Modification Attack on Samsung GearFit

Samsung provides a management application named Samsung Gearfit Manager that handles all essential functions of the watch, such as firmware upgrading, connection, application management… Our first step was therefore to understand the firmware upgrade procedure by reverse-engineering the APK file structure. Many common tools for this are readily available, such as Virtuous Ten Studio, IDA…

During the investigation, we discovered a strange directory called “firmware” containing firmware files packed in bin format. These files are used to update the Gearfit firmware directly via the Gearfit Manager application. In addition, we found plenty of classes linked to these files.

Figure 1: Class structure of the firmware upgrading function

Next, we checked whether a checksum function is used when updating the smartwatch firmware. Fortunately, a checksum function was available in the “UpdateInfo” class.

Figure 2: Checksum function

GearFit’s checksum is Adler32, implemented with the standard support available in Android. As the code shows, the checksum function only computes an Adler32 value over the byte buffer after reading it from the firmware file. Consequently, it only ensures integrity during transfer: a firmware file that was modified before it is read passes unchanged, because the checksum is simply recomputed over the modified bytes. Based on this vulnerability, we performed a modification attack on the stored firmware files without having to care about the checksum value. The final step is to re-pack the Gearfit Manager APK file with the modified firmware and update the GearFit smartwatch with it.
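The following Python script is an added illustration of the point above; it is not code from the GearFit Manager APK, and the firmware bytes, the bit-flip position and the device-side key it uses are constructed stand-ins. It models the update flow described in the post (an Adler32 computed over whatever buffer was just read from disk and re-checked on the receiving side) beside a flow in which the receiving side checks an authenticator that the updater application cannot produce itself, and shows which modifications each flow detects.

```python
"""Why a checksum computed at update time does not protect stored firmware.

Added illustration, not code from the GearFit Manager APK. Two update flows are
modelled over a constructed firmware image:
  1. the flow described in the post: Adler32 over the buffer read from disk,
     sent alongside that buffer and recomputed by the receiver;
  2. a device-side check against an authenticator the updater cannot recompute.
"""
import hashlib
import hmac
import zlib

# Constructed stand-in for a firmware image (no real GearFit image is used).
GENUINE_FIRMWARE = bytes(range(256)) * 16              # 4 KiB of sample bytes
_tampered = bytearray(GENUINE_FIRMWARE)
_tampered[0x100:0x104] = b"\xde\xad\xbe\xef"           # a modification of the stored file
TAMPERED_FIRMWARE = bytes(_tampered)


def adler32_of(image: bytes) -> int:
    """Same primitive the app relies on: Adler32 over the buffer read from file."""
    return zlib.adler32(image) & 0xFFFFFFFF


def checksum_flow_accepts(image_on_disk: bytes, corrupt_in_transit: bool = False) -> bool:
    """Flow 1: sender computes Adler32 over the bytes it just read; receiver recomputes.

    The checksum is derived from the very bytes it is supposed to protect, so any
    file the sender reads passes. Only damage that happens after the checksum was
    computed (simulated here as a bit flip on the link) is detected.
    """
    checksum = adler32_of(image_on_disk)
    received = bytearray(image_on_disk)
    if corrupt_in_transit:
        received[10] ^= 0x01                            # single bit flipped in transit
    return adler32_of(bytes(received)) == checksum


# Hypothetical device-side key standing in for a vendor verification key.
# A real design would hold a vendor *public* key on the watch and verify an
# asymmetric signature, since any secret shipped inside the APK can be extracted.
DEVICE_VERIFY_KEY = b"hypothetical-device-side-key"


def vendor_authenticator(image: bytes) -> bytes:
    """Produced by the vendor at build time and shipped next to the image."""
    return hmac.new(DEVICE_VERIFY_KEY, image, hashlib.sha256).digest()


def authenticated_flow_accepts(image_on_disk: bytes, authenticator: bytes) -> bool:
    """Flow 2: the device checks the image against an authenticator it can verify
    but that cannot be regenerated from the contents of the APK alone."""
    expected = hmac.new(DEVICE_VERIFY_KEY, image_on_disk, hashlib.sha256).digest()
    return hmac.compare_digest(expected, authenticator)


if __name__ == "__main__":
    tag = vendor_authenticator(GENUINE_FIRMWARE)
    print("Adler32 flow, genuine image:         ", checksum_flow_accepts(GENUINE_FIRMWARE))
    print("Adler32 flow, corrupted in transit:  ", checksum_flow_accepts(GENUINE_FIRMWARE, True))
    print("Adler32 flow, modified on disk:      ", checksum_flow_accepts(TAMPERED_FIRMWARE))
    print("Authenticated flow, genuine image:   ", authenticated_flow_accepts(GENUINE_FIRMWARE, tag))
    print("Authenticated flow, modified on disk:", authenticated_flow_accepts(TAMPERED_FIRMWARE, tag))
```

The first flow rejects the in-transit bit flip but accepts the image modified on disk, because the checksum was never compared against anything the modified file could fail to match. The second flow rejects the modified image because the authenticator was fixed by the vendor before the file ever reached the application. The HMAC here is only a stand-in that keeps the script dependency-free: a shared secret inside an APK is as extractable as the firmware itself, so the deployable version of this check is a vendor signature verified on the watch with an embedded public key.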
