VYPR
Unrated severity · NVD Advisory · Published Feb 1, 2021 · Updated Aug 5, 2024

CVE-2019-20470

Description

TK-Star Q90 Junior GPS watches can be remotely abused via unauthenticated SMS commands to initiate calls, leak the password, or extract GPS coordinates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The TK-Star Q90 Junior GPS watch (firmware version 3.1042.9.8656) accepts several SMS commands with no authentication or authorization check beyond a static default password that is often shared across devices and rarely changed by users. The device processes commands such as pw,<password>,call,<mobile_number> to initiate outbound calls, and a separate command returns the password itself (the subject of CVE-2019-20471). Because knowledge of the default password is all that is required, the attack is trivial. Affected product: TK-Star Q90 Junior GPS watch, version 3.1042.9.8656 [1].

Exploitation

An attacker needs only the watch's phone number and any handset that can send SMS; no network proximity or prior authentication is required. The attacker sends a command to the watch's SIM number using the default password (e.g. pw,<default_password>,call,<attacker_phone_number>), and the watch places an outbound cellular voice call to that number, opening an audio channel to the wearer's surroundings. If the password has been changed, the attacker can first recover it with the separate password-disclosure command (CVE-2019-20471) [1].
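To make the authorization gap concrete, the following is an added Python model, written for this page and not taken from TK-Star firmware (whose internals are not public), of an SMS command handler with the weakness described in the Vulnerability and Exploitation sections, next to a hardened variant. The command grammar pw,<password>,call,<number> follows the examples above; the default password value, the `password` action name standing in for the disclosure command of CVE-2019-20471, the administrator allowlist, the lockout threshold and the phone numbers are all assumptions made for the example.

```python
"""Illustrative model of SMS command authorization on a GPS tracker watch.

Not TK-Star code. The grammar pw,<password>,<action>[,<arg>] follows the
examples on the page; everything else below is an assumption for the demo.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional
import hmac

DEFAULT_PASSWORD = "123456"  # ASSUMPTION: stand-in for the shared factory default


@dataclass
class SmsCommand:
    password: str
    action: str
    args: List[str]


def parse_command(text: str) -> Optional[SmsCommand]:
    """Parse 'pw,<password>,<action>[,<arg>...]'; a trailing '#' is tolerated."""
    parts = text.strip().rstrip("#").split(",")
    if len(parts) < 3 or parts[0] != "pw":
        return None
    return SmsCommand(password=parts[1], action=parts[2].lower(), args=parts[3:])


@dataclass
class WeakWatch:
    """Vulnerable model: any sender who knows the (usually default) password is obeyed."""
    password: str = DEFAULT_PASSWORD
    calls: List[str] = field(default_factory=list)

    def handle_sms(self, sender: str, text: str) -> str:
        cmd = parse_command(text)
        if cmd is None:
            return "ignored"
        if cmd.password != self.password:          # the only check: a shared static secret
            return "bad password"
        if cmd.action == "call" and cmd.args:
            self.calls.append(cmd.args[0])         # dials whatever number the SMS names
            return f"calling {cmd.args[0]}"
        if cmd.action == "password":               # ASSUMPTION: placeholder name for the disclosure command
            return f"password is {self.password}"  # leaks the credential back over SMS
        return "unknown command"


@dataclass
class HardenedWatch:
    """Hardened model: registered senders only, non-default password, lockout, no disclosure."""
    password: str
    admin_numbers: FrozenSet[str]
    max_failures: int = 5
    failures: int = 0
    calls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.password == DEFAULT_PASSWORD or len(self.password) < 8:
            raise ValueError("refusing to run with the factory default or a short password")

    def handle_sms(self, sender: str, text: str) -> str:
        cmd = parse_command(text)
        if cmd is None:
            return "ignored"
        if sender not in self.admin_numbers:       # 1. only registered administrators, silently
            return "ignored"
        if self.failures >= self.max_failures:     # 2. lockout bounds password guessing
            return "locked"
        if not hmac.compare_digest(cmd.password.encode(), self.password.encode()):
            self.failures += 1                     # 3. constant-time compare, count failures
            return "bad password"
        self.failures = 0
        if cmd.action == "call" and cmd.args:
            target = cmd.args[0]
            if target not in self.admin_numbers:   # 4. only call back to registered numbers
                return "refused: target not registered"
            self.calls.append(target)
            return f"calling {target}"
        if cmd.action == "password":
            return "refused"                       # 5. never echo credentials over SMS
        return "unknown command"


def demo() -> dict:
    """Run the attack from the page against both models (numbers are constructed)."""
    attacker, parent = "+15550001111", "+15550002222"
    weak = WeakWatch()
    hard = HardenedWatch(password="correct-horse-battery", admin_numbers=frozenset({parent}))
    attack = f"pw,{DEFAULT_PASSWORD},call,{attacker}"
    return {
        "weak": weak.handle_sms(attacker, attack),
        "hard_attacker": hard.handle_sms(attacker, attack),
        "hard_parent_default": hard.handle_sms(parent, attack),
        "hard_parent_ok": hard.handle_sms(parent, f"pw,correct-horse-battery,call,{parent}"),
        "weak_calls": weak.calls,
        "hard_calls": hard.calls,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened variant still trusts the SMS originating address, which can be spoofed through some gateways, so the allowlist is a hurdle rather than real authentication; a robust fix would bind commands to an authenticated data channel or a per-device secret that is never readable back from the watch.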

Impact

A successful attack lets a remote attacker make the watch call any telephone number, effectively turning it into a covert listening device and severely compromising the wearer's privacy. No privileges on the device are needed beyond knowledge of the password, and the call is placed under the watch's normal cellular plan, so the victim may also bear the charges [1].

Mitigation

As of the publication date (2021-02-01), TK-Star has released no firmware update or patch for this vulnerability, and the product may be end-of-life and unsupported. Users should change the default password via SMS where the device allows it, remove or disable the SIM card when the watch is not in active use, or stop using the device. Changing the password offers little protection while the password-disclosure command of CVE-2019-20471 remains exploitable, so removing the SIM or retiring the device is the only reliable option. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • TK-Star/Q90 Junior GPS watch
  • star/star (llm-fuzzy match)
    Range: = 3.1042.9.8656

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.