CVE-2022-20481 - How Residual WiFi Data After Android Reset Can Leak Your Personal Network Details

Did you know that even after you reset your Android device, sensitive information like your WiFi passwords might not be completely deleted? This post explores CVE-2022-20481, a critical information disclosure vulnerability that affects several generations of Android phones and tablets. Here, we’ll break down how and why this happens, include code snippets, provide steps for potential exploitation, and give you links to official references and patches.

What is CVE-2022-20481?

CVE-2022-20481 is a security vulnerability found in multiple Android versions, from Android 10 up to Android 13. The bug lets attackers recover WiFi network settings -- including passwords -- even after a factory reset. All they need is direct access to your device, and no hacking skills or extra permissions are needed. Unlike many exploits, this one requires user interaction (meaning you have to cooperate in some action, like exporting data).

Android 13 (T)

Android Security Bulletin: AOSP Bulletin, November 2022

Residual Configuration Files

When you reset an Android device to factory settings, you expect your data to be wiped. However, some WiFi settings survive in residual configuration files that are not properly deleted. Attackers who gain local access after reset can extract these files and read sensitive network info like SSIDs, PSKs (passwords), and even EAP TLS credentials.

Factory reset initiated.

- Some WiFi conf files (like /data/misc/wifi/WifiConfigStore.xml) are not correctly purged.
- User or attacker exports WiFi settings (manually or via backup/restore operations).

Example Vulnerable Code Snippet

Below is a simplified version (pseudo-Java) showing how WiFi settings may be erroneously handled during a reset:

// Called on factory reset command
public void performFactoryReset() {
    // ... other wipe operations

    File wifiConf = new File("/data/misc/wifi/WifiConfigStore.xml");
    if (wifiConf.exists()) {
        // Incomplete deletion due to permissions or missing path
        wifiConf.delete();  // Sometimes this fails silently!
    }
    // ... more wipe operations
}

Problem: If the delete operation fails, the configuration file remains. On startup, the WiFi subsystem reloads these settings. Later, if a user uses the built-in WiFi export tool, the supposedly deleted configurations are included!

Exploitation Details: Step-by-Step

Scenario: User factory resets their Android device, but an attacker has local access (post-reset). Here's how they can get WiFi information:

2. Initiate WiFi Settings Export

On many devices (especially Samsung and Pixel), the setup process offers to import/export WiFi settings via a file or QR code.

3. Extracting the Residual Data

By exporting WiFi settings, the resulting file (for example, WifiConfigStore.xml or its user-facing export) contains all previously stored networks, _including those that should have been wiped_.

Sample export content

<NetworkList>
  <Network>
    <SSID>MyHomeWiFi</SSID>
    <PreSharedKey>supersecret2022</PreSharedKey>
    <HiddenSSID>false</HiddenSSID>
    <EAPMethod>PEAP</EAPMethod>
    ...
  </Network>
  ...
</NetworkList>

4. Viewing Recovered Data

Open the export file in any XML or text viewer to get WiFi names and passwords.

Official References and Patches

- CVE Record – cve.org
- Android Security Bulletin, November 2022
- AOSP Commit Fixing A-241927115 (Direct link to the patch)
- NIST NVD Entry

Is There a Patch?

Yes. The issue was resolved by making sure all WiFi settings files are securely deleted during a factory reset. If you apply the November 2022 Android security updates (or later), your device should be safe.

Always update your Android device to the latest security patch level

- Perform a (double) reset and manually check for rogue files before selling or disposing of the device

Conclusion

CVE-2022-20481 is a scary reminder that factory resets don't always do what we expect—especially when it comes to private wireless credentials. Always keep devices updated and be careful how you dispose of them.

References and Further Reading

- Android Security Bulletins
- CVE-2022-20481 Record
- NIST National Vulnerability Database


*This post was independently written to help regular Android users understand how their data may remain at risk, even after a full reset. For developers and sysadmins, always test security assumptions!*

Timeline

Published on: 02/28/2023 17:15:00 UTC
Last modified on: 03/09/2023 18:33:00 UTC