[Suggested description]
An issue was discovered on One2Track 2019-12-08 devices.
Confidential information is needlessly stored on the smartwatch. Audio
files are stored in .amr format, in the audior directory. An
attacker who has physical access can
retrieve all audio files by connecting via a USB cable.
------------------------------------------
[VulnerabilityType Other]
Voice conversations leaked to physical attackers.
------------------------------------------
[Vendor of Product]
One2Track
------------------------------------------
[Affected Product Code Base]
one2track - up to-date version as of 12-8-2019 (no exact version number)
------------------------------------------
[Affected Component]
Local smartwatch storage
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker must physically have access to the One2track software.
Once this access has been obtained audio messages send to the
smartwatch can be retrieved from the local storage.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal
------------------------------------------
[Reference]
https://www.one2track.nl
Use CVE-2019-20469.