CVE-2020-24722 : Vulnerability Insights and Analysis

Discover the impact of CVE-2020-24722, a vulnerability in the GAEN protocol used in COVID-19 apps on Android and iOS. Learn about the risks and mitigation steps.

An issue was discovered in the GAEN (aka Google/Apple Exposure Notifications) protocol through 2020-10-05, as used in COVID-19 applications on Android and iOS. The vulnerability allows for metadata deanonymization and risk-score inflation.

Understanding CVE-2020-24722

This CVE highlights a security flaw in the GAEN protocol used in COVID-19 applications on Android and iOS.

What is CVE-2020-24722?

The vulnerability in the GAEN protocol allows for a contamination attack through bitflipping, potentially leading to metadata deanonymization and risk-score inflation.

The Impact of CVE-2020-24722

Because the encrypted metadata block that carries the TX value lacks a checksum, bitflipping can amplify a contamination attack, risking metadata deanonymization and risk-score inflation.

Technical Details of CVE-2020-24722

The technical aspects of the vulnerability are crucial to understanding its implications.

Vulnerability Description

The issue lies in the GAEN protocol, where the encrypted metadata block with a TX value lacks a checksum, enabling a contamination attack through bitflipping.
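The following added example (not code from GAEN or from this advisory) shows why a stream-encrypted block without an integrity check accepts a flipped bit silently, and how an encrypt-then-MAC tag rejects it. The SHA-256 keystream is a stand-in for the real cipher, and the 4-byte layout (version, signed TX power, two reserved bytes), the keys, the nonce and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), not GAEN's real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:n]

def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def tx_power(metadata: bytes) -> int:
    """Byte 1 of the metadata block is the signed TX power (assumed layout)."""
    return struct.unpack("b", metadata[1:2])[0]

def seal(enc_key, mac_key, nonce, metadata):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = crypt(enc_key, nonce, metadata)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:8]

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Return the metadata, or None when the tag does not verify."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return crypt(enc_key, nonce, ct)

# Constructed sample values, not taken from any real device or app.
ENC_KEY, MAC_KEY = bytes(range(16)), bytes(range(16, 48))
NONCE = bytes.fromhex("a1" * 16)      # stands in for the per-broadcast identifier
METADATA = bytes([0x40, 0xF4, 0, 0])  # version, TX power -12 dBm, two reserved bytes

def flip(ct: bytes) -> bytes:
    """Flip one bit in the byte that carries the TX power."""
    return ct[:1] + bytes([ct[1] ^ 0x10]) + ct[2:]

def demo():
    ct = crypt(ENC_KEY, NONCE, METADATA)
    unauthenticated = tx_power(crypt(ENC_KEY, NONCE, flip(ct)))  # accepted silently
    sealed_ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, METADATA)
    intact = open_sealed(ENC_KEY, MAC_KEY, NONCE, sealed_ct, tag)
    rejected = open_sealed(ENC_KEY, MAC_KEY, NONCE, flip(sealed_ct), tag)
    return unauthenticated, intact, rejected
```

`demo()` returns the altered TX power read from the unauthenticated block, the metadata recovered from the intact sealed block, and `None` for the sealed block whose ciphertext was modified.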

Affected Systems and Versions

        Android and iOS COVID-19 applications

Exploitation Mechanism

The vulnerability allows attackers to perform a contamination attack by manipulating the TX value in the metadata block.

Mitigation and Prevention

Addressing and preventing the exploitation of CVE-2020-24722 is essential for maintaining security.

Immediate Steps to Take

        Update affected applications to patched versions
        Monitor for any suspicious activities related to metadata manipulation

Long-Term Security Practices

        Regular security audits and assessments of the GAEN protocol
        Implement additional security measures to prevent metadata deanonymization

Patching and Updates

        Apply patches provided by the vendor to fix the checksum issue in the metadata block
