Insecure Alphanumeric IDs in React Native Bluetooth Scan: Exploiting COVID-19 Contact Tracing in Bluezone 1.0.0

Insecure Alphanumeric IDs in React Native Bluetooth Scan: Exploiting COVID-19 Contact Tracing in Bluezone 1.0.0

CVE-2020-12270 · MEDIUM Severity

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0)

Learn more about our Contact.