U2-I2

An one-stop solution to explore user unresettable identifiers (UUIs) leakage on your Android smartphone.

© 2023. All rights reserved.

CVEs

Table of Common Vulnerabilities and Exposures (CVEs) found in this study

CVE ID Affected Devices Involved UUIs Severity* Vendor Advisory$
CVE-2020-12488 Vivo (G10) Serial 5.5 MEDIUM [Link, Snapshot]
CVE-2020-14103 Xiaomi (H10, H11) Serial 5.5 MEDIUM [Link, Snapshot]
CVE-2020-14105 Xiaomi (H10, H11) Misc UUI (sno) 5.5 MEDIUM [Link, Snapshot]
CVE-2021-0428 Pixel (AOSP 10) ICCID 5.5 MEDIUM [Link, Snapshot]
CVE-2021-25344 Samsung (E10) Serial 5.5 MEDIUM [Link+, Snapshot]
CVE-2021-25358 Samsung (E10) IMSI 3.3 LOW [Link#, Snapshot]
CVE-2021-26278 Vivo (G10) WiFi MAC 6.3 MEDIUM [Link, Snapshot]
CVE-2021-37055 Huawei (A10) ICCID 5.3 MEDIUM [Link, Snapshot]

* According to NIST NVD CVSS 3.x Severity and Metrics scoring standard.
$ All the URLs listed are accessed on 20 September 2022.
+ In the section “SMR-MAR-2021” of the webpage.
# In the section “SMR-APR-2021” of the webpage.

More details about CVE-2021-0428

SubscriptionInfo.getIccid() in Android 10

We found an issue in SubscriptionInfo.getIccid( ) and reported to Google. The vulnerability is later confirmed by Google [Snapshot of Google’s IssueTracker Website] and registered with a CVE.

The fixing of this vulnerability turns out to be an unexpectedly non-trivial process. During our assessment, we notice that the vulnerability in getIccid( ) only exists in Android 10 and is not inherited by Android 11 and later releases.

This may be because Google has been aware of this issue and has fixed it in AOSP 11, or it may have unintentionally fixed that vulnerability during the development process.

After we reported it, Google issued a warning in its security bulletin on 5th Apr 2021 [link], which confirms the issue has been fixed.
However, later in June 2021, the “fix” was recalled as shown in an updated version of the security bulletin. Google explained that the recall was because of application compatibility issues.

Google later updated the comments in the source code of getIccid( ) [Link to AOSP Repo], stating that the system-level permission for this method is imposed since Android 11 (API level 30) rather than Android 10 (API level 29). This, however, contradicts Android’s documentation and the policies on other UUIs, where the system-level permission is imposed since Android 10.

You can find more technical details of the fixing and recalling of this CVE from the slides prepared by us