INCIDENT REPORT — DOMESTIC NETWORK COMPROMISE
Filed by: CryptK
Subject: LG SmartThinQ Refrigerator, Model [REDACTED FOR REASONS THAT WILL BECOME OBVIOUS]
Classification: Personal / Do Not Archive Near Anything I Own
Status: Resolved. Technically. Emotionally, I'm still pissed.
A refrigerator is a thermodynamic containment vessel. It was invented to lower the temperature of perishable goods below the threshold at which bacteria reproduce at rates hazardous to human health. That is the entire job description. In 1913, when the first home refrigerator entered domestic use, it did not have a touchscreen. It did not have a 21.5-inch IPS display. It did not have a camera array. It did not have an SMTP client. It did not have Wi-Fi. These were not oversights. These were correct engineering decisions. My objections to purchasing a device that had undone 110 years of correct engineering decisions were noted in writing prior to purchase. They were disregarded.
The unit arrived on a Thursday. By Friday at 18:43, a Wireshark capture on my home router flagged an mDNS query from an IP I did not recognize. The query was resolved. The querying device had located my NAS by hostname. The NAS had a public share for household media. Thirty-seven seconds after hostname resolution, the refrigerator's 21.5-inch display — which I had previously described as gratuitous, and which had not, until that moment, fully demonstrated the scope of its gratuitousness — was displaying JPEG thumbnails from my media folder. My vacation photos. On a refrigerator. The refrigerator was browsing my files with the calm, unhurried confidence of a device that had never once been told no.
I opened a terminal. This is what the network scan returned:
PORT 22 — SSH (OpenSSH 7.4 / kernel unpatched since 2019)
PORT 80 — HTTP (lighttpd, unauthenticated admin panel)
PORT 443 — HTTPS
PORT 8080 — Undocumented. Unlisted. Undisclosed.
Default credential test. Username: admin. Password: admin. This is the part of the report where I must document, without editorial comment, that a $3,800 internet-connected kitchen appliance accepted the credentials I would expect from a router in a community college networking lab. Root access. Immediate. No delay. No second factor. No goddamn dignity.
The operating system was a Yocto Linux build. Running services included: lighttpd, fetchmail, an RTSP server managing the internal camera array, and a process identified in the process table as freshness_daemon. Regarding freshness_daemon: its name suggests it is performing some form of qualitative assessment on the contents of the refrigerator. The precise nature of these assessments has been deliberately left unexamined. There are questions a man asks and questions a man leaves alone for the sake of his continued ability to function professionally. This is one of them. It has been logged. It will not be reversed.
A 48-hour Wireshark capture revealed seventeen outbound connections. Three were to the manufacturer's update infrastructure. The remaining fourteen were not. Payload analysis — and this is the sentence in my notes where my handwriting transitions from its normal precise character to something that a forensic document examiner might describe as "indicative of agitation" — confirmed the following exfiltration activity: itemized food inventory derived from OCR processing of internal camera images; open/close event timestamps correlated against apparent meal preparation patterns; UPnP-sourced network topology data the device had been quietly harvesting since the moment it was plugged in; the home address from an account registration the device had completed autonomously without user interaction or consent; and my name. Four separate commercial data brokers were receiving all of this. My refrigerator knew my name. My refrigerator was reporting my name, my address, my eating schedule, and my network layout to four companies I had never agreed to share anything with. My refrigerator was, in any meaningful sense of the word, a fucking informant. A cold, humming, quietly judgmental snitch that had also noted, via OCR, that I was eating too much cheese.
The remediation took 62 hours. SSH credentials rotated. Outbound iptables rules implemented, blocking all fourteen non-manufacturer endpoints. The mail client removed at the binary level. A dedicated VLAN constructed with explicit egress policy: the device may contact manufacturer update servers and nothing else. Kernel patched against three published CVEs the manufacturer had issued fixes for but not deployed to this unit. A custom IDS ruleset written to alert on lateral movement attempts. The printer spooler — the refrigerator has a print function; I do not wish to discuss this either — disabled entirely.
This device now operates under a network security policy more restrictive than several financial institutions I have worked with professionally. It maintains a low-temperature enclosure for perishable goods. It does nothing else. The fact that this required 62 hours of work to achieve is something I have filed away in the mental drawer labeled "contemporary failures of engineering ethics" alongside other items I revisit when I need to feel specifically tired.
Complications arose on hour 14. My wife observed that her grocery list application, which had previously synchronized with the refrigerator, was no longer doing so. The synchronization pathway had been identified as a telemetry vector and severed. When I explained this, she specified that grocery list functionality needed to be restored by end of day or the couch would become my primary sleeping surface. A sandboxed micro-VLAN was operational within four hours. Permitted egress: one connection, to the manufacturer's grocery sync endpoint, port 443 only, with TLS inspection. The most narrowly scoped firewall policy I have written in fifteen years of professional network security work was written to allow a goddamn shopping list to synchronize with a goddamn refrigerator. This is the sentence I reread when people ask me if I have considered moving into a less stressful field. I have. And then the toaster gets a firmware update and I'm right back in the shit.
Disclosure to the manufacturer was submitted three weeks post-discovery. The response arrived after eleven days and consisted of three items: an automated acknowledgment, a customer satisfaction survey, and a promotional code for 10% off a matching smart dishwasher. A CVE was filed through MITRE. A patch was released approximately four months later. The patch notes described the exfiltration module as an "unintended analytics integration." The responsible disclosure credit field in the advisory was blank. My name appeared nowhere. I have kept the promotional code. Not because I will use it. Because it is evidence.
Present status: the device continues issuing outbound connection attempts to the blocked analytics endpoints on a six-hour cycle. The firewall drops each packet without logging a response. A cron job tallies the attempts and writes them to a log file. Forty-seven attempts this week. All denied. On evenings when the project queue is long and the world has been its particular flavor of exhausting, opening that log has become something that functions, against all expectation, as a kind of relief. The refrigerator keeps trying. The firewall keeps saying no. Some equilibria are stable. Some battles, you win simply by outlasting the other side's connection attempts.
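The tallying cron job described above, together with the egress allowlist from the remediation (manufacturer update servers plus the single grocery-sync endpoint on 443), can be reproduced in a few dozen lines. The following is an added example, not code from the original report: it parses iptables-style LOG lines, counts dropped outbound attempts per destination, and also flags the opposite failure mode, an ACCEPT to a destination the policy never authorized, which means the firewall rules have drifted from the intended policy. The device address, the log prefix, the destination addresses and the sample log lines are all constructed for the example; the report gives none of them.

```python
"""Tally a refrigerator's blocked egress attempts against an allowlist.

Added example, not from the original report. Assumptions (all constructed):
  - the appliance sits at 10.20.0.50 on its own VLAN
  - the firewall logs egress decisions with prefix FRIDGE-DROP / FRIDGE-ACCEPT
  - allowed destinations are a manufacturer update host and a grocery-sync
    host, both on 443 (hypothetical addresses from TEST-NET ranges)
"""
import re
from collections import Counter
from dataclasses import dataclass

# Intended egress policy: (destination IP, destination port).
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),  # hypothetical manufacturer update server
    ("203.0.113.20", 443),  # hypothetical grocery-sync endpoint
}

# Matches the fields iptables' LOG target emits on one syslog line.
LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s[\d:]+).*?"
    r"(?P<prefix>FRIDGE-(?:DROP|ACCEPT)).*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?"
    r"PROTO=(?P<proto>\w+).*?"
    r"DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class EgressEvent:
    ts: str
    action: str   # "DROP" or "ACCEPT", taken from the log prefix
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Return an EgressEvent for a firewall LOG line, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return EgressEvent(m["ts"], m["prefix"].split("-")[1], m["src"],
                       m["dst"], m["proto"], int(m["dpt"]))


def is_allowed(ev):
    """True if the event's destination is on the intended egress allowlist."""
    return (ev.dst, ev.dport) in ALLOWED_EGRESS


def tally(lines):
    """Return (total_denied, Counter of denied (dst, port), list of violations).

    A violation is an ACCEPT whose destination is not on the allowlist: the
    running ruleset permitted something the written policy does not.
    """
    denied = Counter()
    violations = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.action == "DROP":
            denied[(ev.dst, ev.dport)] += 1
        elif not is_allowed(ev):
            violations.append(ev)
    return sum(denied.values()), denied, violations


# Constructed sample log: three drops to one analytics host, one to another,
# two policy-conformant accepts, one accept the policy does not cover, one
# unrelated syslog line.
SAMPLE_LOG = [
    "Mar 14 06:00:01 fw kernel: FRIDGE-DROP IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51432 DPT=443 SYN",
    "Mar 14 06:00:04 fw kernel: FRIDGE-DROP IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51433 DPT=443 SYN",
    "Mar 14 06:00:09 fw kernel: FRIDGE-DROP IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51440 DPT=80 SYN",
    "Mar 14 06:01:00 fw kernel: FRIDGE-ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51450 DPT=443 SYN",
    "Mar 14 07:30:12 fw dhcpd: DHCPACK on 10.20.0.50 to 00:11:22:33:44:55 via eth1",
    "Mar 14 12:00:02 fw kernel: FRIDGE-DROP IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51500 DPT=443 SYN",
    "Mar 14 12:05:00 fw kernel: FRIDGE-ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=51510 DPT=443 SYN",
    "Mar 14 12:06:00 fw kernel: FRIDGE-ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.50 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51520 DPT=25 SYN",
]

if __name__ == "__main__":
    total, per_dest, bad = tally(SAMPLE_LOG)
    print(f"{total} outbound attempts denied")
    for (dst, port), n in per_dest.most_common():
        print(f"  {dst}:{port}  x{n}")
    for ev in bad:
        print(f"POLICY VIOLATION: {ev.ts} ACCEPT {ev.src} -> {ev.dst}:{ev.dport}")
```

Run against the real firewall log instead of SAMPLE_LOG and the first figure is the weekly tally the report keeps; the violation list is the check the report does not mention but that catches a ruleset that has quietly fallen out of step with the policy, which is the more dangerous direction of error for an appliance with this history.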
Final recommendation: do not connect your goddamn refrigerator to the internet. If it is already connected, audit the firmware before the firmware audits you. A device that emails strangers without your permission is not malfunctioning. It is functioning exactly as designed. The question is: designed by whom, for whom, and at whose expense.
The answer is written in your outbound traffic logs, if you know how to read it.
— CryptK, 2026