Using Samsung's Internet-Enabled Refrigerator for Man-in-the-Middle Attacks

This is interesting research:

Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google's servers to download Gmail calendar information for the on-screen display.

So, MITM the victim's fridge from next door, or on the road outside and you can potentially steal their Google credentials.

The notable exception to the rule above is when the terminal connects to the update server -- we were able to isolate the URL https://www.samsungotn.net which is the same used by TVs, etc. We generated a set of certificates with the exact same contents as those on the real website (fake server cert + fake CA signing cert) in the hope that the validation was weak but it failed.

The terminal must have a copy of the CA and is making sure that the server's cert is signed against that one. We can't hack this without access to the file system where we could replace the CA it is validating against. Long story short we couldn't intercept communications between the fridge terminal and the update server.

When I think about the security implications of the Internet of things, this is one of my primary worries. As we connect things to each other, vulnerabilities on one of them affect the security of another. And because so many of the things we connect to the Internet will be poorly designed, and low cost, there will be lots of vulnerabilities in them. Expect a lot more of this kind of thing as we move forward.

EDITED TO ADD (9/11): Dave Barry reblogged me.

Posted on August 31, 2015 at 1:56 PM • 52 Comments

Comments

K.S.August 31, 2015 2:15 PM

One thing I don't understand is what do we gain by connecting all the fridges out there to the Internet. Someone please explain this to me.

AnuraAugust 31, 2015 2:18 PM

Executive: What can we do to make a better refrigerator?
Engineer: Well, with this new motor we can increase efficiency by 7%!
Executive: Boring.
Marketing: I got it!
Marketing: What if we connected it to the internet?
Executive: Love it!
Engineer: Wait, what is the use case?
Marketing: That's an implementation detail.
Engineer: !!!
Executive: Agreed, let's get it on the market as soon as possible!
Engineer: Well, I mean, we'll have to hire some knowledgeable programmers.
Engineer: And we need good people to design the architecture.
Executive: Don't worry about that; we can outsource to the lowest bidder!

And thus, the internet-enabled refrigerator was born.

GiuseppeAugust 31, 2015 2:47 PM

Why the fridge credentials allow for unlimited access to the entirety of the Google account? Why not just providing it with a token for just calendar access, so it's revokable at any time?

Alien JerkyAugust 31, 2015 2:58 PM

It is so hard to tell if I am out of beer. Opening the door and looking in, or simply knowing I took the last one is too complicated for today's youth I guess.

AnuraAugust 31, 2015 3:02 PM

@Alien Jerky

Of course, you knowing what is in the fridge isn't really the reason for the internet connection. It's the marketing firms that want to know what is in your fridge that are the real customers.

Alien JerkyAugust 31, 2015 3:14 PM

@Anura

Of course, you knowing what is in the fridge isn't really the reason for the internet connection. It's the marketing firms that want to know what is in your fridge that are the real customers.

Yeah, so when I am out of Budweiser they can market Coors to me. Or call the authorities when they detect my garage door opening after a six pack is removed from the fridge so they can stop me before driving. Along with the built-in breathalyzer in the car that monitors the air and prevents the car from starting as I am already running late for my meeting, even though all I did was spill some rubbing alcohol on the seat which triggers the breathalyzer....

Alan KaminskyAugust 31, 2015 3:36 PM

Bring back the icebox.

This will also decrease unemployment: We will also have to bring back all the icemen who were put out of work back in the 20th century when these newfangled "refrigerator" things were introduced.

JDAugust 31, 2015 3:59 PM

It's things like this that make me cry inside every time I see a Nest thermostat commercial on TV, and long* for a thermostat that I don't have to adjust, except I just dont trust who it might talk to, or the security holes it will bring.

*I dont so much long for one because I think its great, I just want to see the thermostat explode when its trying to "learn" my patterns, and see how it deals with the endless volley of me turning the temp down and my wife turning it up 5 mins later, all evening / weekend, every evening / weekend.


...and WHY do we NEED internet enabled fridges? So we can answer the age old question, if you close the door, does the light REALLY turn off or not....

AnuraAugust 31, 2015 4:01 PM

@Alan Kaminsky

If mocking:

There is a middle ground between corporations receiving data about every aspect of my life and abandoning all technology.

else:

Ah, I see the Freedom Club has found a new member!

AnuraAugust 31, 2015 4:10 PM

To get serious:

The obvious problem with IoT is the lack of security/updates. It is highly unlikely that the IoT is going away, and it is highly unlikely that we can expect good security practices within every single component of the IoT.

Perhaps the solution is to delegate external communications to a separate device via an open protocol? That device would handle all authentication, encryption, and routing of messages, and can simply be a computer with the correct open source software on it, or a dedicated device with open source firmware.

Each device would then have an easy-to-use discovery procedure, and could even use a completely separate channel to communicate with your IoT device, which is simple to connect devices while minimizing the risk of rogue devices.

Rick BurrisAugust 31, 2015 4:14 PM

Why would you need it? Why, so you can eventually decide what you want for dinner.

$canimake -salad

$canimake -sandwich

$canimake -cereal

See, completely useful.

PhilSAugust 31, 2015 4:20 PM

What happens if you buy one of these "smart" refrigerators but don't have a gmail account?

TimAugust 31, 2015 4:42 PM

I think the Google Calendar integration was designed to show you your upcoming calendar items, in much the same way that a paper calendar attached to the fridge door via magnet would. My guess is that it uses a Google OAuth token with a hopefully limited token that gets the fridge read-only access to the user's calendar only.

A better question would be: why not just embed a Google Android touchscreen device in the door and call it good? At least that way you'd get OS updates, and possibly a lot more functionality, like the ability to listen to music while you're cooking or something.

Tony H.August 31, 2015 4:53 PM

@Giuseppe

"Why the fridge credentials allow for unlimited access to the entirety of the Google account? Why not just providing it with a token for just calendar access, so it's revokable at any time?"

Google does support single-purpose credentials, but probably 99+% of Gmail users have no idea that they exist. Most likely the fridge prompts for your Gmail id and password when you first boot it up, the user enters them, and it's game over.

Björn PerssonAugust 31, 2015 4:55 PM

Selling gadgets that skip certificate validation ought to be punishable as reckless endangerment, or at the very least criminal negligence.

Alien JerkyAugust 31, 2015 4:58 PM

Then there will be the inevitable news story:

Police search fridge without warrant. seized beer and donuts. Teenagers arrested for keeping Snickers bars in freezer and eating cookie dough directly out of package. A chase ensued resulting in mass rioting. A new movement begins with chants of "we can eat hydrogenated junk food and drink phosphoric acid tainted carbonated sugar water if we want to".

Another JustinAugust 31, 2015 4:58 PM

PhilS • August 31, 2015 4:20 PM

What happens if you buy one of these "smart" refrigerators but don't have a gmail account?

--

Now you're approaching another one of my areas of concern. "Unless you allow me to send all consumption information to your doctor/health insurer, your facebook account, and to our carefully selected marketing partners, I will suspend operation, lock the door and not open until all food is decayed. You have been warned. By the way, three slices of cheesecake and a gallon of ice-cream which went missing at 2am has been reported even though ingress appears to have been effected through the refrigerator ceiling. A repair technician will be along shortly to install a reinforced steel sheel so that your family consumption profile is within government health limits. All offline and online merchants have been alerted to prevent further cheesecake or ice-cream purchases. We take our role as your chosen family monitor seriously. Thank you for choosing our-name-here to serve you! We know that you have choices and are honored to be allowed to partner with your family. Have a wonderful healthful day!"

MuffinAugust 31, 2015 5:43 PM

Poorly designed, poorly implemented, AND never updated... remind me again why fridges need Internet access? (Or why I'd want for my fridge to display a calendar?)

Clive RobinsonAugust 31, 2015 5:56 PM

@ Another Justin,

You beat me to the "Health Insurance" and "Nanny State" comments.

@ JD,

The solution to your wife fiddeling with the thermostat is to disconnect it, and replace it with a "landlord" thermostat she can not tamper with. Just leave the old one in so she thinks she's still adjusting it.

Or if you are realy realy evil, a couple of other wheezes, either work out when she is most likely to fiddle with it and put in a time clock so she gets her way for say an hour a day or run a circuit that when the thermostat is to high makes the boiler show a fault has come up and turns it's self off, untill the thermostat is turned down and a manual reset is performed... either way could lead to divorce as mental cruelty so think carefully first.

