CVE-2020-14292 : Vulnerability Insights and Analysis

In the COVIDSafe application through 1.0.21 for Android, a vulnerability exists that allows attackers to reveal the victim's phone's public Bluetooth address without authorization.

Understanding CVE-2020-14292

The vulnerability in the COVIDSafe application for Android exposes users to privacy risks by disclosing their Bluetooth address.

What is CVE-2020-14292?

The flaw in the COVIDSafe app for Android enables attackers to bypass Bluetooth address randomization protection, exposing users' public Bluetooth addresses.

The Impact of CVE-2020-14292

This vulnerability allows malicious actors to obtain sensitive information, compromising user privacy and potentially leading to targeted attacks.

Technical Details of CVE-2020-14292

The technical aspects of the CVE-2020-14292 vulnerability are as follows:

Vulnerability Description

The unsafe use of the Bluetooth transport option in the GATT connection in the COVIDSafe app for Android.
Attackers can trick the app into establishing a connection over Bluetooth BR/EDR transport.

Affected Systems and Versions

Product: COVIDSafe application
Vendor: N/A
Versions affected: Through 1.0.21 for Android

Exploitation Mechanism

Attackers exploit the vulnerability to reveal the victim's phone's public Bluetooth address without authorization.

Mitigation and Prevention

To address CVE-2020-14292, users and organizations can take the following steps:

Immediate Steps to Take

Update the COVIDSafe app to the latest version.
Avoid using the app in public places where Bluetooth attacks are more likely.

Long-Term Security Practices

Regularly check for app updates and security patches.
Be cautious when granting permissions to apps that access sensitive data.

Patching and Updates

Ensure that all devices running the COVIDSafe app are updated to the latest version to mitigate the vulnerability.