Bluetooth Advertisement Crash Vulnerability in COVID-19 Contact Tracing Apps

Bluetooth Advertisement Crash Vulnerability in COVID-19 Contact Tracing Apps

CVE-2020-12717 · MEDIUM Severity

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The COVIDSafe (Australia) app 1.0 and 1.1 for iOS allows a remote attacker to crash the app, and consequently interfere with COVID-19 contact tracing, via a Bluetooth advertisement containing manufacturer data that is too short. This occurs because of an erroneous OpenTrace manuData.subdata call. The ABTraceTogether (Alberta), ProteGO (Poland), and TraceTogether (Singapore) apps were also affected.

Learn more about our Cis Benchmark Audit For Apple Ios.