Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/22/2017
10:00 AM
50%
50%

Samsung Pay Leaks Mobile Device Information

Researcher at Black Hat Europe will show how Samsung Pay's security falls short and ways attackers could potentially bypass it.

Mobile users installing Samsung Pay on their devices could have sensitive information stolen by attackers due to a newly discovered weakness in the app that leaks the digital tokens that secure transactions and other technical information such as network traffic logs.

An attacker could capture this information without having to authenticate to the device, according to a Tencent researcher who goes by the name of HC, who at Black Hat Europe 2017 next month will present his findings on the Samsung Pay security weaknesses.

"This information can let the attacker learn much more about the internal mechanisms of Samsung Pay and allow them to use it to their advantage to go even deeper into Samsung Pay," HC says.

The attacker, for example, could take the information and use it to view communication between users and their banks in plain text. With enough information, HC notes, an attacker could create another token to withdraw money from users' bank accounts.

Samsung Pay's tokens are unique alphanumeric identifiers generated via algorithms and designed to eliminate the need to use a credit card or debit card number.

"This is not a vulnerability in Samsung Pay, but a mistake in Samsung Pay's app. The mistake is you don't need privileges to get access to the phone log system," says HC, who has notified Samsung about the issue.

HC conducted his research using a Samsung Galaxy S6 but says all Samsung Galaxy smartphones that feature Samsung Pay may be at risk.

The purpose of HC's presentation is to discuss Samsung Pay's security and how to generate a token without the device being physically present, which is different than a 2016 Black Hat Samsung Pay demonstration by another security researcher, HC notes.

Although HC in his research had aimed to generate a token without a Samsung Galaxy device, he acknowledged he was not able to achieve that goal because of the strength of the encrypted traffic and difficulty in accessing the secure chip to crack the encrypted key.

"It is possible to compromise Samsung Pay with the right tools and skills," HC says, noting in his particular case the desired tools were not immediately available.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19794
PUBLISHED: 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
CVE-2019-19795
PUBLISHED: 2019-12-13
samurai 0.7 has a heap-based buffer overflow in canonpath in util.c via a crafted build file.
CVE-2019-19796
PUBLISHED: 2019-12-13
Yabasic 2.86.2 has a heap-based buffer overflow in myformat in function.c via a crafted BASIC source file.
CVE-2019-5253
PUBLISHED: 2019-12-13
E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an improper authentication vulnerability. The device does not perform a sufficient authentication when doing certain operations, successful exploit could allow an attacker to cause the device to reboot after launch a man in the middle att...
CVE-2019-5260
PUBLISHED: 2019-12-13
Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of service vulnerability. Due to insufficient input validation of specific value when parsing the messages, an attacker may send specially crafted TD-SCDMA messages from a rogue base station to the affected devices to exploit this vul...