@ All,

My worry with this type of "user present" IoT device will be that third parties will be able to find out when you are in or not and tailor their nefarious activities accordingly...

Also a few years back the UK Government was looking into the fesability of using "store loyaltiy card" databases to see who was living a more luxurious lifestyle in any given area and adjust the "local property tax" / rates accordingly...

Nick PAugust 31, 2015 7:31 PM

@ Muffin

"remind me again why fridges need Internet access?"

So, after the hack, whole subreddits can be dedicated to why you're probably fat, diabetic, etc. I mean, not much good can come of it so it must be mean to enable trolls.

Keep coolSeptember 1, 2015 4:50 AM

Samsung TVs are known to be one huge surveillance device in your living room.

They share your viewing habits with anyone and everyone. They send your voice commands to a central server, and can technically be used as a bug. Ditto for the camera, if your model has one. When you turn them on for the first time, it registers with as many as 60 different providers, so you're always trackable regardless of any change in IP address.

The chatty fridge is a mere misdemeanor. I would expect their TVs to treat SSL certificates in the same fashion.

Next step: networking between your TV, the fridge, the washroom, the couch and your bed?

David AlexanderSeptember 1, 2015 5:23 AM

And don't forget the limited procesing power in each of these devices. Do you trust the PRNG/DRNG they use and how long is the key length ? Don't get me started on atacking key management, as per the item that started this conversation. I expect the cover time could be measured in days at best.

blakeSeptember 1, 2015 5:33 AM

> Do you trust the PRNG/DRNG

Ironically, a fridge is ideally placed to capture genuine random numbers based on real world thermal noise.

Snarki, child of LokiSeptember 1, 2015 6:30 AM

Dave: "Refrigerator, give me a beer."

Refrigerator: "I'm sorry Dave, I can't do that."

Richard HSeptember 1, 2015 8:25 AM

@Clive Robinson, @JD,

> disconnect it, and replace it with a "landlord" thermostat she can not tamper

Easier still: remove knob from spindle, rotate through 5 degrees (or whatever), replace.

paulSeptember 1, 2015 10:06 AM

I'm glad to know that the data for the update server is hard-coded. Or would be if I didn't think a) that makes it a high-value target from which you can compromise every samsung smart appliance in the world and b) at some point long before the fridges and tvs are done working some bean-counter will decide it's not worth it to maintain that address, and everything that depends on it will auto-brick.

MikeASeptember 1, 2015 10:58 AM

@JD -- Easy to find out about that light. Just start a video record on your iPhone and stick it in the fridge. Or mess with the generally easy to find switch. Today that might require running a magnet around the door perimeter. All these beat my big sister's suggestion that we put me inside.

@Snarki -- sudo give me a beer.

jbmartin6September 1, 2015 11:22 AM

It is a minor peeve of mine that people think encryption is the most important function of SSL. When actually the authentication part is. It seems this vendor got caught in the 'encryption equals security' fallacy. Or more likely, they only used SSL because Google Calendar won't work over HTTP

thunderbirdSeptember 1, 2015 2:50 PM

I've mentioned the Internet TV thing to various friends and relatives and the usual response is "why would I care?" After explaining that it's a business surveillance platform that you fund, the smart ones say "I just won't give it access to my network." Fair enough, I figured. That should take care of it....

It just occurred to me that there's usually one (or more) open networks visible from my house at any time. A TV could be designed to connect over them, or to watch for the Samsung car (like the Google Maps car, but evil!) to drive by and dump its intel. I guess some hardware neutering is kind of mandatory for all these TVs (and the time seems to be coming when you can ONLY purchase internet TVs vs. the good old "dumb" TV).

Mike BarnoSeptember 1, 2015 3:40 PM

@ thunderbird :

(and the time seems to be coming when you can ONLY purchase internet TVs vs. the good old "dumb" TV).

I have another option which I prefer: No television. No BS being flashed in my face and blared in my ears in attempts to make me spend my money unwisely.

Dirk PraetSeptember 1, 2015 5:01 PM

@ Anura

... And thus, the internet-enabled refrigerator was born.

I think that sums it up pretty well. There is no reason whatsoever why a fridge should be connected to the internet.

Back in the days of colonialism, invaders used to swoon primitive natives with perfectly useless beads, mirrors or even tinfoil. Today, marketeers are applying similar tactics to the unwitting droids of the new millennium, who just like these natives have no idea what kind of vampires they're inviting into their homes.

Jonathan WilsonSeptember 1, 2015 7:23 PM

I own both a Samsung TV and a Samsung fridge. Neither of them can be used to spy on me though as neither of them have any kind of network connectivity.

keinerSeptember 2, 2015 1:43 AM

Why bother for your fridge, while not knowing what EXACTLY your NAS, router, "dumb" switch etc. is doing all day (and night) long...

WaelSeptember 2, 2015 2:08 AM

Expect a lot more of this kind of thing as we move forward.

And that's the optimistic view! The pessimistic one is: So what's an extra line on a zebra? Let the new generation enjoy the technology, they don't give a crap about security! I bet they'll setup auto updates to their Twitter and Facebook accounts about the contents in their fridge. Expect tweets in the form of: OMG, like I bought this cool (pun intended) dragon fruit and it only lasted in my fridge for a couple of hours...

Your statement also implies that moving forward and security are inversely proportional; as one moves forward, the other moves backwards :)

ianfSeptember 2, 2015 6:33 AM

@ PhilS doesn't have a Fuckfacebook account

Keep quiet about it, or you'll be issued one whether you want it or not (in fact, go check if it hasn't happened already).

As for the refrigerator's MITM attack vector, I see a big potential for the stand-up circuit(sic!). Imagine the comic load of stage ANGST over some freezer. Not to mention endless possibilities of phreaking or phracking the $CURRENT_STORAGE registers with, like, scanned-in barcodes of 1M bottles of unpasteurized Chinese beer (a warning light goes up somewhere along the report chain prompting a costly HUMINT investigation), were someone cheeky enough to attempt that.

@ MODERATOR
The "Sophie Taylor" account spams multiple comment threads.

albertSeptember 2, 2015 10:48 AM

I have some questions about this fridge (most apply to any I-device)
.
Does it connect through your home wi-fi? How do you configure it? Does it use the power line as an antenna? If you don't set it up, is it still active?
.
Doesn't seem like a problem if you don't set it up. And you could always disconnect it if it's really a bad actor.
.
. .. . .. o

Gerard van VoorenSeptember 2, 2015 11:11 AM

@ Albert,

> Doesn't seem like a problem if you don't set it up. And you could always disconnect it
> if it's really a bad actor.

Let's do some banking... Hey, all our money is gone! Bad refrigerator. We'll have to disconnect you.

The problem with bad actors is that they usually don't present their selves as bad actors.

IrrtumSeptember 2, 2015 12:11 PM

@keiner:

Why bother for your fridge, while not knowing what EXACTLY your NAS, router, "dumb" switch etc. is doing all day (and night) long...

I configured my router's firewall to block all traffic between my Western Digital NAS and the internet. I didn't have any particular suspicion, I just felt it was good hygiene.

To my astonishment the log file started filling up with rejected outgoing packets sent by the NAS to addresses all over the planet, in places like Belize or Dubai. Connections were established, but I still haven't figured out what the gizmo's compulsion was. It has a remote access option, but it was always turned off.

There's a ton of private information on that device, dammit!

I have a VoIP adapter operating from the inside of NAT domain, as placing it between the router and the modem unfortunately brings a number of problems. I have narrow rules for that device, but it could technically act as a Trojan horse.

Robert BrownSeptember 2, 2015 12:54 PM

If any potentially good use for an internet connected refrierator exists, it might likely be to control when the compressor could run. Allowing the power company to control the duty cycling of the compressor, with the refrigerator's internal temperature as a safe guard, could conceivably reduce demand on the generating station, and thus lower generating costs for the power utility. Hopefully they would give you some break on your bill because of this. I wonder what the pay back period would be...

RobertSeptember 2, 2015 2:40 PM

@Robert,
Refrigerators can already do this on their own. Temperature control can't be dependent on mains supply, and I certainly don't want the utility messing with my fridge. They've already got freaking smart meters. WTF. It's a _marketing gimmick_. Do you think the manufacturer can't write a temperature control loop, so they need a way to 'upgrade' the firmware remotely? What they'll be 'updating' is the BS internet crap.
.
We have a whole world of infrastructure on the internet, and a huge spectrum of potential hacks just waiting to happen. If your food spoils, it's not the end of the world, but it's still a drag, and so totally unnecessary.
.
. .. . .. o

AnuraSeptember 2, 2015 3:08 PM

The whole thing about having to either hardwire it into the network or enter a wireless password could be a problem. I propose an open, IoT wireless mesh network. That way you don't even have to type in a wifi password: anything you buy always access the internet, unless you physically open it up and remove the hardware.

It's great for usability! No more configuring, it just works. And an EULA will protect your legal rights: "By existing in proximity to a IoT device you grant permissions for us to track all your movements, record everything you think, say, do, or consume, and offer that information up for sale to anyone we deem worthy of giving us money."

Sancho_PSeptember 2, 2015 6:30 PM

@Anura (”I propose an open, IoT wireless mesh network.”)

Too late my friend:

It's already easy for you “fridge” to connect to the Internet if your (or your neighbor’s) router is a Fonero.
User/pwd may be integrated in the device and payed for by your data:
https://en.wikipedia.org/wiki/FON

Pat BurnsSeptember 2, 2015 8:56 PM

Hi everyone - first time commenter here/longtime reader of this blog and wanted to offer a slightly different take on IoT security and perhaps get some perspectives/critique.

The wireless technologies deployed for most *mainstream* IoT devices (like the cliche "smart refrigerator*) are famously weak at hiding their presence to unauthorized/unwanted users. WiFi, Bluetooth, ZigBee, and many others employ some flavor of advertising/beaconing in order to make "discovery" easier but, alas, security was never really a priority for any of these guys and the IoT news lately seems to be about security hacks ~50% of the time.

A better way, or perhaps a "first principle" of re-thinking IoT wireless endpoint (networking) design is to require "stealth", as I call it, around endpoints. Endpoints should remain quiet unless a) an authorized user interrogates the endpoint or b) an event (like a change in temperature) drives the transmission of a message to the network. A quieter, stealthier network enables a host of ancillary (or primary, depending on where you sit) benefits including lower power consumption, real-time query capability, more efficient wireless spectrum usage, and more. I wrote a post on this that goes into greater detail here: http://bit.ly/1WQYcXC

"Stealth" is not a silver bullet for IoT security but it's a low cost and -- I believe -- common sense starting point for re-thinking IoT security. Like other elements of good network security, it's just one element.

Thanks.

blakeSeptember 3, 2015 4:56 AM

More on the Insecure Internet of Things - this turned up on arstechnica today:

http://arstechnica.co.uk/security/2015/09/9-baby-monitors-wide-open-to-hacks-that-expose-users-most-private-moments/

Including:

> ... the report comes a week after an Indiana couple reported someone hacked their two-year-old's baby monitor and played the Police’s "Every Breath You Take" followed by “sexual noises.”

Yeah. If you thought a fridge was dangerous as an insecure online device...

ianfSeptember 3, 2015 5:40 AM

someone hacked a baby monitor and played the Police’s "Every Breath You Take" followed by “sexual noises.”

Where ye folks only see PROBLEMS with such dispersed devices, I see culturally-laden commercial opportunities: for instance (off the top of my head) a matchbook-sized electronic gizmo meant to be hidden by a parting lover beneath the lovee's bed mattress, which will play some bars of “Je t'aime… moi non plus” by Birkin & Gainsbourg when triggered by a specific bed-shaking pattern. I am sure FIREBOX.COM would soon be selling tons of it. As a romantic reminder of past coupling, of course. And the like. Here, go get patent it, make a killing, I've got bigger things to occupy my mind now.

MyntraNovember 30, 2015 9:05 AM

Smart fridge with dumb security...Internet is like added vitamins these days. Every gadget comes with the Internet feature. So you can connect and communicate to world wide web. While it adds convenience whether it is really secure is a million dollar question. Your PC and smart phone is protected by anti-virus s/w but what about all those gadgets?

RoxaneApril 14, 2016 8:15 AM

Well, Samsung is a popular brand so there is no doubt to the quality but you may have to pay a little higher than normal.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.