Every day in every way, our gadgets and home appliances are getting smarter. But they’re still not smart enough to thwart cyber attacks.
Recently, security researchers gained access to the computer inside a Samsung Smart Fridge (Model RF28HMELBSR). That fridge features a 8-inch touchscreen in the door, which lets you view your Web calendar, play Pandora music stations, get weather reports, watch TV, make phone calls, and more.
The Samsung SmartFridge is wide open to you and to hackers (Photo: Samsung).
White-hat hackers at Pen-Test Partners were able to use fake security credentials to intercept communications between the fridge and Google Calendar. Cybercrooks could potentially use a similar technique to steal your Google login names and passwords. However, those thieves would first need to log onto your Wi-Fi network to access the fridge.
That particular Samsung refrigerator has been available in the US since June 2014; it does not run software created by SmartThings, the IoT company Samsung acquired in August 2014. Neither Samsung nor SmartThings had responded to requests for comment at publication time.
The Samsung SmartFridge connects via Wi-Fi to your smartphone and smart TV — and, hopefully, not a hacker’s laptop (Photo: Samsung).
It takes a village
The research was conducted as part of the Internet of Things (IoT) hacking village at the annual DEF CON hackers conference, held earlier this month in Las Vegas. It was far from the only IoT device that got pwned.
Besides the fridge, the hackers also found 25 vulnerabilities in 14 allegedly smart devices, including scales, coffee makers, wireless cameras, locks, home automation hubs, and fingerprint readers.
At press time, the names of all the devices that were hacked and the severity of the exploits were unavailable, pending notification to the vendors, says Ted Harrington, executive partner of Independent Security Evaluators, which ran the IoT Hacking Village.
The list of devices that researchers at DEF CON 23 set out to pwn. Just because the device is on this list, however, doesn’t mean it was successfully hacked (Sohopelesslybroken).
“The IoT Village demonstrated not only critical vulnerabilities in specific devices, but most importantly that these issues are systemic across the entire industry of Internet of Things,” says Harrington. “This is both a technology issue and an industry issue; these issues will only be compounded by the impending widespread adoption of connected devices, if security is not better baked into these devices.”
Why we can’t have nice things
Coincidentally, today Symantec announced that it currently secures more than 1 billion IoT devices — and plans to protect many more — by working directly with hardware and software manufacturers whose technologies power many popular smart gadgets. Early adopters of Symantec’s Embedded Critical Systems Protection include chipmaker Texas Instruments and Wincor Nixdorf, a German company that provides hardware and software for major retail chains and banks.
“With a lot of attacks, hackers are able to log into an IoT device anonymously and manipulate it however they want,” says Shankar Somasundaram, Symantec’s Senior Director of Internet of Things Security. “You can solve that problem by authenticating your identity and encrypting your communications. We’re talking with a lot of consumer device manufacturers and chip makers about how to embed this security at the device and chip level.”
Depending on the device and the manufacturer, it may take anywhere from six months to two years before more secure IoT gadgets are widely available, he estimates. In the meantime, protecting your smart devices means being a little smarter yourself, he says.
“Take basic precautions,” Somasundaram advises. “Make sure your Wi-Fi network is secured with WPA encryption and that your router is not using its default password. In the case of the smart fridge, be careful about what kind of information you put in your Google Calendar and what you sync it with. You don’t have to stop buying smart devices, you just have to be more careful about how you use them.”
Note: Article updated to correct information about the number of devices Symantec secures.
More stories about security: