PT-2020-17391 · Samsung · Samsung Galaxy S6 Edge

Published: 2020-12-24 · Updated: 2020-12-31

CVE-2020-35693

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Samsung phones and tablets running Android versions prior to 7.1.2
Samsung Galaxy Note 5 (version not specified)
Samsung Galaxy S6 Edge (version not specified)
Samsung Galaxy A3 (version not specified)
Samsung Tab A (2017) (version not specified)
Samsung J2 Pro (2018) (version not specified)
Samsung Galaxy Note 4 (version not specified)
Samsung Galaxy S5 (version not specified)

Description

An attacker-controlled Bluetooth Low Energy (BLE) device can pair silently with a vulnerable target device, without any user interaction, when the target device's Bluetooth is on and it is running an app that offers a connectable BLE advertisement. Examples of such apps include Bluetooth-based contact tracing apps. During the pairing process, personally identifiable information such as the Identity Address of the Bluetooth adapter and its associated Identity Resolving Key (IRK) is exchanged, which can be used for long-term tracking of the target device.

Recommendations

For Samsung phones and tablets running Android versions prior to 7.1.2, update to a version newer than 7.1.1 to mitigate the risk.
For Samsung Galaxy Note 5, update to a newer version to mitigate the risk.
For Samsung Galaxy S6 Edge, update to a newer version to mitigate the risk.
For Samsung Galaxy A3, update to a newer version to mitigate the risk.
For Samsung Tab A (2017), update to a newer version to mitigate the risk.
For Samsung J2 Pro (2018), update to a newer version to mitigate the risk.
For Samsung Galaxy Note 4, update to a newer version to mitigate the risk.
For Samsung Galaxy S5, update to a newer version to mitigate the risk.
As a temporary workaround, consider disabling Bluetooth when not in use to minimize the risk of exploitation.


Related Identifiers

CVE-2020-35693

Affected Products

Android
Samsung Galaxy S3
Samsung Galaxy Note 4
Samsung Galaxy Note 5
Samsung Galaxy S5
Samsung Galaxy S6 Edge
Samsung J2 Pro
Samsung Tab A