COVIDSafe through v1.0.17 allows a remote attacker to identify device models, leading to potential re-identification of devices.
Understanding CVE-2020-12859
What is CVE-2020-12859?
Unnecessary fields in the OpenTrace/BlueTrace protocol in COVIDSafe through v1.0.17 enable a remote attacker to discern a device model by analyzing cleartext payload data. This facilitates the re-identification of devices, particularly less common phone models or devices in low-density scenarios.
The Impact of CVE-2020-12859
The vulnerability poses a risk of privacy invasion and potential tracking of individuals using the COVIDSafe app.
Technical Details of CVE-2020-12859
Vulnerability Description
The issue arises from the presence of unnecessary fields in the OpenTrace/BlueTrace protocol, allowing device model identification through payload data.
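To make the low-density risk concrete, the following added example (not COVIDSafe or OpenTrace code) measures how many devices share each static payload fingerprint before and after unnecessary fields are stripped. The field names `id`, `v` and `model`, the allowlist, and the capture are constructed placeholders, not the protocol's real keys or data.

```python
import json
from collections import defaultdict

# Assumption: placeholder field names, not the protocol's real keys.
ROTATING = "id"             # temporary identifier that changes over time
ALLOWED = {ROTATING, "v"}   # assumed minimum needed to log a contact

# Constructed capture: (ground-truth device, cleartext payload) pairs.
CAPTURE = [
    ("dev-a", '{"id": "t1", "v": 1, "model": "Common Phone X"}'),
    ("dev-a", '{"id": "t7", "v": 1, "model": "Common Phone X"}'),
    ("dev-b", '{"id": "t2", "v": 1, "model": "Common Phone X"}'),
    ("dev-c", '{"id": "t3", "v": 1, "model": "Common Phone X"}'),
    ("dev-d", '{"id": "t4", "v": 1, "model": "Rare Phone Z"}'),
    ("dev-d", '{"id": "t9", "v": 1, "model": "Rare Phone Z"}'),
]

def minimize(payload: dict) -> dict:
    """Drop every field that is not on the allowlist."""
    return {k: v for k, v in payload.items() if k in ALLOWED}

def fingerprint(payload: dict) -> tuple:
    """Static part of a payload: everything except the rotating identifier."""
    return tuple(sorted((k, str(v)) for k, v in payload.items() if k != ROTATING))

def anonymity_sets(capture, transform=lambda p: p) -> dict:
    """Map each static fingerprint to the set of real devices that emit it."""
    sets = defaultdict(set)
    for device, raw in capture:
        sets[fingerprint(transform(json.loads(raw)))].add(device)
    return dict(sets)

def reidentifiable(capture, transform=lambda p: p, k: int = 2) -> set:
    """Devices whose fingerprint is shared by fewer than k devices, so a
    change of rotating identifier does not hide which handset is sending."""
    out = set()
    for devices in anonymity_sets(capture, transform).values():
        if len(devices) < k:
            out |= devices
    return out

if __name__ == "__main__":
    print("as sent:  ", reidentifiable(CAPTURE))
    print("minimized:", reidentifiable(CAPTURE, minimize))
```

With the model field present, the single rare handset stands alone in its anonymity set; once the payload is reduced to the allowlist, all four devices fall into one set.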
Affected Systems and Versions
Exploitation Mechanism
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates