CVE-2023-38291
📋 TL;DR
This vulnerability allows any local app on affected Android devices to access the Wi-Fi MAC address without permissions, bypassing Android 10+ restrictions on non-resettable identifiers. It affects TCL 30Z, TCL 10L, Motorola Moto G Pure, and Motorola Moto G Power devices with specific software builds. The MAC address leak occurs through the ro.boot.wifimacaddr system property exposed by a high-privilege process.
💻 Affected Systems
- TCL 30Z (A3X)
- TCL 10L
- Motorola Moto G Pure
- Motorola Moto G Power
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Persistent device tracking across apps and services, enabling targeted advertising, location tracking, and correlation of user activities despite device resets or app uninstalls.
Likely Case
Advertising networks and analytics services using the MAC address for persistent device identification and tracking, potentially violating user privacy expectations.
If Mitigated
Limited tracking capability, as the MAC address alone provides less value without other identifiers, though it still enables some device correlation.
🎯 Exploit Status
Exploitation requires installing a malicious app that reads the ro.boot.wifimacaddr system property. No special permissions needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided in CVE
Restart Required: No
Instructions:
Check with the device manufacturer for firmware updates. For TCL and Motorola devices, monitor official security bulletins for patch availability.
🔧 Temporary Workarounds
Restrict app installations
Only install apps from trusted sources like Google Play Store and avoid sideloading unknown apps.
Use MAC randomization
Enable MAC randomization in Wi-Fi settings to use random MAC addresses when connecting to networks.
🧯 If You Can't Patch
- Replace affected devices with patched models or different manufacturers
- Implement network-level MAC address filtering and monitoring for unusual device behavior
🔍 How to Verify
Check if Vulnerable:
Check the device build fingerprint in Settings > About Phone. Compare it against the vulnerable fingerprints listed in the CVE description.
Check Version:
adb shell getprop ro.build.fingerprint
Verify Fix Applied:
After the manufacturer update, verify that the build fingerprint no longer matches the vulnerable versions. Test with an app that reads system properties to confirm ro.boot.wifimacaddr is no longer accessible.
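The verification steps above as a script, added here as an example (not part of the original advisory or any vendor tooling). It assumes adb access to the device and a hypothetical local file `vulnerable_fingerprints.txt` holding the fingerprints you copy from the CVE description; `adb shell` runs in the shell domain rather than an app sandbox, so treat the property read as a first-pass check.

```shell
#!/bin/sh
# Added example: first-pass check for CVE-2023-38291 exposure over adb.
# KNOWN_BAD_FILE is a hypothetical local file, one vulnerable build fingerprint
# per line, filled in by you from the CVE description (none are reproduced here).
KNOWN_BAD_FILE="${KNOWN_BAD_FILE:-vulnerable_fingerprints.txt}"

# classify_mac VALUE -> not-exposed | exposed-factory | exposed-local | unexpected
classify_mac() {
    v=$(printf '%s' "$1" | tr -d '\r' | tr 'A-F' 'a-f')
    if [ -z "$v" ]; then
        echo "not-exposed"      # property unset or read denied
        return 0
    fi
    if ! printf '%s\n' "$v" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo "unexpected"       # readable, but not a colon-separated MAC
        return 0
    fi
    # Bit 1 of the first octet marks a locally administered address (randomized
    # MACs set it); when clear, the value is a vendor-assigned, persistent MAC.
    first=$((0x${v%%:*}))
    if [ $((first & 2)) -eq 0 ]; then
        echo "exposed-factory"
    else
        echo "exposed-local"
    fi
}

# fingerprint_listed FINGERPRINT FILE -> exit 0 only on an exact whole-line match
fingerprint_listed() {
    [ -f "$2" ] && grep -Fxq -- "$1" "$2"
}

check_device() {
    fp=$(adb shell getprop ro.build.fingerprint | tr -d '\r')
    mac=$(adb shell getprop ro.boot.wifimacaddr | tr -d '\r')
    if fingerprint_listed "$fp" "$KNOWN_BAD_FILE"; then
        echo "fingerprint: LISTED as vulnerable ($fp)"
    else
        echo "fingerprint: not listed ($fp)"
    fi
    echo "ro.boot.wifimacaddr: $(classify_mac "$mac")"
}

# Query a connected device only when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then
    check_device
fi
```

A result of `exposed-factory` after a vendor update means the property is still readable from the shell domain and the in-app test described above should be repeated.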
📡 Detection & Monitoring
Log Indicators:
- Apps accessing system properties without appropriate permissions
- Unusual MAC address queries from userland apps
Network Indicators:
- MAC address being transmitted to unexpected external endpoints
SIEM Query:
process_name:package_installer AND target_package_permissions:system_property_read
🔗 References
- https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf