lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1E18A7B1-C810-4241-9D57-83FF31AC8B75@neseso.com>
Date: Mon, 24 Apr 2017 22:10:07 -0300
From: Info <info@...eso.com>
To: fulldisclosure@...lists.org
Subject: [FD] Samsung Smart TV Wi-Fi Direct Improper Authentication

Samsung Smart TV Wi-Fi Direct Improper Authentication

--------------------------------------------------------------------------------
1. Advisory Information

Title: Samsung Smart TV Wi-Fi Direct Improper Authentication
Advisory ID: NESESO-2017-0313
Advisory URL: http://neseso.com/advisories/NESESO-2017-0313.pdf <http://neseso.com/advisories/NESESO-2017-0313.pdf>
Date published: 2017-04-19
Date of last update: 2017-03-13
Vendors contacted: Samsung
Release mode: User Release

--------------------------------------------------------------------------------
2. Vulnerability Information

Class: Improper Authentication [CWE-287]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No

--------------------------------------------------------------------------------
3. Vulnerability Description

Samsung Smart TVs running Tizen OS are prone to a security vulnerability that allows an attacker to impersonate a trusted device to obtain unrestricted access without authentication when connected via Wi-Fi Direct[1].

--------------------------------------------------------------------------------
4. Vulnerable Packages

UN32J5500 Firmware version 1480

Other products and versions might be affected too, but they were not tested.

--------------------------------------------------------------------------------
5. Vendor Information, Solutions and Workarounds

Neseso recommends to remove all the whitelisted devices and avoid using the WiFi-Direct feature.

Contact the vendor for further information.

--------------------------------------------------------------------------------
6. Credits

This vulnerability was discovered and researched by a member from Neseso Research Team.

--------------------------------------------------------------------------------
7. Technical Description

Wi-Fi Direct Improper Authentication

Wi-Fi Direct [1], initially called Wi-Fi P2P, is a Wi-Fi standard enabling devices to easily connect with each other without requiring a wireless access point. It is useful for everything from internet browsing to file transfer, and to communicate with one or more devices simultaneously at typical Wi-Fi speeds. In a scenario where two devices want to connect they can authenticate using  methods such as PIN, Push-Button or NFC.

Samsung TVs has support for Wi-Fi Direct by default and it’s enabled every time the device it’s turn on.  The system uses a blacklist/whitelist access control mechanism to avoid asking the user to authenticate devices every time they try to connect using WiFi-Direct. This access control mechanism uses the MAC address to identify the devices, making easy for an attacker to get the necessary information to impersonate a whitelisted device and gain access to the Smart TV. The user will get notified about the whitelisted device connecting to the Smart TV, but no authentication it’s required. Once connected the attacker have access to all the services provided by the TV, such as remote control service or DNLA screen mirroring. If any of the services provided by the Smart TV, once connected using WiFi-Direct, is vulnerable the attacker could gain control of the Smart TV or use it to pivot and gain access to the network where the Smart TV is connected to.

--------------------------------------------------------------------------------
8. Report Timeline

2017-03-13: Neseso attempted to contact Samsung security contact.
2017-03-17: Neseso attempted to contact Samsung security contact for second time.
2017-03-20: Samsung replied that it’s possible to use the BugBounty site.
2017-03-20: Neseso reply asking for a public key to communicate in a secure manner.
2017-03-20: Samsung send their public key.
2017-03-21: Neseso sent the advisory document.
2017-03-22: Samsung replied they were looking into the issue.
2017-03-27: Neseso asks the vendor if they were able to verify the vulnerability.
2017-03-28: Samsung Smart TV Bug Bounty Team replied they need an attack scenario and explanation about how to reproduce the vulnerability. They also sent their public key.
2017-03-28: Neseso requests a public key that it’s not expired.
2017-03-28: Neseso found a valid public key on the vendor web site and sent the attack scenario description and how to reproduce the vulnerability.
2017-03-30: Neseso asks the vendor if they were able to verify the vulnerability.
2017-03-31: Samsung replied they just started issue analysis.
2017-04-06: Samsung replied they concluded that this is not a security threat to Samsung TV.

--------------------------------------------------------------------------------
9. References

[1] - http://www.samsung.com/in/support/skp/faq/441202 <http://www.samsung.com/in/support/skp/faq/441202>

--------------------------------------------------------------------------------
10. About Neseso

Neseso is an independent security consulting company with more than 10 years of experience in security research and vulnerability assessment.

--------------------------------------------------------------------------------
11. Copyright Notice

The contents of this advisory are copyright (c) 2016 Neseso and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/ <http://creativecommons.org/licenses/by-nc-sa/4.0/>

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