The presentation discusses the Tizen security internals and how privilege violations can impact various system services of the Gear SmartWatch. The speaker introduces a tool called Dan, which automatically evaluates privileged verification of Deva services and identifies potential privilege violations.
- The presentation discusses the Tizen security internals and how privilege violations can impact various system services of the Gear SmartWatch
- The speaker introduces a tool called Dan, which automatically evaluates privileged verification of Deva services and identifies potential privilege violations
- The presentation provides a background on Tizen security internals and the three checkpoints for securing services
- The speaker discusses how the Dan tool works and the steps involved in identifying potential privilege violations
- The presentation concludes with a discussion on the possibility of applying the tool to other Tizen systems and advanced work on bypassing official mitigations enforced by Galaxy S4
The speaker demonstrates how the Dan tool works by using it to scan the Deva structure of the Samsung Gear SmartWatch. The tool identified over 130,000 readable properties and over 2,000 callable methods, but also produced some false positives. The speaker emphasizes the importance of identifying potential privilege violations to ensure the security of system services.
You buy a brand-new smartwatch. You receive emails and send messages, right on your wrist. How convenient, this mighty power! But great power always comes with great responsibility. Smartwatches hold precious information just like smartphones, so do they actually fulfill their responsibilities?
In this talk, we will investigate if the Samsung Gear smartwatch series properly screens unauthorized access to user information. More specifically, we will focus on a communication channel between applications and system services, and how each internal Tizen OS components play the parts in access control.
Based on the analysis, we have developed a new simple tool to discover privilege violations in Tizen-based products. We will present an analysis on the Gear smartwatch which turns out to include a number of vulnerabilities in system services.
We will disclose several previously unknown exploits in this presentation. They enable an unprivileged application to take over the wireless services, the user’s email account, and more. Further discussions will center on the distribution of those exploits through a registered application in the market, and the causes of the vulnerabilities in detail.