Samsung Smart Fridge Vulnerable to Gmail Hack

A security flaw could hand hackers your Google login.

The tablet interface of the Samsung RF28HMELBSR Credit: Reviewed.com

A white hat security firm has discovered a vulnerability in one of Samsung's smart fridges that exposes owners' Gmail credentials. The flaw was discovered by Pen Test Partners at the most recent Defcon conference in Las Vegas, highlighting a major challenge for developers working in the Internet of Things.

The so-called "man-in-the-middle" exploit allows potential hackers to intercept data as it travels from a server to a device—a fundamental process for most smart devices.

The refrigerator in question, Samsung's RF28HMELBSR, features a tablet-like interface that can display a user's Gmail calendar. In an attempt to securely relay this information to the fridge, Samsung implemented an encryption protocol called Secure Sockets Layer (SSL).

However, hackers have shown that the RF28HMELBSR fails to validate the SSL certificate presented by Google's servers. For the security layer to work, the fridge needs to confirm that the certificate it receives back from the website host is valid.

Ken Munro, a security researcher at Pen Test Partners, explained the findings to The Register:

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbors, for example."

In theory, anyone on the same WiFi network as the fridge could pose as the Google Calendar app and retrieve a user's Gmail credentials. The flaw, which was first reported Monday morning, has since been communicated to Samsung, which released a statement claiming it is looking into the matter.
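To make the distinction between "SSL is in place" and "the certificate is validated" concrete, here is an added example (not Samsung's or Pen Test Partners' code) using Python's standard `ssl` module. The function names are hypothetical, and `fridge_style_context` is a constructed stand-in for a client configured the way the article describes, set beside a correctly validating one and a small audit check a developer could run against their own client configuration.

```python
import ssl


def fridge_style_context():
    """Constructed stand-in: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never checked
    return ctx


def chain_only_context():
    """Half-fixed client: the chain is verified, but not who the certificate is for."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # a valid certificate for any other domain passes
    return ctx


def validating_context():
    """Library defaults: trusted CA chain required and hostname must match."""
    return ssl.create_default_context()


def audit(ctx):
    """Return the validation steps this client context skips (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


if __name__ == "__main__":
    for name, factory in [
        ("fridge-style", fridge_style_context),
        ("chain-only", chain_only_context),
        ("validating", validating_context),
    ]:
        problems = audit(factory())
        print(f"{name}: {'; '.join(problems) if problems else 'OK'}")
```

Both checks are needed: without the chain check a self-signed certificate is accepted, and without the hostname check a legitimately issued certificate for an unrelated domain is accepted.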

It's probably not a serious concern for most owners, but if you have one of these fridges in your house, it couldn't hurt to change your WiFi password. Better yet, simply avoid using the Google Calendar feature until the flaw has been patched.

As smart home tech continues to proliferate, experts expressed fears over whether the manufacturers of dumb, disconnected appliances can protect against modern cybersecurity threats. The fact that this particular flaw came from Samsung—an established electronics and software juggernaut—only serves to highlight the extent of the threat.
