This post on Boing Boing brought to my attention the Pen Test Partners article describing how they hacked a Samsung fridge by using a man-in-the-middle attack to exploit a vulnerability where the fridge wasn’t correctly validating SSL certificates. Basically, by presenting a fake certificate you can convince the fridge that an arbitrary system is actually Google’s servers – at which point the fridge will send any stored Google account credentials it has to the fake server, allowing them to be logged for reuse.
While the actual model of fridge tested is not for sale in the UK, it is available in North America and this vulnerability may not have been patched (no update has been posted on Boing Boing or on Pen Test Partners).
I’m all in favour of a super-connected life, but I also like my connections to be reasonably secure. This is a good reminder of why. You can’t take for granted that the technology in your home is only talking to the people you want it to talk to, and if you let your machines tell your secrets to other people’s machines you’re going to have a bad time.