How Cyber Thieves Use Your Smart Fridge As Door to Your Data

In 1997, just over 36% of Americans owned a personal computer. Now, 24 years later, consumers face the choice of purchasing smart fridges, toasters, soap dispensers, coffee mugs, microwaves, televisions, speakers, washers, dryers, doorbells, and nearly everything in between.

Even the once modest exercise bike, now in the form of Peloton, holds the ability to connect with your phone, television, and Wi-Fi router. However, some experts in the cybersecurity field question whether these products should possess such capabilities.

Security software firm McAfee warned in a blog post last week that Peloton bikes were vulnerable to malware, allowing hackers the ability to install fake apps and steal personal information from users. For some, such an attack could be confined to personal fitness data. For others, such a breach could lead to identity fraud and even a takedown of one's employer.


"These smart devices come with everything turned on, everything enabled, and very little security," Tom Kellermann, a member of the U.S. Secret Service's Cyber Investigations Advisory Board and head of security strategy at cloud computing company VMware Carbon Black, told Newsweek. "That creates this phenomenon where you can be extorted, you can be stalked, you can be robbed, and your home network can be commandeered to attack your work network."

Any Wi-Fi network can fall to an attack, no matter how high-profile the victim. A network is only as strong as its weakest device. While Kellermann acknowledges that for the average American an attack may seem unlikely, for a hacker, anyone can become an ideal target, he said.

Hackers gain information, extract data, and expand the scope of their attacks through a strategy called "island hopping." In this technique, the malicious actor takes over one network, then uses the information from that network to tap into other networks. During this process, they operate from behind the victim's network, which conceals their own location and implicates the victim.

A smart fridge or smart coffeepot acts as the perfect site for the initial attack. Unlike an Apple device or Google account, the companies producing these devices often do not possess years of experience developing complex code wrapped in layers of industry-leading privacy protection technology. These systems operate as appliances first, providing digital technology second, sometimes running on generic operating systems.


Kellermann said these devices generally possess "minimal" security functionality and must be treated as rogue technology. He suggests protecting oneself by placing all of them on a single network designated specifically for smart devices.

Through this practice, known as "digital distancing," the individual can protect the more sensitive data stored on phones and laptops. But consumers should not stop there.

"Pedophiles and stalkers" can hack devices with video and audio-listening capabilities to become, as Kellermann puts it, "present" in the home. This hacking allows them to see and hear through devices across the home as they gain access through a weak device and hop around through the home network.

Amazon-owned Ring home security systems made national headlines when in late 2019 a video surfaced showing a man speaking to an eight-year-old girl through the Ring device in her room where he said things such as "I'm your best friend" and "mess up your room."

In a less visceral but nonetheless impactful development, an authentication bypass vulnerability was found in the chips of Wi-Fi routers made by MediaTek, Qualcomm, and Realtek that rendered networks hosted by the devices vulnerable to attack.

"I personally don't use any smart devices with the exception of my phone," Kellermann said, "and I toggle down when Siri can activate."

While Kellermann may avoid the risk of a smart appliance security breach by avoiding the products altogether, for many the convenience and practicality of a smart product outweigh the odds of a potential breach.

Mark Ostrowski, head of engineering for the U.S. East Coast at Check Point Software, a global cybersecurity company, told Newsweek that when deciding on what products to use, consumers must assess each smart product and the potential implications of a breach on a case-by-case basis.


Take Amazon's latest product Sidewalk, for example.

Ostrowski said the cybersecurity community reacted "strongly" when news of the product broke. While the device does not require users to share their Wi-Fi password with neighbors, it connects individual nearby networks by meshing them together, allowing smart devices to draw on stronger signals from one's neighbor. In some instances, this can prove to be a major convenience, like when one's smart collar-wearing dog escapes the yard.

"That's like one of the first cases where I could say, 'that's happened to me,'" Ostrowski told Newsweek. "Wouldn't it be great for (a smart device) to let me know where Cooper is?"

However, the implications of Sidewalk extend beyond single instances of practicality, and Ostrowski has concerns.

"If the Sidewalk network of Amazon gets taken over or some people infiltrate it, now they have access to your Alexa devices, and the Alexa devices have your credit card information," he said. "Think about that rolling sort of thing."

Even with products like Sidewalk or Ring being created by a trillion-dollar tech company like Amazon, the risk of a cybersecurity breach remains a reality. Cyberattacks on public and private targets in the U.S. occur every 39 seconds, and cybercriminals rake in an estimated $1.5 trillion annually through their attacks.

The potential for an everyday appliance to fall victim to an attack remains an equal or even greater reality as the American cybersecurity industry continues to face talent shortages with some 359,000 American jobs remaining unfilled.

Staying ahead of a potential cyberthreat requires consumers to be active in taking steps toward prevention. Along with digital distancing, Ostrowski urges users to download the latest updates for their devices as soon as they come out. These updates often address weak spots in the code and keep users ahead of potential hacks.

"The American cybersecurity industry continues to face talent shortages with some 359,000 American jobs remaining unfilled." Here, a cyber warfare operations officer watches members of the 175th Cyberspace Operations Group analyze log files and provide a cyber threat update at Warfield Air National Guard Base, Middle River, Maryland, June 3, 2017. J.M. Eddins Jr./Airman Magazine/U.S. Air Force

Beyond the basic anti-virus software, two-factor authentication, and pop-up browsers, Ostrowski suggests consumers download anti-ransomware software that protects against hackers holding a user's private data for ransom. He also suggests downloading anti-phishing software that wards off nefarious emails and messages that entice users to share their private information.

Kellermann suggests when creating passwords that consumers enter entire sentences, beyond simple words and phrases. He also said households should have only one administrative user with full control over the settings of devices in the home.

To avoid potential extortion through data ransom, Kellermann urges consumers to keep smart devices out of their bedrooms and bathrooms, especially those with camera and audio capabilities.

"People just think this is science fiction, that it's too hard to do, and why would anyone want to do that?" Kellermann told Newsweek. "This isn't science fiction, and it's not hard to do."

And cyber thieves are increasingly targeting individuals in their homes, he said.

"Most criminals of the world have moved online in some way," Kellermann said.
"Ransomware attacks in the future will be attacks that ransom homes, where homes will be crippled, and none of your smart devices and things will work until you pay ransom. That's coming and has already happened in a couple situations."