CVE-2019-20473 - OpenCVE

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Tk-star	Q90 Junior Gps Horloge Firmware Q90 Junior Gps Horloge

Configuration 1 [-]

AND

cpe:2.3:o:tk-star:q90_junior_gps_horloge_firmware:3.1042.9.8656:*:*:*:*:*:*:*

cpe:2.3:h:tk-star:q90_junior_gps_horloge:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.eurofins-cybersecurity.com/news/connected-devices-smart-watches/	Third Party Advisory
https://www.tk-star.com	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-02-01T20:13:13

Updated: 2021-02-01T20:13:13

Reserved: 2020-02-17T00:00:00

Link: CVE-2019-20473

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-01T21:15:13.747

Modified: 2021-02-05T20:23:28.840

Link: CVE-2019-20473

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a \"Remove PIN and restart!\" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-01T20:13:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.tk-star.com"}, {"tags": ["x_refsource_MISC"], "url": "https://www.eurofins-cybersecurity.com/news/connected-devices-smart-watches/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-20473", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a \"Remove PIN and restart!\" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.tk-star.com", "refsource": "MISC", "url": "https://www.tk-star.com"}, {"name": "https://www.eurofins-cybersecurity.com/news/connected-devices-smart-watches/", "refsource": "MISC", "url": "https://www.eurofins-cybersecurity.com/news/connected-devices-smart-watches/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-20473", "datePublished": "2021-02-01T20:13:13", "dateReserved": "2020-02-17T00:00:00", "dateUpdated": "2021-02-01T20:13:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tk-star:q90_junior_gps_horloge_firmware:3.1042.9.8656:*:*:*:*:*:*:*", "matchCriteriaId": "577BCAEA-0DF3-42A0-8662-5155D9C208D7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tk-star:q90_junior_gps_horloge:-:*:*:*:*:*:*:*", "matchCriteriaId": "3DBB04DB-ED55-4752-8D25-E6EFD8448648", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a \"Remove PIN and restart!\" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos TK-Star Q90 Junior GPS horloge versi\u00f3n 3.1042.9.8656. Cualquier tarjeta SIM utilizada con el dispositivo no puede tener un PIN configurado. Si un PIN es configurado, el dispositivo simplemente produce un mensaje \"\u00a1Remove PIN and restart!\", y no puede ser usado. Esto le facilita a un atacante usar la tarjeta SIM al robar el dispositivo"}], "id": "CVE-2019-20473", "lastModified": "2021-02-05T20:23:28.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-01T21:15:13.747", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.eurofins-cybersecurity.com/news/connected-devices-smart-watches/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.tk-star.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}