CVE-2020-13702

2020-06-11T19:15:00
ID CVE-2020-13702
Type cve
Reporter cve@mitre.org
Modified 2020-12-11T05:15:00

Description

DISPUTED: The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism. NOTE: this is disputed because the specification states "The advertiser address, Rolling Proximity Identifier, and Associated Encrypted Metadata shall be changed synchronously so that they cannot be linked" and therefore the purported tracking actually cannot occur. The original reporter says that synchronous changes only occur in one direction, not both directions.