Bosscomm IF740 Cleartext Password Storage Vulnerability

Vulnerability

A vulnerability exists in the Bosscomm IF740 OBD2 tablet, specifically in firmware versions 11001.7078 and 11001.0000, as well as system versions 6.25 and 6.00. The device stores passwords, including WiFi passwords, in cleartext within a partition of the microSD card. Additionally, the device communicates with the Bosscomm update API in plaintext, exposing sensitive information such as serial numbers and download tokens to potential interception.

Impact

Exploitation of this vulnerability leads to the disclosure of stored passwords and other sensitive information, such as WiFi credentials, screenshots, and OBDII logs, all in cleartext.

Reproduction

The vulnerability can be reproduced by accessing the microSD card directly, which reveals all stored WiFi passwords in cleartext. This can be done by removing the microSD card from the device and inserting it into a Linux machine, or by connecting the device via USB and accessing certain partitions.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.