Information Security News mailing list archives

Smart refrigerator hack exposes Gmail login credentials


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 27 Aug 2015 10:23:02 +0000 (UTC)

http://www.networkworld.com/article/2976270/internet-of-things/smart-refrigerator-hack-exposes-gmail-login-credentials.html

By Colin Neagle
Network World
Aug 26, 2015

A team of hackers recently discovered a man-in-the-middle vulnerability in a Samsung smart refrigerator that can be exploited to steal Gmail users' login credentials, The Register reported this week.

Hackers from security company Pen Test Partners discovered the flaw while participating in an Internet of Things (IoT) hacking challenge at the Def Con security conference earlier this month. The smart refrigerator, Samsung model RF28HMELBSR, is designed to integrate the user's Gmail Calendar with its display. Samsung implemented SSL to secure the Gmail integration, but the hackers found that the device does not validate SSL certificates, so an attacker who gains access to the network can intercept the connection and capture the user name and password used to link the refrigerator to Gmail.

"While SSL is in place, the fridge fails to validate the certificate," Ken Munro, a security researcher at Pen Test Partners, told The Register. "Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example."

[...]
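The failure described above is TLS that is switched on while the server certificate is never validated. The following added example (not code from the article, Samsung or Pen Test Partners) shows that client configuration beside a validating one in Python's `ssl` module, with a check that fails closed before any credentials could be sent. The function names and the host `calendar.example` are assumptions made for illustration.

```python
import socket
import ssl


def build_non_validating_context():
    """Client context with the weakness described: encryption without certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_validating_context():
    """Library default: verify the chain against trusted CAs and match the hostname."""
    return ssl.create_default_context()


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the peer will be authenticated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (verify_mode=%s)"
                        % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def open_tls(host, port, ctx, timeout=5.0):
    """Connect only when the context authenticates the server; otherwise fail closed."""
    findings = audit_client_context(ctx)
    if findings:
        raise ValueError("refusing TLS connection: " + "; ".join(findings))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    for name, ctx in (("non-validating", build_non_validating_context()),
                      ("validating", build_validating_context())):
        print(name, "->", audit_client_context(ctx) or "ok")
```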


