CVE-2014-10374

Name of the Vulnerable Software and Affected Versions Fitbit activity-tracker devices (affected versions not specified)

Description The issue concerns Fitbit activity-tracker devices, such as Charge 2, which transmit Bluetooth Low Energy (BLE) advertising packets. Despite the TxAdd flag indicating random addresses, the addresses remain constant, leading to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. If an adversary sets up passive sniffing at one or more locations, they can determine whether the same device has entered one of these locations when it comes within BLE range.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.