Description Preview
A vulnerability in Android's TelephonyManager.java implementation allows local applications to access the SIM serial number without proper permission checks. The flaw in the getSimSerialNumber method enables unauthorized access to this trackable identifier, which could be used to uniquely identify and track users. This vulnerability affects Android 10 and requires user execution privileges but no direct user interaction for exploitation.
Overview
CVE-2021-0428 is a missing permission check vulnerability (CWE-862: Missing Authorization) in Android's TelephonyManager component. The issue exists in the getSimSerialNumber method of TelephonyManager.java, which fails to properly verify that the calling application has the necessary permissions to access the SIM card's serial number. This identifier is considered sensitive as it can be used for tracking users across applications or services. The vulnerability affects Android 10 devices and requires the malicious application to be installed on the device but doesn't require any further user interaction to exploit.
Remediation
To address this vulnerability:
- Update to the latest Android security patch level, specifically the September 2021 security update or later.
- For device manufacturers and carriers: Ensure security patches from September 2021 or later are deployed to affected devices.
- For app developers: Do not rely on SIM serial numbers as security controls, and implement proper permission checks when accessing sensitive device identifiers.
- For users: Only install applications from trusted sources like the Google Play Store, keep your device updated with the latest security patches, and consider using security solutions that can detect potentially harmful applications.
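The following is an added illustration written for this entry; it is not code from the Android advisory, from AOSP's TelephonyManager.java, or from any referenced project. It shows the missing-authorization pattern (CWE-862) described in the overview beside the permission-gated form recommended to app developers above, as an exported app component would apply it before handing out a SIM serial number. The class name, the app-defined permission string, and the helper names are assumptions; the Android framework calls (Context.checkCallingPermission, PackageManager.PERMISSION_GRANTED, TelephonyManager.getSimSerialNumber) are real platform APIs.

```java
// Added example, not part of the advisory. Illustrates CWE-862 in an app-side
// identifier getter and the permission check that closes it.
import android.content.Context;
import android.content.pm.PackageManager;
import android.telephony.TelephonyManager;
import android.util.Log;

public final class SimIdentifierGate {
    private static final String TAG = "SimIdentifierGate";

    // Assumed app-defined permission, declared in AndroidManifest.xml with
    // android:protectionLevel="signature" so only same-signer apps can hold it.
    static final String PERMISSION_READ_DEVICE_ID =
            "com.example.permission.READ_DEVICE_ID";

    private SimIdentifierGate() {}

    // Missing-authorization pattern (CWE-862): whoever reaches this entry point
    // receives the identifier; the caller's permissions are never consulted.
    static String getSimSerialUnchecked(Context ctx) {
        TelephonyManager tm =
                (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        return tm.getSimSerialNumber();
    }

    // Hardened form: verify the *calling* process holds the permission before
    // touching the identifier. checkCallingPermission returns PERMISSION_DENIED
    // when there is no IPC caller at all, which is the conservative default for
    // an exported entry point (a Binder or ContentProvider method).
    static String getSimSerialChecked(Context ctx) {
        if (ctx.checkCallingPermission(PERMISSION_READ_DEVICE_ID)
                != PackageManager.PERMISSION_GRANTED) {
            // Denied attempts are worth logging: repeated failures from one
            // package are a detection signal for apps probing for identifiers.
            Log.w(TAG, "SIM serial requested without " + PERMISSION_READ_DEVICE_ID);
            throw new SecurityException("caller lacks " + PERMISSION_READ_DEVICE_ID);
        }
        TelephonyManager tm =
                (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
        try {
            return tm.getSimSerialNumber();
        } catch (SecurityException platformDenied) {
            // On a patched Android 10 device the platform itself refuses this
            // call for apps that are not privileged or device-owner apps.
            // Returning null here mirrors the pre-Android-10 behaviour for
            // older target SDKs; callers must not treat it as an error path
            // that justifies retrying with a different identifier.
            Log.i(TAG, "platform denied SIM serial access: " + platformDenied.getMessage());
            return null;
        }
    }
}
```

Both methods take a Context so the checked variant can be called from any exported component; the point of the example is the ordering, in which the permission test happens before the sensitive call, and the log line on denial, which gives defenders a trace of apps that try to read a non-resettable identifier they were never granted.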
References
- Android Security Bulletin - September 2021: https://source.android.com/security/bulletin/2021-09-01
- CWE-862: Missing Authorization: https://cwe.mitre.org/data/definitions/862.html
- Android Security Updates: https://security.googleblog.com/search/label/Android%20security
Industry Exposure
Most to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Finance and Insurance
- Manufacturing
- Retail Trade
- Accommodation & Food Services
- Administrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry, Fishing & Hunting
- Arts, Entertainment & Recreation
- Construction
- Educational Services
- Health Care & Social Assistance
- Information
- Management of Companies & Enterprises
- Mining
- Other Services (except Public Administration)
- Professional, Scientific, & Technical Services
- Public Administration
- Real Estate Rental & Leasing
- Transportation & Warehousing
- Utilities
- Wholesale Trade