With the help of 3 critical vulnerabilities left by Tinno. If an attacker manages to get physical access to your device, he has multiple ways to get your data. Let's assume as a hypothesis that the device is protected by a PIN code and the developer options are disabled. 2/
1st scenario:
1. Reboot in bootloader mode
2. fastboot oem unlock-tinno
Thanks to this backdoor, aka "forgotten" fastboot command, you can unlock the bootloader without wiping your data. 3/
[image: pic.twitter.com/ngRjQ7stHn]
As the phone bootloader is unlocked when a thief gets their hands on it, they can boot a custom recovery environment. From the recovery mode, they could use the adb command to access all the data on your device. This bypasses any PIN or password used to secure your device. 4/
2nd scenario:
1. Shut down phone
2. Plug into computer
3. Wait for charger screen
adb is enabled in charging mode. 5/
[image: pic.twitter.com/SqxmUupUWy]
In this 3rd scenario, let's assume as a hypothesis that the device is not protected.
1. Boot your device
2. "adb shell setprop persist.tinno.debug 1"
6/
[image: pic.twitter.com/iit5k5hPmy]
This persist.tinno.debug system property is a backdoor which allows you to have a root shell. As a consequence, you can easily root your device (with bootloader locked). An attacker can also pull the content of the sdcard to his computer (SMS, photos, videos, ...). 7/
As a summary, I found 3 critical vulnerabilities in the Freddy phone:
1. adb is enabled in charging mode
2. "setprop persist.tinno.debug 1" is enabling adb root
3. "fastboot oem unlock-tinno" is unlocking the bootloader without wiping the device
8/
These 3 flaws combined allow an attacker with physical access to steal your data even if your device is password protected. Let's be super clear, these flaws had been created and left by Tinno. This shows that Tinno doesn't care about security. 9/
So, next time you are buying a cheap phone like this one, don't be fooled. You are intentionally putting all your data (SMS, photos, videos, ...) in a device with 0 security. It's like buying a new house without a door... 10/10
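A defender-side check for the property-based backdoor summarised in the thread, written as an added example (not the thread author's code): it parses a saved `adb shell getprop` dump and flags the vendor debug switch; the two AOSP properties `ro.debuggable` and `ro.adb.secure` are assumed-relevant indicators that I added, not ones the thread mentions.

```shell
#!/bin/sh
# Added example: audit a saved `adb shell getprop` dump. Each line of such
# a dump looks like "[persist.tinno.debug]: [1]".

# prop_value NAME FILE -> prints the value of NAME, empty if absent.
prop_value() {
    grep -F "[$1]: [" "$2" | head -n 1 | sed 's/^[^]]*\]: \[//; s/\]$//'
}

# audit_props FILE -> prints one FINDING line per risky setting and
# returns the number of findings (0 means nothing flagged).
audit_props() {
    findings=0
    if [ "$(prop_value persist.tinno.debug "$1")" = "1" ]; then
        echo "FINDING: persist.tinno.debug=1 (vendor switch that gives adb a root shell)"
        findings=$((findings + 1))
    fi
    # Assumed indicator: debuggable builds let adbd run as root.
    if [ "$(prop_value ro.debuggable "$1")" = "1" ]; then
        echo "FINDING: ro.debuggable=1 (debuggable build)"
        findings=$((findings + 1))
    fi
    # Assumed indicator: adb without host-key authorization.
    if [ "$(prop_value ro.adb.secure "$1")" = "0" ]; then
        echo "FINDING: ro.adb.secure=0 (adb skips host-key authorization)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample dumps (not captured from a real device).
RISKY_DUMP="${TMPDIR:-/tmp}/getprop_risky.$$"
CLEAN_DUMP="${TMPDIR:-/tmp}/getprop_clean.$$"
cat > "$RISKY_DUMP" <<'EOF'
[persist.tinno.debug]: [1]
[ro.adb.secure]: [1]
[ro.debuggable]: [1]
[ro.product.model]: [FREDDY]
EOF
cat > "$CLEAN_DUMP" <<'EOF'
[persist.tinno.debug]: [0]
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
EOF

audit_props "$RISKY_DUMP" || echo "risky dump: $? finding(s)"   # 2 findings
audit_props "$CLEAN_DUMP" && echo "clean dump: no findings"
```

On a real device the dump is produced with `adb shell getprop > dump.txt` while the device is already authorised to the host.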
Hey @WikoMobile WTF?
Let's talk about the Wiko Freddy phone.
This phone was released October 2016 and is now selling for 99.99€.
Because of the