CVE-2023-38296 in 30Z
Summary
by MITRE • 04/22/2024
Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL 30Z (TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU5P:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU61:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU66:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU68:user/release-keys, TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6P:user/release-keys, and TCL/T602DL/Jetta_TF:12/SP1A.210812.016/vU6X:user/release-keys) and TCL A3X (TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAAZ:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB3:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vAB7:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABA:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABM:user/release-keys, TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABP:user/release-keys, and TCL/A600DL/Delhi_TF:11/RKQ1.201202.002/vABS:user/release-keys). A malicious app reads from the "persist.sys.tctPowerIccid" system property to indirectly obtain the ICCID.
Analysis
by VulDB Data Team • 04/22/2024
This vulnerability represents a critical privacy and security flaw in specific TCL smartphone models where the ICCID (Integrated Circuit Card Identifier) is exposed through system properties accessible to any local application. The ICCID serves as a unique identifier for SIM cards and is considered a non-resettable device identifier under Android security policies. The vulnerability stems from improper privilege management within the device's system framework where high-privilege processes inadvertently expose sensitive SIM card information through the persist.sys.tctPowerIccid system property. This creates an indirect information disclosure channel that bypasses Android's built-in protections designed to prevent third-party applications from accessing such identifiers directly. The affected devices include TCL 30Z and TCL A3X models running specific Android versions, with software builds that have been fingerprinted to identify the vulnerable configurations.
The technical mechanism is a breakdown in Android's security model: the system property that holds the ICCID is not secured against unauthorized access. Under CWE-200 this is an information exposure vulnerability, in which sensitive data is made available to unauthorized actors. The flaw operates through the Android system property mechanism: a high-privilege process writes the ICCID to a persistent system property that lacks proper access controls, and any local application can then read that property without special permissions or elevated privileges, which amounts to an unintended information-disclosure channel. This violates the Android Security Model's principle that device identifiers should be protected from unauthorized access even when they are not exposed through standard APIs. The vulnerability is particularly concerning because it bypasses the protections introduced in Android 10 and higher that specifically restricted access to non-resettable identifiers.
The operational impact of this vulnerability extends beyond simple information disclosure to potential exploitation vectors for malicious actors. Attackers can use the flaw to track users across applications and services, as the ICCID provides a persistent identifier that remains unchanged across device reboots and SIM card changes. Such a persistent identifier can be used for user profiling, targeted advertising, or more sophisticated tracking that circumvents normal privacy protections. The vulnerability also creates opportunities for SIM card cloning attacks or for bypassing fraud detection, as the ICCID is often used in authentication processes and network access controls. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter) and T1068 (Exploitation for Privilege Escalation), as attackers can indirectly access privileged information through legitimate system interfaces. The ability to read the ICCID without permissions creates a persistent threat vector that can be exploited for long-term surveillance and tracking.
Mitigation strategies for this vulnerability require both immediate and long-term approaches to address the root cause. Device manufacturers must implement proper access controls on system properties containing sensitive information, ensuring that only authorized system processes can read or write to these properties. The fix should involve modifying the system property access permissions to restrict reads to only high-privilege processes that require the ICCID for legitimate system functions. Additionally, the affected TCL devices should receive firmware updates that either remove the direct exposure of the ICCID through system properties or implement proper permission controls. Security researchers and device manufacturers should also consider implementing runtime monitoring to detect unauthorized access patterns to system properties containing device identifiers. Organizations should implement network-level monitoring to detect potential abuse of this information and establish proper incident response procedures for cases where this information might be compromised. The vulnerability highlights the importance of proper privilege separation and access control mechanisms in mobile operating systems, particularly when dealing with sensitive device identifiers that are protected by design in modern security models.
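As an added audit example (not code from the advisory, MITRE or TCL), the following Python script parses an `adb shell getprop` dump and reports every property, not only the one named above, whose value has the shape and Luhn checksum of an ICCID, which is the kind of check a fleet or firmware review can run to catch this class of leak. The sample dump, the ICCID in it and the two decoy property names are constructed.

```python
"""Audit a `getprop` dump for ICCID-shaped values (constructed example)."""
import re

# One `[name]: [value]` pair per line, as printed by `adb shell getprop`.
GETPROP_LINE = re.compile(r"^\[(?P<name>[^\]]+)\]: \[(?P<value>.*)\]$")
# ICCIDs (ITU-T E.118) start with major industry identifier 89 and are 19-20
# digits long, the last one being a Luhn check digit.
ICCID_SHAPE = re.compile(r"^89\d{17,18}$")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_getprop(dump: str) -> dict:
    """Parse getprop output into {name: value}; unparseable lines are skipped."""
    props = {}
    for line in dump.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("name")] = m.group("value")
    return props

def find_iccid_leaks(props: dict) -> dict:
    """Return the properties whose value has the shape and checksum of an ICCID."""
    return {n: v for n, v in props.items() if ICCID_SHAPE.match(v) and luhn_valid(v)}

# Constructed sample dump. The ICCID is made up but Luhn-valid; the two
# decoys fail the prefix check and the Luhn check respectively.
SAMPLE_DUMP = """\
[ro.build.fingerprint]: [TCL/4188R/Jetta_ATT:12/SP1A.210812.016/LV8E:user/release-keys]
[ro.build.version.release]: [12]
[persist.sys.tctPowerIccid]: [8901260123456789011]
[persist.vendor.counter]: [1234567890123456789]
[persist.vendor.decoy]: [8901260123456789012]
"""

if __name__ == "__main__":
    for name, value in find_iccid_leaks(parse_getprop(SAMPLE_DUMP)).items():
        print(f"{name} exposes an ICCID-shaped value: {value}")
```

On a real device, feed it the output of `adb shell getprop`; a hit means the value is readable by every unprivileged process, which is the condition the advisory describes.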