CVE-2023-38293
📋 TL;DR
This vulnerability allows local third-party apps on affected Nokia Android devices to execute arbitrary AT commands with radio user privileges via AT command injection in a pre-installed app. No permissions or user interaction are required beyond installing a malicious app. Only Nokia C200 and C100 devices with specific software builds are affected.
💻 Affected Systems
- Nokia C200
- Nokia C100
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise including unauthorized network access, SIM manipulation, call/SMS interception, device tracking, and potential baseband-level attacks.
Likely Case
Unauthorized AT command execution allowing SIM manipulation, call forwarding, SMS interception, and device information extraction.
If Mitigated
Limited impact with proper app isolation and input validation preventing command injection.
🎯 Exploit Status
Exploitation requires installing a malicious app but no permissions or user interaction. Two injection techniques are documented in the DEF CON presentation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided in CVE
Restart Required: No
Instructions:
1. Check for manufacturer security updates.
2. If an update is available, install it via Settings > System > System update.
3. Monitor Nokia/Tracfone security advisories.
🔧 Temporary Workarounds
Disable vulnerable app
Disable the com.tracfone.tfstatus app to prevent exploitation
adb shell pm disable-user --user 0 com.tracfone.tfstatus
Remove app via ADB
Remove the vulnerable app package (requires root or system privileges)
adb shell pm uninstall -k --user 0 com.tracfone.tfstatus
🧯 If You Can't Patch
- Disable or restrict installation of third-party apps from unknown sources
- Use mobile device management (MDM) to monitor for suspicious AT command execution
🔍 How to Verify
Check if Vulnerable:
Check device build fingerprint: Settings > About phone > Build number. Compare with vulnerable fingerprints in CVE description.
Check Version:
adb shell dumpsys package com.tracfone.tfstatus | grep version
Verify Fix Applied:
Verify com.tracfone.tfstatus app is disabled or removed: adb shell pm list packages | grep tracfone
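The check above, as an added example (not part of the original advisory or any vendor tooling): because an unfiltered `pm list packages` also lists disabled packages, this script queries the enabled (`-e`) and disabled (`-d`) lists for user 0 separately and reports whether the package is enabled, disabled, or absent. The function names and the `--device` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: classify the state of the tfstatus package for user 0.
PKG="com.tracfone.tfstatus"

# Constructed sample listing (not captured from a real device).
SAMPLE_DISABLED='package:com.android.settings
package:com.tracfone.tfstatus'

# has_pkg LISTING: succeeds if LISTING (output of `pm list packages ...`)
# contains an exact "package:$PKG" line. -F/-x avoid matching look-alike
# names such as com.tracfone.tfstatus.helper; tr strips adb's CRs.
has_pkg() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$PKG"
}

# classify_state ENABLED_LIST DISABLED_LIST
#   ENABLED_LIST  = output of: pm list packages -e --user 0
#   DISABLED_LIST = output of: pm list packages -d --user 0
classify_state() {
    if has_pkg "$1"; then
        echo "enabled"
    elif has_pkg "$2"; then
        echo "disabled"
    else
        echo "absent"
    fi
}

# check_device: query a connected device over adb and print the build
# fingerprint plus the package state. Returns non-zero if still enabled.
check_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    fp=$(adb shell getprop ro.build.fingerprint | tr -d '\r')
    en=$(adb shell pm list packages -e --user 0)
    dis=$(adb shell pm list packages -d --user 0)
    state=$(classify_state "$en" "$dis")
    echo "fingerprint: $fp"
    echo "$PKG: $state"
    [ "$state" != "enabled" ]
}

if [ "${1:-}" = "--device" ]; then
    check_device
else
    # Offline demo on the constructed sample.
    classify_state "" "$SAMPLE_DISABLED"
fi
```

Run it with `--device` against an attached phone; compare the printed fingerprint with the vulnerable fingerprints in the CVE description.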
📡 Detection & Monitoring
Log Indicators:
- AT command execution from non-system apps
- Broadcast intents to com.tracfone.tfstatus/.TFStatus
Network Indicators:
- Unexpected AT command sequences to modem
- SMS/call anomalies
SIEM Query:
process:com.tracfone.tfstatus AND (event:AT_command OR intent:broadcast)
🔗 References
- https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf