Oops: Samsung Fridge vulnerable to Man-in-the-Middle attack / Password Theft


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #1

Hopefully Samsung will take advantage of the security smarts at SmartThings and avoid this sort of snafu in future connected appliances…


Are you ready for this?
(Jason Mok) #2

The vulnerability applies using MiTM within the same network. To be fair, if outsiders can connect to your network, you have a bigger security problem.


(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #3

Unless you’re running your fridge on the Starbucks free WiFi hotspot… :wink:


(Jody) #4

I once saw a guy with a full sized record player and a typewriter at the coffee shop. If you really want to be a hipster, using your refrigerator to bang out your novel is the new hotness.


(Jason Mok) #5

$3600 for a fridge, affordable.
$30 for internet connection, let’s go stingy with that.
Priorities!


(Tim Slagle) #6

(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy) #7

Keep in mind, seriously, that a significant number of home network users (perhaps even a majority?) have absolutely no clue about security. Windows does offer a warning if you don’t use an encrypted WiFi, but to many folks this means just another damn password to deal with (often quickly forgotten or set to something trivial).

This means that secondary security walls (i.e., SSL certificate verification) are still quite important.

One advantage of ZigBee and Z-Wave is that their encryption and network binding security is entirely automatic and takes no extra effort. When you join a device to the ZigBee or Z-Wave network, no extra password is required. That’s what WPS was meant for on WiFi routers – and I’m sure you’re aware of the WPS vulnerabilities in older routers.


(Amauri Viguera) #8

I think a lot of manufacturers have gone a long way to try to account for the laziness and stupidity of most users, as difficult as that is. The days of admin/admin and blank passwords, WEP and open networks are all but forgotten, unless you happen to not have updated your setup in a while – which I admit, is still possible.

But nowadays every internet provider gives you a router preconfigured with a preshared key which is generally some portion of the MAC address, and the same people that are too lazy or inept to set a decent password are also too lazy to change the default, so it’s somewhat more secure.

Granted, you will still have the bored 12-year-old next door that will figure out the password, or sniff it out, or just write it down off the label when he comes to visit, but that’s another story.


(Jody) #9

Sounds like a plan.


(Patrick Stuart [@pstuart]) #10

Wait, you forgot about all the apartment dwellers stealing WiFi cause they are too cheap to pay for it themselves but buy a $4k refrig that can be brought into Starbucks.

Damn hipsters, get your own internet connection! (The new get off my lawn, old guy statement)