CVE-2019-20468

9.8 CRITICAL

📋 TL;DR

The SeTracker2 Android app (version 3.1042.9.8656) that pairs with TK-Star Q90 Junior GPS watches declares permissions its tracking function does not need: READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE and READ_CONTACTS. Once granted, those permissions give the app, any third-party SDK bundled into it, and anyone who compromises it read access to photos and files on shared storage and to the phone's contact list, with no further user prompt. The phones of parents running SeTracker2 with a Q90 Junior watch are affected.

💻 Affected Systems

Products:
  • TK-Star Q90 Junior GPS watch with SeTracker2 app
Versions: 3.1042.9.8656
Operating Systems: Android (app)
Default Config Vulnerable: ⚠️ Yes
Notes: The weakness is in the Android companion app that pairs with the watch, not in the watch itself; this CVE does not describe the watch firmware. The exposure is on the phone running SeTracker2.

📦 What is this software?

SeTracker2 is the Android companion app for TK-Star's Q90 Junior children's GPS watch. It pairs with the watch and is used to configure it and to view its reported location.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A SeTracker2 build, a bundled SDK, or a vulnerability in the app gives an attacker control of the app's process; with the granted permissions it silently copies every photo and file on shared storage and the full contact list off the parent's phone, enabling identity theft, blackmail or targeted follow-on attacks.

🟠

Likely Case

Data on shared storage and the contact list is collected by the app or a third-party component inside it and sent to a server, without the user realising that a watch-tracking app had any reason to read them. The unneeded grants also turn any later vulnerability in the app into a data-theft issue.

🟢

If Mitigated

If the Contacts and Storage permissions are denied (Android 6.0 and later let the user deny them individually while keeping the app installed), the app cannot read contacts or shared storage even if it is compromised; an attempt then fails or raises a visible permission prompt instead of succeeding silently.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

There is no exploit in the usual sense. The weakness is that the app, once its permissions are granted, can read the contact list and read and write shared storage (photos, downloads, documents) although its tracking function does not need to. Abusing that requires control of the SeTracker2 process: a trojanised build, a malicious or compromised SDK inside the app, or a vulnerability in the app itself. A separate malicious app on the same phone cannot use SeTracker2's grants unless SeTracker2 exposes them through an exported component. No public exploit code exists, and none is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tk-star.com

Restart Required: No

Instructions:

1. Check the TK-Star website and the Google Play Store for a SeTracker2 release newer than 3.1042.9.8656.
2. Update the app, then confirm under Settings > Apps > SeTracker2 > Permissions that Contacts and Storage are no longer requested. No fixed version has been published, so a newer build is not automatically fixed.
3. Re-pair the watch with the updated app if the update requires it.

🔧 Temporary Workarounds

Revoke unnecessary app permissions

android

Deny the Contacts and Storage permissions to the SeTracker2 app in Android settings. This works on Android 6.0 and later, where these are runtime permissions; the Storage entry may carry a different label depending on the Android version. Pairing and tracking keep working if the app truly does not need the grants; if a feature stops working after the denial, that feature was relying on the permission.

Settings > Apps > SeTracker2 > Permissions > Deny: Storage, Contacts

Use app permission manager

android

Use a permission-monitoring security app, or an MDM/EMM profile on managed devices, to keep the denial in place and alert if the permission is granted again. Android 11 and later also reset the permissions of apps that have gone unused for some months, but do not rely on that alone.

🧯 If You Can't Patch

  • Uninstall the SeTracker2 app and unpair the watch (unpairing alone leaves the app and its permission grants in place)
  • Use a different GPS tracking app that follows permission best practices

🔍 How to Verify

Check if Vulnerable:

Open Android Settings > Apps > SeTracker2 and note the version. 3.1042.9.8656 is the affected build; because no fixed version has been published, also open Permissions and treat any build that still lists Contacts and Storage (READ_CONTACTS, READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE) as affected, whatever its version.

Check Version:

adb shell dumpsys package com.tkstar.setracker2 | grep versionName

The package name in this command is the one this page gives; confirm it on the device by listing installed packages over adb (pm list packages) before trusting an empty result. The same dumpsys output also contains the "requested permissions:" block (everything declared in the manifest) and, per user, the "runtime permissions:" block showing granted=true or granted=false for each one.

Verify Fix Applied:

After updating, the dumpsys "requested permissions:" list (or the app's Permissions screen) should no longer contain READ_CONTACTS, READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE. If the updated build still requests them, keep them denied as described under Temporary Workarounds.
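Added example, not from this page or from TK-Star: a POSIX shell script that pulls the version and the state of the three flagged permissions out of a dumpsys package dump, so the Check Version and Verify Fix steps above, together with the revocation workaround, can be run in one go and scripted across several phones. The package name com.tkstar.setracker2 is assumed from the adb command above; the dumpsys text embedded in the script is a constructed sample in dumpsys' layout, not a capture from a real device.

```shell
#!/bin/sh
# Added example, not code from the advisory or from TK-Star: audit an Android
# "dumpsys package" dump for the permissions CVE-2019-20468 flags and report
# which are merely declared in the manifest vs. actually granted at runtime.
#
# ASSUMPTION: the package name below is the one quoted in the advisory's adb
# command; confirm it on the device first:
#   adb shell pm list packages | grep -i setracker
PKG="${PKG:-com.tkstar.setracker2}"

# The permissions the advisory says the app does not need.
FLAGGED="android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_CONTACTS"

# Extract versionName from a dumpsys dump (file path in $1).
get_version() {
    grep -o 'versionName=[^ ]*' "$1" | head -n 1 | cut -d= -f2
}

# For each flagged permission print "<perm> requested=<y|n> granted=<y|n>".
# Returns 1 if any flagged permission is both requested and granted, else 0.
audit_permissions() {
    dump="$1"
    bad=0
    for perm in $FLAGGED; do
        # Manifest permissions appear as bare lines under "requested permissions:".
        if grep -q "^ *$perm\$" "$dump"; then requested=y; else requested=n; fi
        # Install/runtime grants appear as "<perm>: granted=true".
        if grep -q "^ *$perm: granted=true" "$dump"; then granted=y; else granted=n; fi
        printf '%s requested=%s granted=%s\n' "$perm" "$requested" "$granted"
        if [ "$requested" = y ] && [ "$granted" = y ]; then bad=1; fi
    done
    return "$bad"
}

# CONSTRUCTED sample in the shape dumpsys prints, so the script runs with no
# device attached; it is not a capture from a real watch-paired phone.
write_sample_dump() {
    cat > "$1" <<'EOF'
Packages:
  Package [com.tkstar.setracker2]:
    versionName=3.1042.9.8656
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0:
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
EOF
}

# Demo on the sample. Against a real phone, replace the sample with:
#   adb shell dumpsys package "$PKG" > dump.txt
sample="$(mktemp)"
write_sample_dump "$sample"
echo "SeTracker2 versionName: $(get_version "$sample")"
if audit_permissions "$sample"; then
    echo "no flagged permission is granted"
else
    echo "flagged permission(s) granted; revoke each with, e.g.:"
    echo "  adb shell pm revoke $PKG android.permission.READ_CONTACTS"
fi
rm -f "$sample"
```

The script separates "requested" (declared in the manifest, which only a vendor update can change) from "granted" (the runtime state the user or an MDM controls), because the fix and the workaround act on different ones: a patched build should drop the permissions from the requested list, while the workaround only flips granted to false. `pm revoke` is the adb equivalent of the Settings path given above and works for runtime permissions on Android 6.0 and later.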

📡 Detection & Monitoring

Log Indicators:

  • Stock Android writes no per-file or per-contact access log, so there is no log line saying "SeTracker2 read the contacts". What the platform keeps is the per-app permission state and the last time each permission's operation was used (the appops service, queryable over adb, and on Android 12 and later the Privacy Dashboard / permission usage screen): a recent READ_CONTACTS or storage access by SeTracker2 with no user action behind it is the indicator.
  • On devices enrolled in an MDM/EMM, the app inventory report listing SeTracker2 with Contacts or Storage granted.

Network Indicators:

  • Outbound transfers from the phone that are large relative to the watch's location and chat traffic, or that go to hosts other than the vendor's tracking backend, time-correlated with SeTracker2 activity. Without on-device or MDM data, network telemetry alone cannot attribute traffic to this app.

SIEM Query:

source="android" app="SeTracker2" (event="permission_granted" OR event="file_access")

This query is a template: Android exports no such events itself, so the source and event names must be mapped onto the fields your MDM/EMM or mobile threat defence product actually ships.
