Pinterest Stumbleupon Whatsapp

$3599 is a lot of money.

It could get you a decent second-hand car, or a relatively tricked out iMac. You could buy 3599 McChicken burgers, or 2589 McDoubles. Or it could get you the Samsung RF28HMELBSR.

This (snappily-named) fridge has everything. It’s got four doors, a colossal 28 cubic foot of space, and an integrated, 8” WiFi-enabled LCD touchscreen display that allows you to do anything from read the news, to remotely control your Android smartphone.

If it sounds familiar, it’s because it was once featured on my list of the dumbest Smart Home products ever Tweeting Fridges and Web Controlled Rice Cookers: 9 of the Stupidest Smart Home Appliances Tweeting Fridges and Web Controlled Rice Cookers: 9 of the Stupidest Smart Home Appliances There are a lot of smart home devices that are worthy of your time and money. but there are also kinds that should never see the light of day. Here are 9 of the worst. Read More . And did I mention it ships with a massive, gaping security vulnerability?

Smart Fridge, Stupid Mistake

Yes, for all of its sophistication, this fridge shipped with a significant security flaw that could potentially see an attacker surreptitiously harvest Gmail login credentials.


The vulnerability was first reported in The Register on August 24th, and discovered by UK-based infosec firm Pen Test Parters while participating in an Internet of Things (IoT) hacking challenge at the recent Defcon 23 conference.

The built-in touchscreen on this fridge allows the user to access their own Google Calendar. Connections to-and-from Google’s servers are encrypted using SSL encryption What Is an SSL Certificate, and Do You Need One? What Is an SSL Certificate, and Do You Need One? Browsing the Internet can be scary when personal information is involved. Read More , but Samsung’s implementation of SSL doesn’t check the validity of the certificates.


This presents a serious security problem, since anyone on the network would be able to launch a “Man in The Middle” What Is A Man-In-The-Middle Attack? Security Jargon Explained What Is A Man-In-The-Middle Attack? Security Jargon Explained Read More attack, and intercept the user’s login credentials in transit. An attacker would also be able to obtain them by spoofing an access point, or through a wireless deauthentication attack.

Samsung have said they’re “investigating into this matter as quickly as possible”, and are presumably working flat out to issue a fix. But this episode does present an interesting demonstration of how badly security can go wrong on the Internet of Things.

(In)Security In A Networked World Of Things

In the past, we’ve talked extensively about the risks posed by the Internet of Things, both from a privacy Why The Internet of Things Is The Biggest Security Nightmare Why The Internet of Things Is The Biggest Security Nightmare One day, you arrive home from work to discover that your cloud-enabled home security system has been breached. How could this happen? With Internet of Things (IoT), you could find out the hard way. Read More  and from a security and sociological perspective 7 Reasons Why The Internet of Things Should Scare You 7 Reasons Why The Internet of Things Should Scare You The potential benefits of the Internet of Things grow bright, while the dangers are cast into the quiet shadows. It's time to draw attention to these dangers with seven terrifying promises of the IoT. Read More . Addressing them is difficult, because when it comes to securing the Internet of things, we encounter a few problems.

Firstly, these devices are not PCs or phones, in the respect that they are uniformly easy to update (Windows 10 will even install updates on your behalf How To Turn Off Automatic App Updates In Windows 10 How To Turn Off Automatic App Updates In Windows 10 Deactivating system updates isn't advised. But if need be, here's how you do it on Windows 10. Read More ), and the vendors behind them are involved and regularly release software and security updates. Many smart home products do not “update” over the air, either requiring you to use complicated or unreliable software packages, removable storage, or simply not allowing you to update the firmware at all.

How do you, for example, update an interconnected coffee pot, or a computerized thermostat? There’s no easy, universal way of doing that.

It’s also important to address the fact that many of these devices are now built by regular folks in their own homes. Arduino and Raspberry Pi have allowed us to introduce network connectivity and computerized logic into places we’ve never thought possible, while products like Microsoft’s Windows 10 for IoT Windows 10 - Coming to an Arduino Near You? Windows 10 - Coming to an Arduino Near You? Read More has made it easier to expose these devices to the wider Internet, simultaneously opening up a world of opportunity and of risk.


While many seasoned developers know how to build these devices in a way that’s secure, far too many novice and hobbyist developers do not.

Then we get on to the problem of longevity. Again, this problem that’s uniquely endemic to the Smart Home world. Because while your PC and Phone runs software that’s been built by companies with long histories and deep pockets, most of your Smart Home devices have not.

The overwhelming majority of these companies are early to late stage startups, many of these are in a tentative stage in their development. If they shut down, what happens to the products they’ve already shipped? Who will write software updates and security patches?

As we’ve written about in the past, hardware startups are hard Why Hardware Startups Are Hard: Bringing the ErgoDox to Life Why Hardware Startups Are Hard: Bringing the ErgoDox to Life Here’s a controversial opinion for you: launching a software startup is easy. Hardware, on the other hand? Hardware startups are hard. Really hard. Read More . Already this year, we’ve seen significant layoffs at Leeo and Wink – two of the largest Smart Home startups. Many more – like Lumos – have failed to get off the ground entirely.

But perhaps the biggest and most enduring threat to Smart Home and Internet of Things security is simply that these devices are built to last longer than their manufacturers would prefer. Embedded systems and Smart Home products can work, quite happily, for years and years. Many of these do not work on a subscription service.

Are we to expect Nest and Philips to offer updates for as long as Microsoft supported Windows XP What The Windows XPocalypse Means For You What The Windows XPocalypse Means For You Microsoft is going to kill support for Windows XP in April 2014. This has serious consequences for both businesses and consumers. Here is what you should know if you are still running Windows XP. Read More ?

Out Of The LAN, Into The Fire

These security issues are significantly exacerbated by the fact that many of these devices are connected to the wider Internet and remotely accessible, thereby introducing a smorgasbord of security concerns.

Because when you connect something to the Internet, you then introduce a new attack vector to whoever is so motivated. Instead of having to connect to your home network, someone could simply remotely compromise it.

It’s easier than you think, too. There’s even a search-engine for embedded systems, called Shodan. With just a few keystrokes, you can find systems that have been exposed to the Internet worldwide – from power plants in Japan, to webcams in Holland, and VoIP phones in New York.


Simply searching for “Web Cam” exposes thousands of remotely accessible webcams. I didn’t access any however, as that would almost certainly result in me breaking the Computer Misuse Act 1990 The Computer Misuse Act: The Law That Criminalizes Hacking In The UK The Computer Misuse Act: The Law That Criminalizes Hacking In The UK In the UK the Computer Misuse Act 1990 deals with hacking crimes. Twhis controversial legislation was recently updated to give the UK's intelligence organization GCHQ the legal right to hack into any computer. Even yours. Read More .


It’s scary. We’ve started to introduce our homes to the Internet, and it’s trivially easy to find them, and to launch targeted attacks on them. We should be concerned.

So What Can Be Done?

Security flaws, like the one found in Samsung’s Android refrigerator, will always be there. As long as it’s easy for vendors to issue fixes, and they’re constantly being updated throughout the lifetime of the devices, that’s not too much of a problem.

But it’s important we address the other issues. Efforts need to be made to ensure the developers of Smart Home and IoT products know how to develop secure systems. This could be accomplished by greater outreach with the security community.

There are a number of precedents for this. The OWASP (Open Web Application Security Project) project is one that springs immediately to mind.Launched in 2004, this has produced freely-available educational material that teaches developers how to build secure websites, and hackers how to properly test the security of web applications.


There’s no reason something similar couldn’t be created for the smart home world, and for Internet of Things developers.

Moreover, we need to ensure that Smart Home systems are updated and maintained, even if the vendors fold. This can be done by mandating everyone releases their code into a source code escrow, where the code is released if the company files for bankruptcy, or otherwise fails to maintain the software in a way that is satisfactory.

And as consumers, we should start to demand more from vendors. We should demand that the devices we purchase are supported with security patches for the lifetime of the product. We should expect that any security issues are resolved quickly and decisively. We should expect that vendors treat security threats with absolute transparency. And we shouldn’t patronize vendors who fail to meet that meager standard.

These are all relatively small changes, but there’s no reason to think they wouldn’t result in more secure Smart Home devices. But what do you think?

If you’ve got any thoughts, or have any horror stories of IoT insecurity, I want to hear about them. Let me know in the comments below, and we’ll chat.

Photo Credits: Arduino Experimentation Kit (Oomlout)IMG_5145 (JWalsh)

Leave a Reply

Your email address will not be published. Required fields are marked *