TCL devices vulnerable to IMEI leak through high-privilege process

CVE-2023-38298

What is CVE-2023-38298?

Certain TCL devices, including models 30Z, A3X, 20XE, and 10L, exhibit a vulnerability that permits local applications to access the device's IMEI number via a system property. This occurs without any permissions or special privileges, undermining user privacy. Android's restrictions enacted in version 10 aimed to prevent third-party apps from directly accessing such non-resettable identifiers. However, in the case of these TCL devices, high-privilege processes inadvertently expose sensitive information, allowing malicious applications to indirectly extract the IMEI by reading from the 'gsm.device.imei0' system property. This poses significant risks for end-users, as unauthorized access to device identifiers can lead to tracking and other malicious activities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References