Plaintext Storage of WiFi Credentials - Samsung Cloud Sync

I am writing to report a security vulnerability I have discovered in the Samsung Cloud synchronization process for WiFi credentials on Samsung devices. This issue concerns the exposure of sensitive information, which I believe warrants immediate attention.

This is not device-specific, but it happens because of the application and should therefore happen on all devices.

Vulnerability Details:

Summary: Samsung Cloud syncs WiFi passwords in plaintext, which are then stored on the device and can be accessed by any individual or process with root access.

Affected Service: Samsung Cloud WiFi Profile Synchronization.

Affected Devices: Samsung devices running on Android 13 (further testing on other versions required).

Impact: Potential for unauthorized access to WiFi credentials if root access is obtained by a malicious actor.

Steps to Reproduce:

Synchronize a Samsung device with Samsung Cloud with the WiFi profile option enabled.

Obtain root access to the device (note: this is for demonstration purposes and to outline the risk; root access is understood to be a privileged state).

Execute the following adb command:

adb shell 'su -c cat /data/data/com.samsung.android.scloud/cache/com.samsung.wifi.profile_sync.txt' \
    | jq -r '.records[] | {record_id: .record_id, s: (.data | fromjson? // empty)}'

Observe that the WiFi SSID and password are displayed in plaintext in the output.

Proposed Resolution:

To mitigate this vulnerability, I recommend the following measures:

Eliminate the storage of WiFi passwords in plaintext on the device. Even with root access, it's a security best practice to encrypt sensitive data at rest.

Implement additional layers of encryption for sensitive data synchronization processes, so that WiFi passwords are never exposed in a human-readable format.

Consider additional security measures to safeguard data even in cases where devices are rooted, recognizing that such scenarios are a heightened risk.

Personal Note:

I understand the gravity of security issues and have reported this with the intention to contribute to the security of Samsung's services and the safety of its user base. I hope you will find this report helpful in initiating prompt remedial action.

Proof of Concept (PoC):

{
  "record_id": "31DC7396883DB981871032DB894CCEE7",
  "s": {
    "s": "\"Telia5GHz-00000\"",
    "k": 3,
    "p": "\"<password>\"",
    "a": 1,
    "h": 0,
    "m": 3
  }
}
{
  "record_id": "7A6E822EC787695B2CB0F8A2CC18BF9B",
  "s": {
    "s": "\"ASUS_A8_2G\"",
    "k": 1,
    "p": "\"<password>\"",
    "a": 1,
    "h": 0,
    "m": 3
  }
}

where s is the SSID and p is the password.
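
Added example (not part of the original report and not Samsung's code): a Python check that parses a pulled copy of the cache file and reports which records still carry a readable password, without ever printing the password itself. The outer layout (a records array whose data values are JSON-encoded strings) is inferred from the jq filter above, the sample records are constructed, and audit is a hypothetical helper name.

```python
import json

# Constructed sample mirroring the layout implied by the jq filter above:
# a top-level "records" array whose "data" values are JSON-encoded strings.
SAMPLE = json.dumps({"records": [
    {"record_id": "AAAA0001", "data": json.dumps(
        {"s": "\"ExampleNet\"", "k": 3, "p": "\"example-pass\"", "a": 1, "h": 0, "m": 3})},
    {"record_id": "AAAA0002", "data": json.dumps(
        {"s": "\"OpenCafe\"", "k": 0, "p": "", "a": 1, "h": 0, "m": 3})},
    {"record_id": "AAAA0003", "data": "not-json"},
]})


def _unquote(value):
    """Strip the literal double quotes the file keeps around SSIDs and passwords."""
    if isinstance(value, str) and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value if isinstance(value, str) else ""


def audit(text):
    """Return one finding per record; the password itself is never returned."""
    findings = []
    for rec in json.loads(text).get("records", []):
        try:
            inner = json.loads(rec.get("data", ""))
        except (TypeError, ValueError):
            continue  # same effect as jq's `fromjson? // empty`
        if not isinstance(inner, dict):
            continue
        secret = _unquote(inner.get("p"))
        findings.append({
            "record_id": rec.get("record_id"),
            "ssid": _unquote(inner.get("s")),
            "readable_password": bool(secret),  # True means p is stored in the clear
            "password_length": len(secret),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any record with readable_password set to True after a software update indicates the file is still written in the clear.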

Expected Correct Behavior or Workaround:

The correct behavior would entail storing WiFi profiles in an encrypted format that is not readable in plaintext, even with root access. A potential workaround to prevent exposure is for users not to sync their WiFi profiles with Samsung Cloud until a fix is implemented.