Your Watch Can Watch You! Gear Up for the Broken Privilege Pitfalls in the Samsung Gear Smartwatch

DEF CON 26

Presented by: Hyoung-Kee Choi, Dongsung Kim
Date: Sunday August 12, 2018
Time: 14:00 - 14:45
Location: Track 1

You buy a brand-new smartwatch. You receive emails and send messages, right on your wrist. How convenient, this mighty power! But great power always comes with great responsibility. Smartwatches hold precious information just like smartphones, so do they actually fulfill their responsibilities?

In this talk, we will investigate if the Samsung Gear smartwatch series properly screens unauthorized access to user information. More specifically, we will focus on a communication channel between applications and system services, and how each internal Tizen OS components play the parts in access control.

Based on the analysis, we have developed a new simple tool to discover privilege violations in Tizen-based products. We will present an analysis on the Gear smartwatch which turns out to include a number of vulnerabilities in system services.

We will disclose several previously unknown exploits in this presentation. They enable an unprivileged application to take over the wireless services, the user’s email account, and more. Further discussions will center on the distribution of those exploits through a registered application in the market, and the causes of the vulnerabilities in detail.

Dongsung Kim

Dongsung Kim is a graduate student at Sungkyunkwan University, South Korea. After developing software as a profession for several years, his interests have shifted to Internet security. He participated in bug bounty programs like Jet, The New York Times, United Airlines, and at his own university. His research interests span from reverse engineering to web security. @kid1ng

Hyoung-Kee Choi

Prof. Hyoung-Kee Choi received his Ph.D. in electrical and computer engineering from Georgia Institute of Technology in 2001. He is a professor at Sungkyunkwan University, South Korea. He joined Lancope in 2001 until his leave in 2004, where he guided and contributed to research in Internet security. His research interests span network security and vulnerability assessment.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats