DEF CON - Kryptowire

| OEM | Model | OS Version | Description | Attack Requirements | Build Fingerprint |
| --- | --- | --- | --- | --- | --- |
| ZTE | ZMAX Pro | 6.0.1 | Send text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain the numbers of contacts and numbers of people that the user has texted | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | Blade Spark | 7.1.1 | Obtain the logcat log, which gets written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys |
| ZTE | Blade Vantage | 7.1.1 | A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the sent and received text messages and the call data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys |
| Vivo | V7 | 7.1.2 | Record the screen and write it to the app's private directory. A notification and floating icon pop up initially, but these can be quickly removed. | Local app on the device that does not require any permissions | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log, which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and the vulnerability above, you can capture the input of the user (where they touch the screen) and the bluetooth snoop log. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Sony | Xperia L1 | 7.0 | Take screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys |
| SKY | Elite 6.0L+ | 6.0 | Command execution as the system user via old version of Adups software | Local app on the device that does not require any permissions | SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys |
| Plum | Compass | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys |
| Orbic | Wonder | 7.1 | Pairing with the vulnerability above, the user can get the body of text messages and call data since the default messaging app is in debug mode, so the telephony data is written to the log. The log is written to the sdcard so any app can use the vulnerability above to get this data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows the user to obtain the logcat log that gets written to the sdcard continuously. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app with so it will not show up in the recent apps list and then dismiss it by going to the home screen so it will not be accessible to the user. It will continuously write the log file to the sdcard. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Oppo | F5 | 7.1.1 | Surreptitiously audio record the user and write it to the sdcard. This does require the command execution as system user to copy the recording file. | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Oppo | F5 | 7.1.1 | Command execution as the system user | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Nokia | 6 TA-1025 | 7.1.1 | Take screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | Nokia/TA-1025_00WW/PLE:7.1.1/NMF26F/00WW_3_32F:user/release-keys |
| MXQ | TV Box | 4.4.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| MXQ | TV Box | 4.4.2 | Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| LG | G6 | 7.0 | Can lock a user out of their own phone (even in safe mode) and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it, which may be difficult for the average user. This acts as a Denial of Service attack and results in data loss if a factory reset occurs. | Local app on the device that does not require any permissions | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the logcat logs continuously, which are not available to third party apps since they leak sensitive user data. The log file can be written to the app's private directory by using path traversal. | Local app on the device and INTERNET permission to send out the data. | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the kernel log and also the logcat log, which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone IMEI and serial number. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| Leagoo | Z5C | 6.0 | Read the last text message from each conversation. The last message will contain the phone number, text body, timestamp, and the contact's name (if any) | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | P1 | 7.0 | Take screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also perform this behavior to get root privileges. | Physical access to device | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | Z5C | 6.0 | Send text messages | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | Z5C | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Essential | Essential | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | essential/mata/mata:7.1.1/NMJ88C/464:user/release-keys & essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys |
| Doogee | X5 | 6.0 | Video record of the screen. This capability can be used in a similar way as taking screenshots by opening apps that show the user's messages. The recording is not transparent to the user. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the INTERNET permission to send out the data | DOOGEE/full_hct6580_weg_c_m/hct6580_weg_c_m:6.0/MRA58K/1479906828:user/test-keys |
| Coolpad | Revvl Plus | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Obtain the logcat logs, kernel logs, and tcpdump capture which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi passwords, and other system data) that gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receiving telephone numbers for text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Arbitrary app installation over the internet. Then this app can also be uninstalled after it is run using the same interface. | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Take screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and EXPAND_STATUS_BAR permission is needed to expand the status bar | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max & ZenFone V Live | 7.0 | Command execution as the system user | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys & asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1709.56-20171017:user/release-keys |
| Alcatel | A30 | 7.0 | Take screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
| Alcatel | A30 | 7.0 | Local root privilege escalation via ADB. The vendor allows read only properties to be modified. They could also perform this behavior to get root privileges. This was an Amazon Prime exclusive device. | The user needs physical access to the device and needs to bypass the screen-lock if it exists | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |