CVE-2019-20473
Description
The TK-Star Q90 Junior GPS smartwatch enforces a non-PIN-protected SIM card, preventing use with a PIN and enabling easier unauthorized SIM reuse if the device is stolen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TK-Star Q90 Junior GPS horloge (firmware version 3.1042.9.8656) has an intentional design restriction that prevents users from configuring a PIN on the SIM card inserted into the device [1]. If a user attempts to set a PIN, the device displays a “Remove PIN and restart!” message and refuses to operate, effectively enforcing the use of an unprotected SIM card. This behavior is not a traditional software bug but a deliberate constraint built into the device's firmware.
Exploitation
An attacker who physically steals or gains temporary access to the device can remove the SIM card and insert it into another phone or modem [1]. Because the SIM card has no PIN lock, the attacker can immediately use the card for its cellular services (voice, SMS, data) without needing to bypass any SIM-level authentication. No additional authentication or user interaction beyond physical possession of the device is required.
Impact
Successful exploitation results in a loss of confidentiality and availability of the SIM card’s services. The attacker can make calls, send messages, or use mobile data on the victim’s mobile subscription, potentially incurring charges or exposing private communications. The legitimate user cannot prevent this by setting a PIN, as the device prohibits it [1]. This design flaw undermines basic SIM theft protection.
Mitigation
As of the last available reference (February 2021), TK-Star has not released a firmware update or workaround to allow PIN-protected SIM cards [1], [2]. Users are advised to physically secure the device to prevent theft, and to contact the vendor for possible future updates. No known fix is documented in the disclosed references. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TK-Star/Q90 Junior GPS horloge
Patches
No patches discovered yet.
References