SIK-2016-044


Title:

Logging of Sensitive Information in Gigaset elements App

Report ID

SIK-2016-044

Summary:

  • Vendor: Gigaset elements GmbH
  • Product: Gigaset elements
  • Affected Version: Platform build version name 6.0-2704002
  • Severity: medium
  • Short summary: The Android app “Gigaset elements” (Gigaset smart home) leaks several pieces of sensitive and critical information to the log console.

Details:

The Android app named “Gigaset elements” logs several pieces of sensitive user information. The information is written to the log buffer and can be read out through adb logcat. It includes the user credentials (username/password) for the Gigaset smart-home login. Furthermore, communication details such as requested URLs, session ids, user tokens and device and system configuration data are logged.

User credentials:

The user’s credentials can be extracted because the class ObfusString and other classes (whose names are obfuscated in the app’s code) write the credentials to the log output, both in plaintext and in encrypted form. The decompiled call below is the plaintext branch (the "@:" prefix); the "#:" lines in the logcat output are the encrypted form.

...
Log.d("OBF", "@:" + arg8);
...

Logcat credentials output:

D/Preferences(18097): GET: [keyUserNameX] ? 'null' => '6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH'
D/OBF (18097): #:6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH <== username encrypted
D/OBF (18097): @:teamsiksm2@gmx.de  'lOca3CgiYHOyza4PCeF7gg=='
D/OBF (18097): #:lOca3CgiYHOyza4PCeF7gg== <== password encrypted
D/OBF (18097): @:aaaaaaaa <== password in plaintext

Log output of authorization information:

D/Retrofit(18097): ---> HTTP GET https://api.gigaset-elements.de/api/v1/auth/whoami
D/Retrofit(18097): Cookie: reefssid=97mshqmvjlu6u5mopke330a32g1hj63dkf4d861lg494vr8dsh4dqjq3ot662sig6rmbc6v5ofkfnd8ojccaa02kvn7is5bbtm4tj33; usertoken=5SjNrWLfQQaf2NJM8UamDQ__TIMESTAMP__1469122440:1bQAMi:NHU5_HUSkqVYbKKDi5rupF1MjP8;
D/Retrofit(18097): Authorization: Basic Z2M6LW9WZ1lNaG5IYTRyeXo=
D/Retrofit(18097): User-Agent: GigasetElements-Android/2.6.4 (16070507)

Private information leakage:

{"email":[{"channelId":"teamsiksm2@gmx.de","friendlyName":"","status":"active","notificationGroups ...{"channelId":"APA91bEdUyabOA3pZdIl1AYIejHA8zn2lbdRfxtcMpQFYxl2KJN_MG3mZ4iI56XCOhVP2Xn52sSfc4DuQ8Z3w2Aiy1jZMTS-tOb9bQu2IIuG9jYbMNoZL8w27EAKy-RXfMZMOVelMXi","friendlyName":"Google Nexus 5 - 6.0.0 - API 23 -1080x1920","status":"active","notificationGroups":["call_logs","homecoming","intrusion","system_health"]}
...

Webcam stream URL leakage, logcat output:

Local- FetchedURL:https://gigaset.y-cam.com/live/7C2F80A00B67_Q64NL20X.stream/playlist.m3u8

On older Android devices (version < 4.2) any application holding the READ_LOGS permission could read the log output of every other application, so a malicious application could dump the log and steal the critical information from the Gigaset elements app. On newer Android versions an app can only read its own log lines, so this is no longer possible, except on a rooted device or by using a root exploit. Still, an attacker with physical access to the device (evil maid attack) can dump the log via adb and steal the credentials and the other logcat information shown above. The leaked webcam stream URL can be accessed without any further authentication: in our test environment we were able to watch the camera’s web stream for an unlimited period of time simply by knowing the URL from the leaked log data.
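To triage a logcat dump for exactly the leak classes shown above (the ObfusString plaintext branch, Basic credentials, session cookies, e-mail addresses, preference keys and unauthenticated stream URLs), the following scanner is an added example and not part of this advisory or of the Gigaset app. The sample input is constructed from the log lines quoted above, with the Cookie header re-joined onto one line and one benign ActivityManager line added as a negative case; the cookie names and Basic/Bearer header shapes it looks for are the ones in this report plus a few common defaults.

```python
"""Triage a logcat dump for the leak classes described in this advisory.

Added example; not code from the advisory or from the Gigaset elements app.
Run it over the output of `adb logcat -d` (pass the file as argv[1]); with no
argument it scans the constructed sample below.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the advisory's log lines, Cookie header re-joined, plus
# one benign line (line 10) that must produce no findings.
SAMPLE_LOGCAT = """\
D/Preferences(18097): GET: [keyUserNameX] ? 'null' => '6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH'
D/OBF     (18097): #:6/TrCCvyYZL93LPZI/KXS2+/x5hxK/SH
D/OBF     (18097): @:teamsiksm2@gmx.de  'lOca3CgiYHOyza4PCeF7gg=='
D/OBF     (18097): #:lOca3CgiYHOyza4PCeF7gg==
D/OBF     (18097): @:aaaaaaaa
D/Retrofit(18097): ---> HTTP GET https://api.gigaset-elements.de/api/v1/auth/whoami
D/Retrofit(18097): Cookie: reefssid=97mshqmvjlu6u5mopke330a32g1hj63dkf4d861lg494vr8dsh4dqjq3ot662sig6rmbc6v5ofkfnd8ojccaa02kvn7is5bbtm4tj33; usertoken=5SjNrWLfQQaf2NJM8UamDQ__TIMESTAMP__1469122440:1bQAMi:NHU5_HUSkqVYbKKDi5rupF1MjP8;
D/Retrofit(18097): Authorization: Basic Z2M6LW9WZ1lNaG5IYTRyeXo=
D/Retrofit(18097): User-Agent: GigasetElements-Android/2.6.4 (16070507)
I/ActivityManager(  512): Displayed com.example/.MainActivity: +312ms
Local- FetchedURL:https://gigaset.y-cam.com/live/7C2F80A00B67_Q64NL20X.stream/playlist.m3u8
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


# One capture group per pattern holds the value worth reporting.
PATTERNS = [
    # ObfusString's "@:" branch logs the plaintext, "#:" the encrypted form.
    ("plaintext-credential", re.compile(r"\bOBF\s*\(\d+\):\s*@:(\S+)")),
    ("encrypted-credential", re.compile(r"\bOBF\s*\(\d+\):\s*#:(\S+)")),
    ("preference-key", re.compile(r"Preferences\(\d+\):\s*GET:\s*\[(\w+)\]")),
    ("basic-auth", re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")),
    ("bearer-token", re.compile(r"Authorization:\s*Bearer\s+(\S+)")),
    # reefssid/usertoken are this app's cookies; the rest are common defaults (assumed).
    ("session-cookie", re.compile(r"(\b(?:reefssid|usertoken|JSESSIONID|PHPSESSID)=[^;\s]+)")),
    ("email", re.compile(r"([\w.+-]+@[\w-]+\.[\w.-]+)")),
    ("url", re.compile(r"""(https?://[^\s'"]+)""")),
]


def decode_basic(token: str) -> Optional[str]:
    """Decode an HTTP Basic credential to user:password; None if not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scan_logcat(text: str) -> list:
    """Return a Finding for every sensitive value spotted, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1)
                found_kind = kind
                if kind == "url" and ".m3u8" in value:
                    found_kind = "stream-url"  # HLS playlist; unauthenticated in this case
                findings.append(Finding(line_no, found_kind, value))
                if kind == "basic-auth":
                    decoded = decode_basic(value)
                    if decoded is not None:
                        findings.append(Finding(line_no, "basic-auth-decoded", decoded))
    return findings


def summarize(findings) -> dict:
    """Group leaked values by kind, preserving order of first occurrence."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.value)
    return grouped


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOGCAT
    for f in scan_logcat(text):
        print(f"line {f.line_no:4d}  {f.kind:22s} {f.value}")
```

The generic url and email patterns are deliberately noisy; on a real dump you will want to filter them by the app's PID (the number in parentheses after the tag) before reading through them, whereas the credential, cookie, Basic and stream-URL hits are worth reporting as they are.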

Workaround

Users should disable the USB debugging feature on their devices and use a secure lock screen to prevent evil maid attacks. They should avoid side loading (app installation from external sources) to prevent the installation of malicious applications that can potentially access the log information on older Android versions.

Suggested Mitigation

Remove logcat output from the release build. The Gradle and ProGuard configuration below strips the android.util.Log calls at build time. The Retrofit header dump shown above comes from the HTTP client's own debug logging, which should additionally be set to its lowest level in release builds (RestAdapter.LogLevel.NONE in Retrofit 1.x) rather than relying on the shrinker alone, and credentials, tokens and session cookies should never be passed to a logging call in the first place, since build-time stripping only protects builds that actually go through the shrinker.

build.gradle:

buildTypes {
    release {
        minifyEnabled true
        proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
    }
}

proguard-rules.pro:

# Strip all android.util.Log calls (including the error level) from the release build.
# ProGuard removes them as side-effect-free calls during optimization, so this only
# takes effect with proguard-android-optimize.txt; the plain proguard-android.txt
# file contains -dontoptimize and leaves every Log call in place.
-assumenosideeffects class android.util.Log {
    public static boolean isLoggable(java.lang.String, int);
    public static int v(...);
    public static int i(...);
    public static int w(...);
    public static int d(...);
    public static int e(...);
}

Timeline

  • 2016-07-27 Vulnerability Discovered
  • 2016-08-15 Vulnerability Reported
  • 2016-09-14 Vulnerability Fixed