Samsung Internet for Galaxy Watch TLS Certificate Validation Vulnerability
Vulnerability
A vulnerability exists in the Samsung Internet for Galaxy Watch app, specifically in version 5.0.9, which is available on devices up to the Samsung Galaxy Watch 3. The app fails to properly validate TLS certificates, allowing attackers to impersonate any website visited by the user. This flaw undermines the security of HTTPS, enabling Man-in-the-Middle attacks that could intercept, steal, or modify sensitive information and traffic. The vulnerability arises because the browser does not ensure that a certificate's domain matches the website's domain, so it accepts any certificate issued by a trusted Certificate Authority. As a result, an attacker could intercept TLS connections by presenting a certificate issued by a trusted Certificate Authority for a domain they control.
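The check described above as missing, shown as an added example (not Samsung's code and not part of the original advisory). Certificates are modelled as pre-parsed dicts, chain validation is reduced to a boolean, every host name is constructed, and the wildcard rules are the conservative ones (a wildcard only as the whole left-most label).

```python
# Added example: hostname verification on top of chain validation.
# Certificates are modelled as pre-parsed dicts; all names are constructed.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a certificate dNSName against the requested host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard outside the left-most label
    if p_labels[0] == "*":
        # Covers exactly one label and needs two fixed labels after it,
        # so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcard such as "w*.example.com"
    return p_labels == h_labels

def accept_chain_only(cert: dict, requested_host: str) -> bool:
    """Behaviour the advisory describes: any CA-trusted certificate passes."""
    return cert["chain_trusted"]

def accept_with_hostname_check(cert: dict, requested_host: str) -> bool:
    """Chain must be trusted AND a SAN dNSName must match the host."""
    if not cert["chain_trusted"]:
        return False
    return any(dns_name_matches(n, requested_host) for n in cert["san_dns"])

# Constructed sample: a valid, CA-issued certificate for an unrelated domain.
UNRELATED_CERT = {"chain_trusted": True, "san_dns": ["unrelated-site.example"]}

if __name__ == "__main__":
    host = "bank.example"  # constructed host the user asked for
    print("chain only:     ", accept_chain_only(UNRELATED_CERT, host))
    print("hostname check: ", accept_with_hostname_check(UNRELATED_CERT, host))
```

A client that stops at the chain-only decision accepts the unrelated certificate for `bank.example`; the second function rejects it because no SAN entry matches the requested host.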
Impact
Exploitation of this vulnerability allows for interception and manipulation of TLS communications, effectively bypassing HTTPS security. This could lead to unauthorized access to sensitive information or the ability to alter incoming and outgoing data. The vulnerability also facilitates Man-in-the-Middle attacks, where an attacker can impersonate a user or a website, potentially causing further harm.
Reproduction
To reproduce this vulnerability, connect a Samsung Galaxy Watch 3 to a WiFi network that redirects traffic to a local port. This can be done using a tool like eaphammer to create a WiFi Access Point. Once the watch is connected to the AP, open the Samsung Internet app and navigate to any HTTPS website. The lack of proper TLS validation will allow the intercepted traffic to be decrypted and manipulated, bypassing the security normally provided by HTTPS.
