As the phone bootloader is unlocked when a thief gets their hands on it, they can boot a custom recovery environment. From the recovery mode, they could use the adb command to access all the data on your device. This bypasses any PIN or password used to secure your device. 4/
-
Show this thread
-
2nd scenario: 1. Shutdown phone 2. Plug to computer 3. Wait charger screen adb is enabled in charging mode
5/pic.twitter.com/SqxmUupUWy
2 replies 4 retweets 20 likesShow this thread -
In this 3rd scenario, let's assume as a hypothesis that the device is not protected. 1. Boot your device 2. "adb shell setprop persist.tinno.debug 1" 6/pic.twitter.com/iit5k5hPmy
2 replies 1 retweet 12 likesShow this thread -
This persist.tinno.debug system property is a backdoor which allow you to have a root shell
As a consequence, you can easily root your device (with bootloader locked). An attacker can also pull the content of sdcard to his computer (SMS, photos, videos,...). 7/1 reply 0 retweets 11 likesShow this thread -
As a summary, I found 3 critical vulnerabilities in the Freddy phone: 1. adb is enabled in charging mode 2. "setprop persist.tinno.debug 1" is enabling adb root 3. "fastboot oem unlock-tinno" is unlocking the bootloader without wiping the device 8/
4 replies 11 retweets 27 likesShow this thread -
These 3 flaws combined allow an attacker with a physical access to steal your data even if your device is password protected. Let's be super clear, these flaws had been created and left by Tinno. This shows that Tinno doesn't care about security. 9/
2 replies 0 retweets 15 likesShow this thread -
So, next time you are buying a cheap phone like this one don't be fooled. You are putting intentionally all your data (SMS, photos, videos,...) in a device with 0 security. It's like buying a new house without a door... 10/10
1 reply 5 retweets 36 likesShow this thread -
cc
@AndroidAuth@AndroidPolice@androidcentral@androidandme@Androidheadline@AndroidPolice@xdadevelopers@AndroidSPIN@TheHackersNews@verge@CNET@VICE@WIRED@JAMESWT_MHT@malwrhunterteam@hackerfantastic@LukasStefanko@twandroid@ANDROIDPIT@FigaroTech@virqdroid@LEXPRESS3 replies 4 retweets 17 likesShow this thread -
Replying to @fs0c131y @WikoMobile and
You should blog all these findings to keep an interesting record, perhaps a wiki of secret codes and known no-fix? Easier to help consumers not get lost in the twitterverse.
2 replies 0 retweets 8 likes -
Replying to @hackerfantastic @WikoMobile and
Sounds like a good advise, I will!
1 reply 0 retweets 8 likes
I just need to find the time to set that properly
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.