If you happen to own the Samsung RF28HMELBSR, you have a reason to be concerned and probably shouldn’t take the device to your local Starbucks. Researchers from Pen Test Partners found the device didn’t validate SSL certificates, thus making it vulnerable to man-in-the-middle (MITM) attacks.
These kinds of vulnerabilities are worryingly common, and this one probably wouldn’t have made the news if it weren’t for the fact that the RF28HMELBSR is a smart refrigerator with an Internet connection used, among other things, to display entries from a Google Calendar account. (Fridge magnets are so last century, after all.)
Like anyone over the age of 25, I can be a bit of a Luddite when it comes to the Internet of Things: Do your fridge, your washing machine, and your light bulbs really need an Internet connection? Haven’t we been using such devices without any issues for decades? And aren’t we making our homes insecure by giving everything an Internet connection?
While understandable, I don’t think such responses are necessary – and they certainly aren’t helpful. The security community should aspire to be background noise within the world of IT, not to take a prominent position that decides what should and should not be done.
The Internet of Things is growing quickly and, unfortunately, such quick growth often means security becomes an afterthought – it was the same when the use of servers, desktops and smartphones was growing fast.
As security professionals, we should help the IoT industry where we can, from making security part of the design process to making sure systems can and will be patched.
But we shouldn’t tell such vendors those devices shouldn’t be connected to the Internet in the first place. Not only is that arrogant (just because we can’t think of a good reason to connect your fridge to the Internet, doesn’t mean there isn’t one), it also ignores the progress we have made as a security community.
True, the only 100% secure connection is no connection at all, and there may be some limited cases where this is necessary. But in most cases, the security we are able to deliver is good enough. Just like for most people, despite all the risks, their Internet connection and their smartphone work just fine.
Should you happen to stumble upon this blog post in 2025, there is a good chance you wonder how we ever lived in a world where most fridges weren’t connected to the Internet. Hopefully, you also laugh at the idea that we once thought we wouldn’t be able to properly secure such devices.
About the Author: Martijn Grooten is Editor of Virus Bulletin, for whom he organises VB2015, the 25th International Virus Bulletin conference in Prague, later this month. As with most security conferences these days, some of the 50 talks are dedicated to various aspects of IoT security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.