$3599 is a lot of money.
It could get you a decent second-hand car, or a relatively tricked out iMac. You could buy 3599 McChicken burgers, or 2589 McDoubles. Or it could get you the Samsung RF28HMELBSR.
This (snappily-named) fridge has everything. It’s got four doors, a colossal 28 cubic foot of space, and an integrated, 8” WiFi-enabled LCD touchscreen display that allows you to do anything from read the news, to remotely control your Android smartphone.
If it sounds familiar, it’s because it was once featured on my list of the dumbest Smart Home products ever. And did I mention it ships with a massive, gaping security vulnerability?
Smart Fridge, Stupid Mistake
Yes, for all of its sophistication, this fridge shipped with a significant security flaw that could potentially see an attacker surreptitiously harvest Gmail login credentials.
The vulnerability was first reported in The Register on August 24th, and discovered by UK-based infosec firm Pen Test Parters while participating in an Internet of Things (IoT) hacking challenge at the recent Defcon 23 conference.
The built-in touchscreen on this fridge allows the user to access their own Google Calendar. Connections to-and-from Google’s servers are encrypted using SSL encryption, but Samsung’s implementation of SSL doesn’t check the validity of the certificates.
This presents a serious security problem, since anyone on the network would be able to launch a “Man in The Middle” attack, and intercept the user’s login credentials in transit. An attacker would also be able to obtain them by spoofing an access point, or through a wireless deauthentication attack.
Samsung have said they’re “investigating into this matter as quickly as possible”, and are presumably working flat out to issue a fix. But this episode does present an interesting demonstration of how badly security can go wrong on the Internet of Things.
(In)Security In A Networked World Of Things
In the past, we’ve talked extensively about the risks posed by the Internet of Things, both from a privacy and from a security and sociological perspective. Addressing them is difficult, because when it comes to securing the Internet of things, we encounter a few problems.
Firstly, these devices are not PCs or phones, in the respect that they are uniformly easy to update (Windows 10 will even install updates on your behalf), and the vendors behind them are involved and regularly release software and security updates. Many smart home products do not “update” over the air, either requiring you to use complicated or unreliable software packages, removable storage, or simply not allowing you to update the firmware at all.
How do you, for example, update an interconnected coffee pot, or a computerized thermostat? There’s no easy, universal way of doing that.
It’s also important to address the fact that many of these devices are now built by regular folks in their own homes. Arduino and Raspberry Pi have allowed us to introduce network connectivity and computerized logic into places we’ve never thought possible, while products like Microsoft’s Windows 10 for IoT has made it easier to expose these devices to the wider Internet, simultaneously opening up a world of opportunity and of risk.
While many seasoned developers know how to build these devices in a way that’s secure, far too many novice and hobbyist developers do not.
Then we get on to the problem of longevity. Again, this problem that’s uniquely endemic to the Smart Home world. Because while your PC and Phone runs software that’s been built by companies with long histories and deep pockets, most of your Smart Home devices have not.
The overwhelming majority of these companies are early to late stage startups, many of these are in a tentative stage in their development. If they shut down, what happens to the products they’ve already shipped? Who will write software updates and security patches?
As we’ve written about in the past, hardware startups are hard. Already this year, we’ve seen significant layoffs at Leeo and Wink – two of the largest Smart Home startups. Many more – like Lumos – have failed to get off the ground entirely.
But perhaps the biggest and most enduring threat to Smart Home and Internet of Things security is simply that these devices are built to last longer than their manufacturers would prefer. Embedded systems and Smart Home products can work, quite happily, for years and years. Many of these do not work on a subscription service.
Are we to expect Nest and Philips to offer updates for as long as Microsoft supported Windows XP?
Out Of The LAN, Into The Fire
These security issues are significantly exacerbated by the fact that many of these devices are connected to the wider Internet and remotely accessible, thereby introducing a smorgasbord of security concerns.
Because when you connect something to the Internet, you then introduce a new attack vector to whoever is so motivated. Instead of having to connect to your home network, someone could simply remotely compromise it.
It’s easier than you think, too. There’s even a search-engine for embedded systems, called Shodan. With just a few keystrokes, you can find systems that have been exposed to the Internet worldwide – from power plants in Japan, to webcams in Holland, and VoIP phones in New York.
Simply searching for “Web Cam” exposes thousands of remotely accessible webcams. I didn’t access any however, as that would almost certainly result in me breaking the Computer Misuse Act 1990.
It’s scary. We’ve started to introduce our homes to the Internet, and it’s trivially easy to find them, and to launch targeted attacks on them. We should be concerned.
So What Can Be Done?
Security flaws, like the one found in Samsung’s Android refrigerator, will always be there. As long as it’s easy for vendors to issue fixes, and they’re constantly being updated throughout the lifetime of the devices, that’s not too much of a problem.
But it’s important we address the other issues. Efforts need to be made to ensure the developers of Smart Home and IoT products know how to develop secure systems. This could be accomplished by greater outreach with the security community.
There are a number of precedents for this. The OWASP (Open Web Application Security Project) project is one that springs immediately to mind.Launched in 2004, this has produced freely-available educational material that teaches developers how to build secure websites, and hackers how to properly test the security of web applications.
There’s no reason something similar couldn’t be created for the smart home world, and for Internet of Things developers.
Moreover, we need to ensure that Smart Home systems are updated and maintained, even if the vendors fold. This can be done by mandating everyone releases their code into a source code escrow, where the code is released if the company files for bankruptcy, or otherwise fails to maintain the software in a way that is satisfactory.
And as consumers, we should start to demand more from vendors. We should demand that the devices we purchase are supported with security patches for the lifetime of the product. We should expect that any security issues are resolved quickly and decisively. We should expect that vendors treat security threats with absolute transparency. And we shouldn’t patronize vendors who fail to meet that meager standard.
These are all relatively small changes, but there’s no reason to think they wouldn’t result in more secure Smart Home devices. But what do you think?
If you’ve got any thoughts, or have any horror stories of IoT insecurity, I want to hear about them. Let me know in the comments below, and we’ll chat.