The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism.
References
Link | Resource |
---|---|
https://blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf | Third Party Advisory |
https://github.com/google/exposure-notifications-internals/commit/8f751a666697 | Patch Third Party Advisory |
https://github.com/google/exposure-notifications-internals/commit/8f751a666697c3cae0a56ae3464c2c6cbe31b69e | Patch Third Party Advisory |
https://github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200611.pdf | Exploit Technical Description Third Party Advisory |
https://github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200616-2.pdf | Exploit Technical Description Third Party Advisory |
https://github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200616.pdf | Exploit Technical Description Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
12 Mar 2021, 12:58
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/google/exposure-notifications-internals/commit/8f751a666697 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/google/exposure-notifications-internals/commit/8f751a666697c3cae0a56ae3464c2c6cbe31b69e - Patch, Third Party Advisory |
01 Mar 2021, 18:15
Type | Values Removed | Values Added |
---|---|---|
Summary | The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism. | |
References |
|
Information
Published : 2020-06-11 19:15
Updated : 2023-12-10 13:27
NVD link : CVE-2020-13702
Mitre link : CVE-2020-13702
CVE.ORG link : CVE-2020-13702
JSON object : View
Products Affected
the_rolling_proximity_identifier_project
- the_rolling_proximity_identifier
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor