
COVIDSafe on Android up to v1.0.16 allowed a device to be re-identified over long periods of time due to static random data in the BLE payload

High
covidsafe-support published GHSA-8782-q64h-7rv3 Jul 23, 2020

Package

No package listed

Affected versions

<1.0.17

Patched versions

1.0.17

Description

Impact

Because of how the COVIDSafe app generated random data for the BLE advertising payload, an attacker could re-identify a device from previous encounters over long periods of time. The cause was that the Android COVIDSafe app generated the random data for the BLE advertising payload once, on app startup, and then reused it for the life of the running app.
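The following regression check is an added example, not code from COVIDSafe or from this advisory. It flags any random payload value that stays on air longer than an allowed window in a capture taken from a test device. The record layout, the 15-minute window, the rotating source addresses and the sample captures are all assumptions constructed for illustration.

```python
# Added example: regression check for static random data in BLE advertisements.
# Record layout and lifetime window are assumptions, not COVIDSafe's real values.
from collections import defaultdict

MAX_PAYLOAD_LIFETIME_S = 15 * 60  # assumed acceptable lifetime of one random value


def find_long_lived_payloads(records, max_lifetime_s=MAX_PAYLOAD_LIFETIME_S):
    """records: iterable of (timestamp_s, source_address, random_payload_bytes).

    Returns {payload_hex: (lifetime_s, distinct_address_count)} for every payload
    observed for longer than max_lifetime_s. Such a value ties sightings together
    even if the source address changed in between.
    """
    seen = defaultdict(lambda: {"first": None, "last": None, "addrs": set()})
    for ts, addr, payload in records:
        entry = seen[bytes(payload)]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["addrs"].add(addr)
    findings = {}
    for payload, entry in seen.items():
        lifetime = entry["last"] - entry["first"]
        if lifetime > max_lifetime_s:
            findings[payload.hex()] = (lifetime, len(entry["addrs"]))
    return findings


def constructed_capture(static_payload):
    """Constructed sample: one test device seen every 10 minutes for 2 hours,
    with a different source address at each sighting."""
    records = []
    for i in range(13):
        ts = i * 600
        addr = "02:00:00:00:00:%02x" % i
        if static_payload:
            payload = b"\xaa\xbb\xcc"  # generated once at startup, then reused
        else:
            payload = bytes([i, i ^ 0x5A, 0x10 + i])  # new value per sighting
        records.append((ts, addr, payload))
    return records


if __name__ == "__main__":
    print("static payload  :", find_long_lived_payloads(constructed_capture(True)))
    print("changing payload:", find_long_lived_payloads(constructed_capture(False)))
```

A capture from a build with the behaviour described above produces one finding spanning the whole capture; an empty result means no payload value outlived the window.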

Patches

This issue was fixed in COVIDSafe v1.0.17 for Android.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-12858

Severity

High

CVE ID

CVE-2020-12858

Weaknesses

No CWEs

Credits