Oops: Samsung Fridge vulnerable to Man-in-the-Middle attack / Password Theft

tgauchat · 2015-08-28 17:36:57 UTC

Hopefully Samsung will take advantage of the security smarts at SmartThings and avoid this sort of snafu in future connected appliances…

copyninja · 2015-08-28 18:40:50 UTC

The vulnerability applies using MiTM within the same network. To be fair, if outsiders can connect to your network, you have a bigger security problem.

tgauchat · 2015-08-28 18:45:58 UTC

Unless you’re running your fridge on the Starbucks free WiFi hotspot…

jody.albritton · 2015-08-28 19:06:12 UTC

I once saw a guy with a full sized record player and a typewriter at the coffee shop. If you really want to be a hipster, using your refrigerator to bang out your novel is the new hotness.

copyninja · 2015-08-28 19:08:51 UTC

$3600 for a fridge, affordable.
$30 for internet connection, let’s go stingy with that.
Priorities!

slagle · 2015-08-29 03:23:06 UTC

tgauchat · 2015-08-29 03:31:48 UTC

Keep in mind, seriously, that a significant number of home network users (perhaps even a majority?) have absolutely no clue about security. Windows does offer a warning if you don’t use an encrypted WiFi, but to many folks this means just another damn password to deal with (often quickly forgotten or set to something trivial).

This means that secondary security walls (i.e., SSL certificate verification) are still quite important.

One advantage of ZigBee and Z-Wave is that their encryption and network binding security is entirely automatic and takes no extra effort. When you join a device to the ZigBee or Z-Wave, no extra password is required. That’s what WPS was meant for on WiFi routers – and I’m sure you’re aware of the WPS vulnerabilities in older routers.

viguera · 2015-08-29 03:55:57 UTC

I think a lot of manufacturers have gone a long way to try to account for the laziness and stupidity of most users, as difficult as that is. The days of admin/admin and blank passwords, WEP and open networks are all but forgotten, unless you happen to not have updated your setup in a while – which I admit, is still possible.

But nowadays every internet provider gives you a router preconfigured with a preshared key which is generally some portion of the MAC address, and the same people that are too lazy or inept to set a decent password are also too lazy to change the default, so it’s somewhat more secure.

Granted, you will still have the bored 12 year old next door that will figure out the password, or sniff it out, or just write it down off the label when he comes to visit, but that’s another story.

jody.albritton · 2015-08-29 04:58:50 UTC

Sounds like a plan.

pstuart · 2015-08-29 14:14:36 UTC

Wait you forgot about all the apartment dwellers stealing WiFi cause they are too cheap to pay for it themeselv but buy a $4k refrig that can be brought into Starbucks.

Damn hipsters, get your own internet connection! (The new get off my lawn, old guy statement)