The Extensive Data Collection of Your Smart Fridge

An investigation into the data collected by a Samsung refrigerator has provided insight into just how much data these IoT devices can contain. From Bluetooth devices to smart user accounts, a surprisingly large number of details are stored, many of which can lie unseen until an investigation starts. Police use of this data is starting to grow, and it's becoming an increasingly important part of crime scene evidence.

Do you know how many internet-connected devices there are inside your home? I certainly don’t. These days, it could be almost anything: a thermostat, a TV, a lightbulb, an air conditioner, or a refrigerator. But what I do know, thanks to some of the conversations I’ve had over the past few weeks, is just how much data they’re producing, and how many people can access that data if they want to. Hint: it’s a lot.

IoT forensics is relatively new and has not been used much in law enforcement yet.

I’ve been speaking to people who work in a field called IoT forensics, which is essentially about snooping around these devices to find data and, ultimately, clues. Although law enforcement bodies and courts in the US don’t often explicitly refer to data from IoT devices, those devices are becoming an increasingly important part of building cases. That’s because, when they’re present at a crime scene, they hold secrets that might be invisible to the naked eye. Secrets like when someone switched a light off, brewed a pot of coffee, or turned on a TV can be pivotal in an investigation.

The Samsung refrigerator used in Mattia Epifani's forensic study was a family-sized side-by-side model.

Mattia Epifani is one such person. He doesn’t call himself a hacker, but he is someone the police turn to when they need help investigating whether data can be extracted from an item. He’s a digital forensic analyst and instructor at the SANS Institute, and he’s worked with lawyers, police, and private clients around the world. Smartphones and computers are the most common sorts of devices police seize to assist an investigation, but Epifani says evidence of a crime can come from all sorts of places: "It can be a location. It can be a message. It can be a picture. It can be anything. Maybe it can also be the heart rate of a user or how many steps the user took. And all these things are basically stored on electronic devices."

The camera inside the fridge was found to have taken pictures of the drinks and groceries stored inside.

Take, for example, a Samsung refrigerator. Epifani used data from VTO Labs, a digital forensics lab in the US, to investigate just how much information a smart fridge keeps about its owners.

VTO Labs reverse-engineered the data storage system of a Samsung fridge after it had primed the appliance with test data, extracted that data, and posted a copy of its databases publicly on its website for use by researchers. Steve Watson, the lab’s CEO, explained that this involves finding all the places where the fridge could store data, both within the unit itself and outside it, in apps or cloud storage. Once they’d done that, Epifani got to work analyzing and organizing the data and gaining access to the files.

The refrigerator was able to store communication logs, Wi-Fi network information, temperature, and energy usage data.

What he found was a treasure trove of personal details. Epifani found information about Bluetooth devices near the fridge, Samsung user account details like email addresses and home Wi-Fi networks, temperature and geolocation data, and hourly statistics on energy usage. The fridge stored data about when a user was playing music through an iHeartRadio app. Epifani could even access photos of the Diet Coke and Snapple on the fridge’s shelves, thanks to the small camera that’s embedded inside it. What’s more, he found that the fridge could hold much more data if a user connected the fridge to other Samsung devices through a centralized personal or shared family account.

Data from IoT devices is slowly starting to be used as evidence in court cases.

None of this is necessarily secret or undisclosed to people when they buy this model of refrigerator, but I certainly wouldn’t have expected that if I were under investigation, a police officer could access the data from my fridge.

