jueves, 17 de diciembre de 2015

Samsung Smarttv and Printers weak password SoftAP wpa2

Samsung SoftAP weak default password

Many devices created by Samsung has an special way to interact called in some cases wifi-direct and in other cases softAP this feature is only some kind of access point with an DHCP server integrated. For example if some user want to print a document using this functionality just must search the SSID of the printer then join his PC or cellphone to it and send the document. With Smarttv occurs something similar but it will show an image or will reproduce video or music.

The vulnerability

Let’s see how look like a password of Softap functionality from a smarttv

If you see this the password always will be a number under 100000000

Here you can see the same example in a printer

Always the security of the softap uses WPA2 but if you capture a handshake using aircrack just sniffing in the air is 100% possible crack the password in less than 14 hours using a modern desktop computer.
So you can send content to the printer and smart tv without anything can stop it.

This code will generate an 800 MB dictionary


count = 0

while (count < 100000000):

   print str(count).zfill(8)

   count = count + 1


Just run this:
python dictgen.py >dictionary.txt

 You can download a sample pcap with a handshake from a printer here or smarttv from here
If you want to test it use aircrack-ng with the previously generated dictionary
The syntax is the following:
aircrack-ng printer.pcap –w dictionary.txt
Now you need to wait a little bit more than a half day to get the password

When finish you will see something like the following image

Now you have ip connectivity with the tv or printer and the clients

You could intercept all files in transit, in the case of printers could have important information as contracts, confidential documents, etc. 

Also you could reproduce arbitrary content in some cases on the smarttv using some dnla/upnp software.

Fix and workaround
Any of the following options could be used.

Option 1- Make your password stronger: It's a good idea change the password using lowers, CAPS and numbers with 8 to 15 characters.

Option 2- Shutting down the service: If you don't use this functionality  just disable it.

Option 3- Download official patch: It depends of your model.
Go to http://www.samsung.com search your patch according your model (if it's available) 

Vulnerable models



May be all Xpress series 
Confirmed in M288OFW

It could affect more models than listed here
Samsung give me a reward :)