Bosscomm IF740 Information Disclosure Vulnerability

Vulnerability

A vulnerability allowing information disclosure has been identified in the Bosscomm IF740 OBD2 tablet, specifically in firmware versions 11001.7078 and 11001.0000, as well as system versions 6.25 and 6.00. This vulnerability arises from hardcoded cleartext credentials that can be accessed during the update or boot process.

Impact

Exploitation of this vulnerability allows attackers to obtain hardcoded cleartext credentials, including WiFi passwords, as well as other sensitive information such as screenshots and OBDII diagnostic logs.

Reproduction

The vulnerability can be reproduced by initiating a WiFi update while connected to a network that intercepts and captures traffic. This will expose cleartext communications to the Bosscomm update API, including sensitive information such as the device's serial number and download tokens. Additionally, the hardcoded passwords can be accessed by removing the microSD card from the device and reading it on a Linux machine, or by plugging the device into a computer via USB and accessing certain partitions that contain the cleartext credentials.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.