Due to several instances of negligence, the security of the Wiko Freddy is extremely low, and its flaws allow easy access to the data stored on the device. One can only hope that this is the only phone of the brand to suffer from these weaknesses.
With a smartphone, we tend to take a lot of photos and exchange countless messages. In short, a lot of information about us resides on this device that follows us everywhere. And it is precisely to protect our privacy that we use passwords, fingerprint readers or facial recognition technologies.
However, if a phone secured by a secret code is easy to hack, this obviously raises major concerns. And this is the new problem facing Wiko. As a reminder, the Marseille-based brand had already been singled out for a severe lack of transparency about the data collected on its devices and sent to its Chinese parent company, Tinno. The company reacted to make amends (we relayed its response here), and a major software update will soon remedy this problem.
Except that Wiko has now been called out in another case, in which it is not the brand's data collection that is in question, but the security of the phone itself. The security developer who calls himself “Elliot Alderson” on Twitter has posted a series of messages in which he explains how the Wiko Freddy, released in 2016 and sold today for around 100 euros, is very porous in terms of security.
The well-known Elliot Alderson reports three large-scale vulnerabilities that could cause serious harm if the phone fell into the wrong hands. We have listed them below with some explanations:
ADB can be used in charging mode
The ADB tool (Android Debug Bridge) is a program for tinkerers that allows access to the phone's storage from a computer connected by USB cable. To use it, you normally have to activate the developer options on the phone and check “USB debugging”. But with the Wiko Freddy, Elliot Alderson noticed that by turning off the smartphone, you could use ADB from the charging mode, without activating the USB debugging option and without authorizing the connection to the computer.
In other words, if a Freddy is stolen or found by a malicious hacker, the hacker will have no trouble accessing the system, even if the phone is protected by a password.
Unlock the bootloader without deleting the data
For those who are not familiar with it, the bootloader is the program used to launch the Android operating system. To make deep changes to your phone, you need to unlock it.
What you need to know is that unlocking the bootloader usually deletes all the information stored on the device. But, still according to the whistleblower, when the Wiko Freddy is restarted in bootloader mode, the command “fastboot oem unlock-tinno” (so it is indeed Tinno that left this tool there) is enough to unlock the bootloader without deleting the data stored on the smartphone.
Easy access to administrator rights
To exploit this last flaw, the USB debugging option must be activated, which makes it less likely. Nevertheless, it is still worth mentioning. Elliot Alderson realized that by launching the ADB command “shell setprop persist.tinno.debug” (again, this is a debugging tool forgotten by Tinno) on the Wiko Freddy, he could get ADB root. That is, he could obtain administrator rights and bypass the protections without having to unlock the bootloader and root the phone.
The content made accessible this way can then be copied to a computer.
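For anyone who wants to check a device they own or manage for the debug paths described above, here is an added example (not code from Elliot Alderson or from Wiko) that audits a saved `adb shell getprop` dump. The sample dump is constructed, and since the article gives no value for `persist.tinno.debug`, the script assumes that any non-empty value is worth reporting; the other properties are standard Android ones.

```python
import re

# Constructed sample of `adb shell getprop` output; values are illustrative,
# not captured from a real Wiko Freddy.
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.adb.secure]: [0]
[persist.sys.usb.config]: [mtp,adb]
[persist.tinno.debug]: [1]
[service.adb.root]: [1]
"""

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")


def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_LINE.match(line.strip())
        if match:
            props[match["key"]] = match["value"]
    return props


def audit(props):
    """Return (property, reason) findings for debug paths left open."""
    findings = []
    if props.get("ro.debuggable") == "1":
        findings.append(("ro.debuggable", "debuggable build: adb root is allowed"))
    if props.get("ro.secure") == "0":
        findings.append(("ro.secure", "adbd does not drop root privileges"))
    if props.get("ro.adb.secure") != "1":
        findings.append(("ro.adb.secure", "ADB host key authorization not enforced"))
    if "adb" in props.get("persist.sys.usb.config", "").split(","):
        findings.append(("persist.sys.usb.config", "ADB enabled in persisted USB config"))
    if props.get("service.adb.root") == "1":
        findings.append(("service.adb.root", "adbd is currently running as root"))
    # Vendor switch named in the article; its value is not given there, so any
    # non-empty value is reported (assumption).
    if props.get("persist.tinno.debug"):
        findings.append(("persist.tinno.debug", "vendor debug property is set"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_getprop(SAMPLE_GETPROP)):
        print(f"{name}: {reason}")
```
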