PT-2020-6904 · Unknown+1 · React Native Bluetooth Scan+1

Thai Duong · Published 2020-04-27 · Updated 2024-08-04 · CVE-2020-12270

CVSS v3.1: 6.5 (Medium)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Bluezone version 1.0.0

Description

The issue is related to the use of insufficiently random values in the React Native Bluetooth Scan component of the Bluezone application. This could allow a remote attacker to interfere with COVID-19 contact tracing by using many IDs. The vendor disputes the relevance of this report, stating that the recipient of an alert will know it was a false alert if contact-history comparison fails.

Recommendations

For Bluezone version 1.0.0, consider restricting the use of the React Native Bluetooth Scan component until a patch is available. As a temporary workaround, avoid using the six-character alphanumeric IDs in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Use of Insufficiently Random Values

Weakness Enumeration

Related Identifiers

BDU:2023-05492
CVE-2020-12270

Affected Products

Bluezone
React Native Bluetooth Scan