PT-2020-13959 · Australian Government · Covidsafe

Published

2020-09-09

Updated

2021-07-21

CVE-2020-14292

CVSS v3.1

5.7

Medium

Vector

AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions COVIDSafe application through 1.0.21 for Android

Description The issue allows attackers to trick the application into establishing a connection over Bluetooth BR/EDR transport, revealing the public Bluetooth address of the victim's phone without authorization, bypassing the Bluetooth address randomisation protection in the user's phone. This is due to the unsafe use of the Bluetooth transport option in the GATT connection.

Recommendations For COVIDSafe application versions through 1.0.21 for Android, consider disabling the Bluetooth functionality until a patch is available to prevent exploitation. Restrict access to the GATT connection to minimize the risk of revealing the public Bluetooth address.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2020-14292

Affected Products

Covidsafe

PT-2020-13959 · Australian Government · Covidsafe

CVE-2020-14292

Related Identifiers

Affected Products

References · 6