Lucene search

MitreCVE-2020-13702

HistoryJun 11, 2020 - 7:15 p.m.

CVE-2020-13702

2020-06-1119:15:10

CWE-200

mitre

web.nvd.nist.gov

cve

2020

13702

rolling proximity identifier

apple

google

exposure notification api

bluetooth

privacy

attack

beacon

iot

bluetooth le

nvd

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

9.2

Confidence

High

EPSS

0.004

Percentile

72.4%

JSON

The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism.

Affected configurations

Nvd

Node

the_rolling_proximity_identifier_projectthe_rolling_proximity_identifierRange≤2020-05-29

VendorProductVersionCPE
the_rolling_proximity_identifier_projectthe_rolling_proximity_identifier*cpe:2.3:a:the_rolling_proximity_identifier_project:the_rolling_proximity_identifier:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
the_rolling_proximity_identifier_project	the_rolling_proximity_identifier	*	cpe:2.3:a:the_rolling_proximity_identifier_project:the_rolling_proximity_identifier::::::::

References

blog.google/documents/70/Exposure_Notification_-_Bluetooth_Specification_v1.2.2.pdf

github.com/google/exposure-notifications-internals/commit/8f751a666697

github.com/google/exposure-notifications-internals/commit/8f751a666697c3cae0a56ae3464c2c6cbe31b69e

github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200611.pdf

github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200616-2.pdf

github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200616.pdf

Social References

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

AI Score

9.2

Confidence

High

EPSS

0.004

Percentile

72.4%

JSON

Related for CVE-2020-13702