CVE-2019-20471
Description
TK-Star Q90 Junior GPS watch uses a hardcoded default administrative password (123456) with no prompt to change it, enabling unauthorized access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TK-Star Q90 Junior GPS horloge (firmware version 3.1042.9.8656) ships with a hardcoded default administrative password of 123456. During initial setup, the device does not prompt the user to change this password, leaving the administrative interface accessible with known credentials [1].
Exploitation
An attacker who can reach the device's administrative interface (e.g., over the network or via Bluetooth) can authenticate using the default password 123456. No prior authentication or user interaction is required. The password can also be used in conjunction with another vulnerability (CVE-2019-20470) to escalate access [1].
Impact
Successful exploitation grants the attacker full administrative control over the device. This can lead to unauthorized access to sensitive data (e.g., location history, personal information), modification of device settings, or further compromise of the device and associated accounts [1].
Mitigation
As of the publication date (2021-02-01), no firmware update or official workaround has been released by TK-Star to address this issue. Users are advised to contact the vendor for guidance and to monitor for future updates. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- TK-Star/Q90 Junior GPS horloge
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.