Headline
TK-Star Q90 Junior GPS Horloge 3.1042.9.8656 Default Password
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470.
[Suggested description]
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.
When using the device at initial setup, a default password is used
(123456) for administrative purposes. There is no prompt to change this password.
Note that this password can be used in combination with CVE-2019-20470.
[Vulnerability Type]
Incorrect Access Control
[Vendor of Product]
TK-star
[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656
[Affected Component]
Smartwatch
[Attack Type]
Remote
[Impact Code execution]
true
[Impact Information Disclosure]
true
[Attack Vectors]
An attacker needs to send an SMS to the device’s mobile number.
Knowledge of the mobile number is required before this vulnerability
can be exploited.
[Has vendor confirmed or acknowledged the vulnerability?]
true
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
[Reference]
https://www.tk-star.com
Use CVE-2019-20471.
Related news
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication channel from the watch to any telephone number, initiated by sending a specific SMS and using the default password, e.g., pw,password,call,mobile_number triggers an outbound call from the watch. The password is sometimes available because of CVE-2019-20471.