TK-Star Q90 Junior GPS Horlage 3.1042.9.8656 SMS Control
2024-7-30 20:35:43 Author: packetstormsecurity.com(查看原文) 阅读量:0 收藏

[Suggested description]
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.
It performs actions based on certain SMS commands. This
can be used to set up a voice communication channel from the watch to
any telephone number, initiated by sending a specific SMS and using the
default password, e.g., pw,<password>,call,<mobile_number> triggers an outbound call
from the watch.
The password is sometimes available because of CVE-2019-20471.

------------------------------------------

[VulnerabilityType Other]
Remote audio connection without explicit approval

------------------------------------------

[Vendor of Product]
TK-star

------------------------------------------

[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656

------------------------------------------

[Affected Component]
Smartwatch

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
An attacker needs to send an SMS to the device's mobile number. Knowledge of the mobile number is required before this vulnerability can be exploited.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal

------------------------------------------

[Reference]
https://www.tk-star.com

Use CVE-2019-20470.


文章来源: https://packetstormsecurity.com/files/179819/tkstarq90-weakcontrol.txt
如有侵权请联系:admin#unsafe.sh