Your Watch Can Watch You! Gear Up for the Broken Privilege Pitfalls in the Samsung Gear Smartwatch

Video thumbnail (Frame 0) Video thumbnail (Frame 1586) Video thumbnail (Frame 6539) Video thumbnail (Frame 10072) Video thumbnail (Frame 12350) Video thumbnail (Frame 13550) Video thumbnail (Frame 15327) Video thumbnail (Frame 17317) Video thumbnail (Frame 21421) Video thumbnail (Frame 23346) Video thumbnail (Frame 26112) Video thumbnail (Frame 27442) Video thumbnail (Frame 28493) Video thumbnail (Frame 30887) Video thumbnail (Frame 32993) Video thumbnail (Frame 36225) Video thumbnail (Frame 38455) Video thumbnail (Frame 40233) Video thumbnail (Frame 40942) Video thumbnail (Frame 42083) Video thumbnail (Frame 42862) Video thumbnail (Frame 44253) Video thumbnail (Frame 45074) Video thumbnail (Frame 45787) Video thumbnail (Frame 47627) Video thumbnail (Frame 48586) Video thumbnail (Frame 50453) Video thumbnail (Frame 51698) Video thumbnail (Frame 54627)
Video in TIB AV-Portal: Your Watch Can Watch You! Gear Up for the Broken Privilege Pitfalls in the Samsung Gear Smartwatch

Formal Metadata

Your Watch Can Watch You! Gear Up for the Broken Privilege Pitfalls in the Samsung Gear Smartwatch
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
You buy a brand-new smartwatch. You receive emails and send messages, right on your wrist. How convenient, this mighty power! But great power always comes with great responsibility. Smartwatches hold precious information just like smartphones, so do they actually fulfill their responsibilities? In this talk, we will investigate if the Samsung Gear smartwatch series properly screens unauthorized access to user information. More specifically, we will focus on a communication channel between applications and system services, and how each internal Tizen OS components play the parts in access control. Based on the analysis, we have developed a new simple tool to discover privilege violations in Tizen-based products. We will present an analysis on the Gear smartwatch which turns out to include a number of vulnerabilities in system services. We will disclose several previously unknown exploits in this presentation. They enable an unprivileged application to take over the wireless services, the user’s email account, and more. Further discussions will center on the distribution of those exploits through a registered application in the market, and the causes of the vulnerabilities in detail.
CAN bus Default (computer science) Gradient Multiplication sign Universe (mathematics) Information security Akkumulator <Informatik>
Demon Email Topological vector space Android (robot) Sensitivity analysis System call Code Multiplication sign Source code Sheaf (mathematics) Client (computing) Mereology Proper map Fitness function Sign (mathematics) Hypermedia Object (grammar) Videoconferencing Smartphone Software framework Information Series (mathematics) Extension (kinesiology) Information security Error message Vulnerability (computing) Physical system Source code Service (economics) Email Touchscreen Smart Device Trail Closed set Software developer Fitness function Product (business) Type theory Internetworking Smartphone Right angle Authorization Energy level Quicksort Information security Firmware Slide rule Server (computing) Mobile app Game controller Service (economics) Open source Computer file Connectivity (graph theory) Plastikkarte Focus (optics) Discrete element method Value-added network Product (business) Revision control Latent heat Internetworking String (computer science) Utility software Metropolitan area network Installation art Mobile app Demon Information Kälteerzeugung Code Plastikkarte Computer network Database Directory service Cartesian coordinate system Component-based software engineering Uniform resource locator Error message Web service Object (grammar)
Axiom of choice Logical constant Context awareness Database Client (computing) Data management Mechanism design Web service Kernel (computing) File system Process (computing) System identification Information security Physical system Curve Sampling (statistics) Bit Virtualization Funktionalanalysis Control flow Digital-to-analog converter Mechanism design Type theory Data management Message passing Oval Configuration space Right angle Information security Physical system Spacetime Ocean current Mobile app Service (economics) Computer file Rule of inference Value-added network Interprozesskommunikation 2 (number) Zugriffskontrolle Revision control Latent heat Uniqueness quantification Spacetime Message passing Rule of inference Context awareness Complex analysis Demon Tesselation Client (computing) Database Cartesian coordinate system Interprozesskommunikation System call Kernel (computing) Web service Function (mathematics) Statement (computer science) Object (grammar)
Demon Computer file Connectivity (graph theory) Computer-generated imagery Flash memory Client (computing) Interprozesskommunikation Attribute grammar Element (mathematics) Zugriffskontrolle Web service Uniformer Raum Computer configuration Bus (computing) Uniqueness quantification Process (computing) Message passing Context awareness Demon Validity (statistics) Interface (computing) Uniqueness quantification Client (computing) Element (mathematics) Message passing Process (computing) Personal digital assistant Web service Function (mathematics) Interface (computing) Statement (computer science) Configuration space Object (grammar) Physical system Task (computing)
Demon Code Logarithm Multiplication sign Sheaf (mathematics) Client (computing) Proper map Mathematics Web service Malware Blog Semiconductor memory Process (computing) Error message Library (computing) Software developer Point (geometry) Principal ideal domain Funktionalanalysis Measurement Message passing Process (computing) Chain Interface (computing) Right angle Hacker (term) Physical system Resultant Point (geometry) Server (computing) Mobile app Proxy server Diskreter Logarithmus Principal ideal domain Patch (Unix) Vector potential Value-added network 2 (number) Chain String (computer science) Computer hardware Gastropod shell Reverse engineering Message passing Context awareness Rule of inference Demon Graph (mathematics) Demo (music) Inheritance (object-oriented programming) Physical law Ultraviolet photoelectron spectroscopy Cartesian coordinate system System call Uniform resource locator Error message Logic Web service String (computer science) Statement (computer science) Library (computing) Gradient descent
Scripting language Run time (program lifecycle phase) File system 1 (number) Parameter (computer programming) Medical imaging Web service Roundness (object) Formal verification Bus (computing) Process (computing) Category of being Error message Exception handling Physical system Service (economics) Electronic mailing list Shared memory Parameter (computer programming) Category of being Process (computing) Configuration space Ideal (ethics) Data structure Physical system Electric current Firmware Server (computing) Service (economics) Computer file Mathematical analysis Value-added network Uniqueness quantification Software testing Data structure Message passing Validity (statistics) Run time (program lifecycle phase) Interface (computing) Mathematical analysis Hausdorff space Error message Personal digital assistant Function (mathematics) Large eddy simulation String (computer science) Web service Formal verification Gastropod shell Object (grammar) Oracle
Standard deviation Random number System call Service (economics) File format Parsing Parameter (computer programming) Mereology Value-added network Web service Latent heat Object (grammar) String (computer science) Logic Utility software Data structure Category of being Error message Physical system Form (programming) Default (computer science) Service (economics) Parsing Dependent and independent variables Standard deviation Demo (music) Interface (computing) Parameter (computer programming) Flow separation Compiler Message passing Process (computing) Error message Logic Web service String (computer science) Interface (computing) Right angle Object (grammar) Routing Data structure
Point (geometry) Email Default (computer science) Touchscreen Email Service (economics) Touchscreen Interface (computing) Bit Letterpress printing Mereology Performance appraisal Web service Rootkit Interface (computing) Bus (computing) Right angle Error message Position operator Physical system Default (computer science)
Asynchronous Transfer Mode Service (economics) Connectivity (graph theory) Multiplication sign Programmable read-only memory Source code 1 (number) Port scanner Graph coloring Value-added network Subset Product (business) Medical imaging Malware Smartphone Information Implementation output Physical system Personal identification number Beer stein Demon Theory of relativity Trail Inheritance (object-oriented programming) Interface (computing) Forcing (mathematics) Open source Computer network Database Total S.A. Category of being Type theory Uniform resource locator Malware Software Radio-frequency identification Right angle Smartphone Freeware Electric current Force Asynchronous Transfer Mode
Demon Axiom of choice Digital filter Link (knot theory) Computer file Counting Stack (abstract data type) Value-added network Malware Core dump Utility software Information Link (knot theory) Axiom of choice Touchscreen Inheritance (object-oriented programming) Information Key (cryptography) Computer file Projective plane Core dump Data management Network socket Revision control Utility software Table (information) Window Force
Email Email Mobile app Touchscreen Theory of relativity Tap (transformer) Cartesian coordinate system Transmitter Web service Data management Message passing Malware Personal digital assistant Smartphone Message passing Resultant Address space Address space
Email Email System call Matching (graph theory) Demo (music) Code Demo (music) Internet service provider Proper map Web service String (computer science) Web service String (computer science) Right angle Information security Error message
Transmitter Malware Malware Right angle Group action Content (media) Cartesian coordinate system
Email Malware Malware Code Connectivity (graph theory) Core dump Bit
Email Touchscreen Serial port Email Link (knot theory) Touchscreen Link (knot theory) Computer file Code Decimal Connectivity (graph theory) Computer-generated imagery Core dump Mereology Medical imaging Malware Malware String (computer science) Connectivity (graph theory) Process (computing) Information Window
Parsing Greatest element Link (knot theory) Link (knot theory) Demo (music) Key (cryptography) Computer file Field (computer science) Mereology Message passing Web service Password Object (grammar) Berner Fachhochschule / Technik und Informatik Message passing Data structure
Demon Mobile app Server (computing) Service (economics) Computer file Distribution (mathematics) Multiplication sign .NET Framework Client (computing) Value-added network Element (mathematics) Wiki Duality (mathematics) Web service Malware Internetworking Hierarchy String (computer science) Personal digital assistant Formal verification Bus (computing) Diagram Context awareness Mobile app Demon Server (computing) Data storage device Client (computing) Computer network Cartesian coordinate system Proof theory Process (computing) Malware Internetworking Personal digital assistant Configuration space Computer music Right angle Middleware Physical system Sinc function
Email Mobile app Service (economics) Open source Dependent and independent variables Patch (Unix) Mobile Web Dreizehn Client (computing) 10 (number) Value-added network Web service Object (grammar) Repository (publishing) Traffic reporting Error message Physical system Service (economics) Email Distribution (mathematics) Touchscreen Demo (music) Patch (Unix) Kälteerzeugung Data storage device Vector potential Explosion Process (computing) Object (grammar) Information security Oracle
right yeah let's welcome Kim his first time Def Con welcome hello let's hear it [Applause] okay good afternoon thank you for coming to the session I'm very excited to talk you talk to you about our research you're watching watch you have broken privileged people default in the Samsung gear SmartWatch before we begin let me introduce us my name is hong kong kim and we are security research lab called a chai tea from tommy-boy University from South Korea if you have any questions or comments the other one please feel free to contact so yeah first and foremost let's start with why we did this research and the motivation behind as you may well know the beer
series includes samsung's Smart Watch products but apparently a few days ago they changed the name to the Galaxy watch so for now just let's just pretend that didn't happen they are advertised to as offering many useful features including like tracking fitness or receiving your clients calls tax emails and even paying for stuff using your NFC well typically you pair it with your smartphone and via Bluetooth and it comes with Wi-Fi or even LTE Samsung also operates an app marketplace for the gear within Samsung Galaxy apps where anyone can just develop for the watch using the SDKs to achieve all this we share our highly sensitive information with the watch your contact their calendar of your locations emails notifications is more all come from your smart our vice versa and access to such privileged resources must be permitted based on proper access rights so the former for gear SmartWatch consists of two parts so one is the wearable version of Tizen OS open source components and the other is Samsung's close source components built on top of vanilla Tizen so Tizen probably was a little know he's the new face to open source OS developed by Samsung since the OS was envisioned to serve all kinds of devices it has been shipped with many thousands products including your watches including your smartphones probably TVs cameras and even refrigerators previously many researchers actually took a look at Tyson C 2015 Abraham we revealed many problems with Tyson at a time in 2017 man just closed for a zero-day vulnerabilities and which made some media splashes people yes video of analyze portion of the Tyson open source code base so so they claimed there would be more over 20,000 of code errors but this research servers around the Tizen as a OS however we decided to take a look at the gear as a SmartWatch where the smart things actually happened as an extension to your smartphone so that was the motivation so we need to get right into the internals of Tyson's security concepts in this section we will highlight Tizen version 3 in the latest version publicly shipped with a gear SmartWatch products the first cost of this object obviously
so since Kaizen is based on Linux there are typical stuff like files and directories and soft kiss and utilities but in this talk however we're going to focus on two types applications and services so applications use Tizen public or private API to access the sub systems including framework and services and services are special special privilege demons each dedicated to a specific resource like Wi-Fi or Bluetooth and GPS and messaging sensors etcetera these resources are by nature sensitive so some sort of control should be in place to reject unauthorized access so Tyson achieved is by introducing the privilege services must validate if the calling app has this proper wants so similar to Android app developer type in privileged strings in the manifest file for example the right side of the slide you can see the manifest file and there's there are there are some privileges like HTTP Tizen or RG privilege internet or alarm except these are the privilege the app market or Samsung signs the TPK application package and sells it honest elation user accepts permissions on the screen and then the Installer checks and registered the policy in the database and finally after the runtime access is controlled by the policies well Tizen devices many privileges internet Bluetooth Network set or more however only seldom are public to app developers there are also partner and platformed about privileges not for public use to enforce this kind of privileges to the enforces that policies Tizen implements three plus one security
mechanisms the first is the classic deck the UNIX user ID curve ID that you probably are familiar with the second is smack smack is Tyson's choice of kernel-space Mac type mechanism like selinux the specifics are a bit conflict complex but conceptually they are thinking what what this on app receives a unique label a tessellation like user packaged sample app and for every kernel object access the current label or context is checked against rules in Mac database the third is she's Senora Senora is Tyson's user space privilege management payment services ask sinara to check if the Kali application has the privilege tanara identifies the application by its smack label then validates it against the policies within its own Nara database and finally the post one security manager is polished configurator and it reads the policies from the file system and the manifest file and here and there and and it fills the database as we talked about sodac smack sinara can recognize them
now let's talk about how applications actually talk to services d-bus is a widely implemented IPC system for linux like OS that also offers offers useful built-in functions like the discoverability or inspection to put it simply each service statement registers itself to the DB statement then clients dispatch to request messages over a virtual channel Tizen relies heavily are on deep Explorer IPC's asterisk so let me give you some Debus constants using an example or the right a typical device message call sweet and works like this we want to
send a request from a client to a service as the service process already has except registered in this case and the coin process opens connection to the bus and the connection gets assigned a unique busting looks like : something 1.7 in this case so now the client sends a request message to the bus and that message reaches service whose connection also has a unique bus name but also an optional well-known last name urg example service this service name then the request is to invoke set foo method of the object flash or G slash example /l just one the object implements the interface Oh our G example interface which specifies methods like set food get food and finally the resistor service responds with a message oh sorry so to recap in one sentence the
client process is a request from a bus in : 1.7 via the bus to a bus emoji example service to invoke set foo method of the object or diesel object one of the interface alergy example interface yes so the asterisk that's because Tyson's D bus is Cynara where meaning it is patched to natively perform privileges text so upon receiving a message the Daevas daemon in the middle ask sinara for validation but this approach allows divas daemon to control access on messages on the right example shows the pics P assistant first configuration bus configuration file and you can see there is a check element with destination interface never method and and importantly privilege attribute 50 agent so whenever a diva statement receive the message occurs sinara to see if the sender has the privilege then decide to accept or deny the message let's dig a little deeper with an actual
code example how an API call sends a request to service and it's privileged gets validated so we're going to start with location measure API with proper location privilege so let's applicate left upper code shows that the privilege string is in the manifest so the client process logic function below creates a measure handle starts measure and then prints out the result to the law on the right in the shell of the actual device we can see the result is zero as expected which is a success then what happens if there is no privilege then let's try this the same thing then the result will come out negative thirteen a failure the log shows within the same PID the process ID with written within the parent food processes shows a failure sinara check failed location library a library LDS location is possible for this vlog by calling location check sinara function now this is the first privilege check down the chain of a service request now this happens within the same P I did this so by reverse engineering the location library we can pinpoint where this happens since the library is linked to the client within the same process ID client can simply a live patch the instructions so we move the code and write zero to register 0 then we bypass the first check the left code shows a live path and protect to enable right then simply just overwrite the memory when we run this the result is still negative observe negative 1 3 however the log changes a d-bus access denied message still within the same PID is printed out in violation of the privilege HTTP something location so we can see the deepest library lbst most client sends a request to LDS server and the error shows the request access is denied by demo statement which first sinara in the middle this is the second privilege check down the chain so to recap on the top an app using
location API links the location library then the library queries sinara for the first time if that passes d-bus request descent then the d-bus daemon in the middle course Nara for the second time if that passes to location Damon receives a request which could potentially queries in order for the third time then finally the requires two reaches to Hardware below now we didn't discuss the third check we'll talk more about this in the next section so what if the client is a malware so if the client is malware there's no first check anymore so there are two points like a pinpoint that can actually secure the service the second point D was Damon on request is a middle and the Third Point service Damon after receiving the requests if the OS or service developer fails to implement both of them then the violate the violation can happen now we know the background let's move on
to actually finding violaceous to do so let me introduce a simple tool developed named dan the debuff analyzer the the D idea is simple so let's say we send a D bus request to a safe service like L their server we saw with no argument given without the privilege then access denied is gonna get returned but with the privilege though invalid arguments is returned then when you think about it the ever suggest privilege of validations always happen first ahead of any other validation of the request then how about we send the non privilege to request to all of them all the possible methods then the other ones that return any other errors that is not access denied that would imply the policies at least the deepest policies except non-privileged request which could lead to violations so we developed them then automatically evaluates privileged verification of Deva services it spawns a test process on a remote device and then recursively scans the Deva structure it then tries to read every property of every object also calling every method of every interface after one round of analysis then writes three plus three files one of is what is the whole Deva structure flattened into JSON file and the others are properties and messes that require further attention let's discuss how this works
step-by-step so first we gather all possible bus names of services notice that as we discussed we one service can have multiple bus needs one unique or one or more well-known names so from the extractive farmer we gather all names from files on their user share the bus one so as shown on the Left image of system v1 the service from the run time we can't recall the built-in method list names to list all currently available bus things as shown on the right image you can see sorry you need somewhere unique : something something and some are well know like some in this case you are for the first of audio server let that config
second we recursively introspects the services that means gathering their structure objects interface method etc per the demo specifications each service can respond with its object structure when the deepest standard message introspect is requested the response is well formatted of XML as shown on the right example and this is the route object of system D and you can see the interfaces methods and method arguments in child objects
now in this step we try to read every property value to do that we use dadiba standard method to get all on every object but then uses the utility called the d-bus standard which is one of the default utilities but however the responses from get all method as shown on the left they are not quite well formatted for an easy processing so we made a custom bison part of executed compiler get all that Jason to convert the strings to into Jason compliant form as shown on the upper right next step the most important one we try to call every method of every interface for all the objects when doing this we use random arguments it's jurors thing so that the actual logic is not yet executed this is not executed as shown above something like several strings of just one then an error would be returned as we discussed since the privilege that the privilege gets validated the validated first we ignore the message that returned access denied so they they actually check their what they are actually acting so they are safe but with any other error we assume the methods are callable now finally we hash every object to
remove duplicates then print out the readable properties and call our methods Oh that was then that we got that out of the way let's move on to the fun part of allman abilities we ran our then with the target device samsung gear support it took about an hour then then there is also like this and there were 269 bus things from which there were over 130,000 readable properties and over 2,000 colorful methods this does not include the first default interfaces such as 2d bus there's a lot of methods but we do have some false positives because of the third check we mentioned the log shows some services check sinara some services themselves explicitly check Cynara you can see on the right sinara check fail but let's not call it self does not return any deepest error so then the tool categorized in column or at this point we started to manually examine each method the 2000 of them and it turns out it was worth it so we
discovered many system services that allow previously privilege of violations mel there without any privilege could take over Wi-Fi and Bluetooth screen notification email and so many more it sounds a bit scary now so now let's take a look at them one by one
first we found the deepest API for WPA supplicant was fully exposed for those who don't know this is a free software implementation for a total of nine which can be easily found on linux systems Tizen bills is own API and Damons on top of WPA supplicant but we found every method is call a ball and every property is readable and that includes creative interface remove me interface scan don't pierce can't suppress start get pin pit if you're fine connect and more now this exposure violates Tysons many Network related privileges and also location related private ones to know let me give you some more example on that well many companies run a database from which GPS coordinates can be publicly obtained if two components are known the SSID of nearby Wi-Fi networks and there's signal values so even though location privileges love the location privilege isn't granted or even the location then daemon is itself completely turned off the malware can take can track the device by taking over Wi-Fi on the right example we acquire the bssid of the first known Wi-Fi network starting with 98 d7a and the signal value of negative 51 so using Google's geolocation API we have the GPS color or coordinate which is our lab
next we have Bluetooth the product X dot PT and product x bt for two of dices own services for controlling bluetooth these services partially exposed methods where malware can silently accept incoming Bluetooth pair requests or silent through force Bluetooth discovery moved or prompt a pair request system UI to do fishing now on the right we have an example so we're never malware calls the method in the background or at any time the UI in the first image pops up so when the user Scrolls down they see the actual name of the paired smartphone this system interface is suppose supposed to be one of the Bluetooth parent messes where the user manually manually types it's a pin however if the user the she sees the UI without any initiation or without even entering the Bluetooth discovery mode then user would think like that's weird what does this pin mean well just my phone that's the name of my phone so I guess I should punch in my pin then the value just gets returned to the malware
now besides Project X there is another daemon for Bluetooth blue z wz is a the underlying Bluetooth stack for Linux and we found that this api's are partially exposed as well a malware can silently force devices to disconnect gather information epsilon there is a bonus though then that's aged HCI dump we found on some devices there is no restriction on HCI topic utility as you can see on the right what that means is that any mailer or any user it can simply dump the incoming outgoing butas packets with no super user privilege now by combining the two a malware can start dumping HT packets and force the pair devices the disconnect which will automatically reconnect with a new link key then extract the key from the table needless to say these problems violate eyes and booties related also private privilege
next we take over the screen to Tyson's choice of windows manager is the Enlightenment project among many exposed methods dumps pop we winds somehow if this method dumps the windows into PNG files as you can see right now this problem violates Tizen screenshot private privilege and then we have the notification
service this service doesn't only manage notification data but also can do stuff on behalf of the users tap on the screen so this service is also partially exposed as a result email there can remove all the notifications or launch an application on the phone read all the incoming messages internal data and so on now in this case privilege like notification to push on are violated but there is no privilege assigned to this kind of invasive behavior no application should actually be able to do this then finally we have emails the remail
consumer manages the users mailbox data just like the notification it also lets anyone do stuff a mailer can launch the email app on their smartphone modify email messages and most importantly send any email using the user's email address so messaging and email related private privileges are violated but the most problematic thing is how
this service actually handles private methods actually sending an email request does get rejected but how on the right we have the code first we have the string we mail private send mail no T then it does string compare and nothing more if it's not match the error shows up ID is different but if it's a match then we're through there is no proper privilege check in place and the only security here is that one string check now let me give you a actual demo that combines many of the problems we discussed into one neat little package
you can see our mailer has no privilege you know then we are building it and launching it on the target device on the right the package is being loaded and the malware will look like a simple watch base application there you go now the phone receives of Google
Hangouts notification that the data is handed over to the watch that then let's
say the user puts do you have in the background and after a bit of waiting the malware will start to run the code then the user is now checking the email it's waiting for a while
and the first it disconnects the Bluetooth connection to the phone then executes HCI dump for losers packets for a while then yes
soon the connection will re-establish with new link key then the malware will allow the data like that then it also acquired the notification data
now it starts to send the data to the attackers email using the the users email account it also captures the screen and says the email image image data now we are at the attackers screen emails should arrive soon there you go it's taking a while and one thing to notice is that the emails are coming from the phone you can see the notifications start to pop up on top of the phone and and the watch and watch this now we are receiving the images each image is a window it's one and there's a code so and this data is one part HCI pcap file and the other
part adjacent object so that this just
parts it the json object is the internal data of the notification service so you can see the message in the middle so my room password is something in the middle now finally examining the HTI pica file shows the new link key like at the bottom and that's the demo
then why did all this happen so we went through the configuration files to get a glimpse of it first we have notification service you can see there are only three checks elements listed they try something but many other messes are simply missing in the case of Wi-Fi we can get a clue from the Tizer wiki the left diagram shows where how it was designed on top of WPA supplicant there are ties as conmen daemon and net config daemon and then on top of that there's the application while the middleware is protected by their configuration files that would be a supplicant configuration simply doesn't exist and why is that because how it actually works is on the right diagram Debus is not an hierarchy like the supposed design on the left the services are on the same bus so they only to be secured and it was neglected
finally we went to the galaxy apps store since dmoz client API are officially supported through the Enlightenment we were able to develop a proof of concept we were able to submit an app called bit watch the app watch face app watch place app only has Internet related privileges but it dumps to notifications internal data and sends it to a remote server the M was submitted with some obstacle to hide some strings and went through the verification process on detected as a malware it went on sale for a brief amount of time until we took it out
we reported this research to Samsung in April they were quick to respond with many patches committed to the Tizen open source reporter and some firmware updates were at least now let's wrap up to recap in this
session we discussed a ties insecurity internal and around the objects and privileges we focused on where they are valid we talked about the three checkpoints to client process the Sonora where team of Damon and the service process then we discussed Dan which uses access denied error message as an Oracle to discover potential privilege violations and finally we disclosed privilege violations that impact many system services of the gear SmartWatch Wi-Fi Bluetooth screen notification and email additionally we showed up the possibility of distribution via the official store so where can we go from here there may be some questions can this tool be applied to other tip Tizen systems like PV for refrigerators or how about other demo systems like the Linux we can also think about some more advanced working on techniques to bypass official mitigations enforced by galaxy apps or that's it for the session I would like to thank professor zombie tread for his guidance just a leave for the insurance research ready bear for the appropriately and going home to depart and just I'm off for the advice and that's it if you have any questions I would like to answer them thank you for listening