Smart Fridge. Dumb idea?

This years DEF CON IoT Village fun-fest included a brand new smart fridge. It was the Samsung RF22K9581SG/AA as announced at CES in Spring 2016, a 42 inch screen on the door, for the princely sum of $6,000.

Having gained a reputation for hacking smart fridges we thought that we should have a go at this one.

There’s some more detail of the mobile app integration on the Samsung family hub web site here http://www.samsung.com/us/explore/family-hub-refrigerator/.

I’m not going to make any comment about WHY one needs a smart fridge. Speaking for myself, everything I need relating to the internet and food is on the phone in my pocket or on my tablet on the kitchen surface.

One nice feature was the ability to see inside the fridge remotely from ones phone. You can also see what’s inside the fridge from the screen on the door. Mmmm, what a waste of time. I’ll just open the door, thanks.

Anyway, hacking the fridge:

Unlike the earlier fridge it runs Tizen. There is a USB port at the top of the door for uploading content to.

Further, there is a mobile app, although the SSL certs are pinned in this version. SAMSUNG LEARNED SOMETHING, w00t!

First, the USB port. We tried hard using this vector, rogue images & files, content, everything we could think of but nothing worked

Working on the embedded browser, we tried iKat extensively too but that damn fridge validated everything.

Next, rogue apps: annoyingly the bandwidth at DEF CON was struggling somewhat and we couldn’t successfully download the Tizen SDK, so we drew a blank there.

The most likely route to success would be popping the case and finding JTAG or other I/O behind the screen. Unfortunately the organisers of the IoT Village had the fridge on sale or return, so returning it as a pile of bits (like most of our IoT reversing projects) would not have been acceptable. We had a go at carefully prizing off panels, but the risk of damage was simply too great.

Finally, we started playing around with the already installed apps. This was where we found a couple of minor issues.

First, the on board shopping app had a username enumeration flaw and the password policy was also a bit rubbish:

Reversing the mobile app may yet prove interesting. There’s also potential around the process of ‘inviting’ an app user to connect to the fridge.

The one time key used to pair a phone to the fridge might be brute force-able, as it’s fairly short:

Conclusion

This is clearly unfinished work, but without a fridge to play with, we’re a bit stuck.

We could stump up the $6k, but these refrigerators aren’t available in the UK yet.

Congratulations to Samsung for paying attention and actually pinning their certs though.

Maybe next year.

As an aside, here’s an image from Twitter from someone who found one of these fridges on display in a retail outlet being used for an unpleasant purpose: Displaying filth!