embedded systems, called Shodan. With just a few keystrokes, you can find systems that have been exposed to the Internet worldwide – from power plants in Japan, to webcams in Holland, and VoIP phones in New York.

samsung-shodan-iot

Simply searching for “Web Cam” exposes thousands of remotely accessible webcams. I didn’t access any, however, as that would almost certainly result in me breaking the Computer Misuse Act 1990 (The Computer Misuse Act: The Law That Criminalizes Hacking In The UK).

samsung-shodan-webcam

It’s scary. We’ve started to introduce our homes to the Internet, and it’s trivially easy to find them, and to launch targeted attacks on them. We should be concerned.

So What Can Be Done?

Security flaws, like the one found in Samsung’s Android refrigerator, will always be there. As long as it’s easy for vendors to issue fixes, and they’re constantly being updated throughout the lifetime of the devices, that’s not too much of a problem.

But it’s important we address the other issues. Efforts need to be made to ensure the developers of Smart Home and IoT products know how to develop secure systems. This could be accomplished by greater outreach with the security community.

There are a number of precedents for this. The OWASP (Open Web Application Security Project) project is one that springs immediately to mind. Launched in 2004, it has produced freely available educational material that teaches developers how to build secure websites, and hackers how to properly test the security of web applications.

owasp-presentation

There’s no reason something similar couldn’t be created for the smart home world, and for Internet of Things developers.

Moreover, we need to ensure that Smart Home systems are updated and maintained, even if the vendors fold. This could be done by mandating that everyone place their code into a source code escrow, from which the code is released if the company files for bankruptcy, or otherwise fails to maintain the software satisfactorily.

And as consumers, we should start to demand more from vendors. We should demand that the devices we purchase are supported with security patches for the lifetime of the product. We should expect that any security issues are resolved quickly and decisively. We should expect that vendors treat security threats with absolute transparency. And we shouldn’t patronize vendors who fail to meet that meager standard.

These are all relatively small changes, but there’s no reason to think they wouldn’t result in more secure Smart Home devices. But what do you think?

If you’ve got any thoughts, or have any horror stories of IoT insecurity, I want to hear about them. Let me know in the comments below, and we’ll chat.

Photo Credits: Arduino Experimentation Kit (Oomlout), IMG_5145 (JWalsh)

  1. fcd76218
    August 31, 2015 at 3:20 pm

    "a colossal 28 cubic foot of space"
    Only 28? Home Depot, and others, sell 31 and 33 cubic foot refrigerators.

    Why does every device that uses electricity have to have WiFi Internet access??????
    Why do my teapot, toothbrush, toilet and A/C have to talk to each other and to other devices in my house and other houses?

    There is actual Smart and dumb Smart. A self-regulating appliance/device that makes up for stupid human mistakes is Smart and has a built-in flat screen TV (not a Smart TV!) I would probably buy. Any appliance/device with an Internet connection is D U M - dumb. I agree with Read and Share - "home appliances that need to be connected to the net for “anywhere, anytime access” really are few and far between." Any such device introduces another attack vector into the house.

    Just as I would not trust the quality of appliances made by software writers, I do not trust the security software written by appliance manufacturers.

    How come "smart appliances" are too stupid to automatically update their software over their Internet connections???

    The usual excuse for why there are so many exploits and so much malware for Windows is that hackers create malware for the largest user base. Once IoT becomes popular, it will make Windows look like a piker. While Windows has hundreds of millions of installs, IoT will have hundreds of billions. Anybody who can spell "malware" will be attacking Smart devices, Smart appliances, Smart homes and Smart cars. Especially with the manufacturers of all that stuff unable to provide even the most rudimentary security.

    "So What Can Be Done?"
    How about admitting that IoT can never be made secure and forgetting the whole thing?
    How about not trying to cram a WiFi transceiver into every device and tool we own?

    • Ryan Dube
      September 4, 2015 at 4:46 am

      I have to agree that some companies are getting a bit silly with how and where they decide to integrate products with the Internet. I honestly can't think of any reason I need my stove or refrigerator internet-enabled, when I can just bring my tablet into the kitchen to look up whatever I like, find whatever recipes I want, time my cooking with plenty of great apps out there - I mean....yes, it's silly.

      However, I can't agree that IoT should be completely dumped. You can't toss the baby with the bathwater, because there are actually MANY really good, useful reasons to integrate the Internet into some appliances, mostly for control purposes like HVAC & fans, temperature controls, locks and security, lighting, outdoor land management appliances, and much more. There's a time and a place for IoT, but not every single thing needs connectivity.

      • fcd76218
        September 4, 2015 at 12:52 pm

        "mostly for control purposes like HVAC & fans, temperature controls, locks and security, lighting, outdoor land management appliances"
        How about getting out of our La-Z-Boy lounger and changing the settings manually? How difficult is that?

        I would agree with you except for one tiny, minor shortcoming of IoT - SECURITY. When I said that IoT should be dumped, it's not because it is a bad idea but because, currently, it cannot be made sufficiently secure. That is why I am surprised that you consider "locks and security" something that should be IoT enabled. AFAIAC, using WiFi-enabled locks to control access is like leaving the key under the door mat.

  2. Tom Lowe
    August 31, 2015 at 1:36 am

    If history is any guide, it will take federal legislation to force manufacturers to do what they should have been doing all along. Most people do not know that it took federal legislation to force manufacturers of refrigerators to make them openable from the inside, so that children playing around refrigerators in vacant lots would not be trapped and suffocate.

    If the manufacturers of smart refrigerators or other appliances that are open to the Internet cannot ensure that their products are secure, then they probably should not be selling those products. An online refrigerator is about the silliest thing imaginable, anyway.

    The poet William Blake once wrote that you never know what is enough until you know what is more than enough. This stuff is clearly more than enough.

    • fcd76218
      August 31, 2015 at 3:29 pm

      "If history is any guide, it will take federal legislation to force manufacturers to do what they should have been doing all along."
      If history is any guide, it will take years to pass any legislation. By the time it is passed, it will already be obsolete. The legislation will be written by lobbyists for the appliance industry and have so many loopholes that it will be worthless.

      How can we trust the government to pass any meaningful security legislation if 1) they cannot secure their own databases, and 2) they insist on having backdoors in every security program?!

  3. Read and Share
    August 30, 2015 at 11:18 pm

    To me, home appliances that need to be connected to the net for "anywhere, anytime access" really are few and far between. What do I have that takes a while between turning on and enjoying that I wish I could do so remotely and ahead of time? Maybe the AC -- although that's hardly critical. OK, maybe my next AC, I will look into those that come with good, secure Android apps.

    As for the rest... fridge, coffee pot, stove, etc., etc. -- no thanks. I'm happy enough with local control.

    I do look forward to the day when truly powerful and battery-efficient PC's come in the size of phones -- so that most all of us will own just one computer instead of 3 or 4 in different sizes. And with that one phone-size computer, I think I will be as connected as I'd ever want to be. No need to ask my fridge or my coffee pot about the weather.

    • Ryan Dube
      September 4, 2015 at 4:50 am

      I agree - a central device as powerful as any computer, that you can carry with you and use anywhere. Smartphones are almost there - but not the typical power of the PC, which is what I understand you're saying.

      The one area I do see benefit is in-home controls. These devices don't need to be connected to the external internet, but wouldn't it be cool if they were connected to your "control devices", so that your oven can show you a picture of what that roasting chicken in the oven looks like, then you can just take out your phone (or that awesome future portable computer) and type in that you'd like it to cook for 10 more minutes. All from the comfort of your couch, or your office...

      I think there's some benefit to appliances being "connected", but the companies that are coming with these things seem to have very little creativity and innovation on staff.

  4. Pat Burns
    August 30, 2015 at 7:39 pm

    A fundamental weakness of nearly all wireless IoT technologies is how comically easy they are to discover. WiFi, Bluetooth, ZigBee, Thread, and others engage in an outdated form of "beaconing" or "advertising" their existence, regardless of whether they have something relevant to share with the network. Better to re-think endpoint design with the principle of "stealth" in mind for IoT endpoints to enable real-time queries or event-driven messaging as the default comms mode. Some more detail on this here http://bit.ly/1WQYcXC
