Session Hijacking Attack on SamSung GearFit smartwatch

1. CUP Overview

Companion UI Platform (CUP) is a open library which allows you to display information from a host device, for example a smartphone, on companion devices and devices that use CUP. CUP contains many control widgets named winsets, which is useful to create graphic layouts to display information.
The host device control the companion device’s display by sending request to companion
devices using Bluetooth. CUP Browser is facilitate to display the CUP winset on wearable

devices in many types, and receive interaction events back from the wearable devices.

blog-session-hijacking-1
Figure 1: Cup Overview

The CUP architecture is simply contained:

  • Applications: The applications are built on CUP as main platform.
  • CUP API: Components for creating and showing various layouts on the companion device, including the callback interface.
  • CUP Service: Service used to connect between the host and companion device
    blog-session-hijacking-2
    Figure 2: CUP Architecture.

2. Session Hijacking:

The classes in Scup library use to connect to watch apps are private. So the idea is that we will implement a new public class to create a new illegal connection to other watch apps. Scup uses Scup Communicator class to initiate connection to watch and connection services are only using the package as constructor parameter. We can compromise application by change the target connection.
blog-session-hijacking-3
Figure 3: Scup Communicator Class Diagram
The weakness point is that GearFil watch does not have any authenticated method when application create service connection to connect with watch application. The parameters are only package name and Samsung service name. After host application connect successful to watch app, we create one more new connection to the other application and send the command. Watch app receive the command and perform because it believes that command come from legal application.
Unfortunately, all of connection function in Scup library is private function. We need to
implement a new function by integrating from these functions and build a new library.
blog-session-hijacking-4.PNG
Figure 4: Compromiss Class

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

<span>%d</span> bloggers like this: