[Suggested description]
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices.
When using the device at initial setup, a default password is used
(123456) for administrative purposes. There is no prompt to change this password.
Note that this password can be used in combination with CVE-2019-20470.

------------------------------------------

[Vulnerability Type]
Incorrect Access Control

------------------------------------------

[Vendor of Product]
TK-star

------------------------------------------

[Affected Product Code Base]
TK-Star Q90 Junior GPS horloge - 3.1042.9.8656

------------------------------------------

[Affected Component]
Smartwatch

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
An attacker needs to send an SMS to the device's mobile number.
Knowledge of the mobile number is required before this vulnerability
can be exploited.

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Dennis van Warmerdam, Jasper Nota, Jim Blankendaal

------------------------------------------

[Reference]
https://www.tk-star.com

Use CVE-2019-20471.