Rolling Proximity Identifier Vulnerability: Circumvention of Bluetooth Smart Privacy via Secondary Temporary UID

Rolling Proximity Identifier Vulnerability: Circumvention of Bluetooth Smart Privacy via Secondary Temporary UID

CVE-2020-13702 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

The Rolling Proximity Identifier used in the Apple/Google Exposure Notification API beta through 2020-05-29 enables attackers to circumvent Bluetooth Smart Privacy because there is a secondary temporary UID. An attacker with access to Beacon or IoT networks can seamlessly track individual device movement via a Bluetooth LE discovery mechanism.

Learn more about our Api Penetration Testing.