Elliot Alderson @fs0c131y, 11 tweets
<Thread> Hi @WikoMobile 👋! Let's talk about the Wiko Freddy phone.
This phone was released October 2016 and is now selling for 99.99€.
Because of @WikoMobile's and Tinno's negligence, I'll show you how your data can be stolen even if your phone is protected by a lock screen. 1/
With the help of 3 critical vulnerabilities left by Tinno, an attacker who manages to get physical access to your device has multiple ways to get your data.
Let's assume as a hypothesis that the device is protected by a PIN code and the developer options are disabled. 2/
1st scenario:
1. Reboot in bootloader mode
2. fastboot oem unlock-tinno
Thanks to this backdoor aka "forgotten" fastboot command, you can unlock the bootloader without wiping your data 🤦‍♂️ 3/
As the phone bootloader is unlocked when a thief gets their hands on it, they can boot a custom recovery environment.
From the recovery mode, they could use the adb command to access all the data on your device. This bypasses any PIN or password used to secure your device. 4/
2nd scenario:
1. Shut down the phone
2. Plug it into a computer
3. Wait for the charger screen
adb is enabled in charging mode 🤦‍♂️ 5/
In this 3rd scenario, let's assume as a hypothesis that the device is not protected.
1. Boot your device
2. "adb shell setprop persist.tinno.debug 1" 6/
This persist.tinno.debug system property is a backdoor which allows you to have a root shell 🤦‍♂️
As a consequence, you can easily root your device (with the bootloader locked). An attacker can also pull the content of the sdcard to his computer (SMS, photos, videos,...). 7/
As a summary, I found 3 critical vulnerabilities in the Freddy phone:
1. adb is enabled in charging mode
2. "setprop persist.tinno.debug 1" enables adb root
3. "fastboot oem unlock-tinno" unlocks the bootloader without wiping the device 8/
These 3 flaws combined allow an attacker with physical access to steal your data even if your device is password protected.
Let's be super clear, these flaws were created and left by Tinno. This shows that Tinno doesn't care about security. 9/
So, next time you are buying a cheap phone like this one, don't be fooled. You are intentionally putting all your data (SMS, photos, videos,...) in a device with 0 security.
It's like buying a new house without a door... 10/10
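Added example, not part of the thread: a small POSIX sh audit that reads a `getprop` dump from a device and flags the vendor debug property named in the summary above, alongside the standard Android properties (`ro.debuggable`, `ro.secure`, `ro.boot.verifiedbootstate`, assumed here to carry their usual AOSP meaning) that indicate a debuggable build or an unlocked bootloader. The getprop sample at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Audit a `getprop` dump for settings that expose a device the way the
# thread describes. Real use:  adb shell getprop | audit_props
# The property names below are either from the thread (persist.tinno.debug)
# or standard AOSP properties (assumed); the sample dump is constructed.

# report prints one finding and counts it (called in audit_props' own shell,
# so the counter update is visible to the final status check).
report() {
    echo "FINDING: $1"
    findings=$((findings + 1))
}

# audit_props reads "[key]: [value]" lines on stdin, prints one FINDING per
# risky setting and returns 0 when the dump is clean, 1 when it is not.
audit_props() {
    findings=0
    while IFS= read -r line; do
        key=${line#\[}; key=${key%%\]*}     # text between the first [ ]
        val=${line##*\[}; val=${val%\]}     # text between the last  [ ]
        case "$key" in
            persist.tinno.debug)            # the property named in the thread
                [ "$val" = "1" ] && report "$key=$val: vendor debug property set, adb root available"
                ;;
            ro.debuggable)                  # standard AOSP build property
                [ "$val" = "1" ] && report "ro.debuggable=1: debuggable build, adbd may run as root"
                ;;
            ro.secure)                      # standard AOSP build property
                [ "$val" = "0" ] && report "ro.secure=0: adbd does not drop privileges"
                ;;
            ro.boot.verifiedbootstate)      # green = locked and verified
                [ "$val" != "green" ] && report "verifiedbootstate=$val: bootloader unlocked or boot image not verified"
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample of a getprop dump from an exposed device (2 findings).
SAMPLE='[persist.tinno.debug]: [1]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.boot.verifiedbootstate]: [orange]'

if printf '%s\n' "$SAMPLE" | audit_props; then
    echo "no findings"
else
    echo "device is exposed"
fi
```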