
CVE-2020-13702: catastrophic breach of user privacy in Apple/Google Corona API [pdf] - normanluhrmann
https://github.com/normanluhrmann/infosec/raw/master/exposure-notification-vulnerability-20200611.pdf
======
sethvargo
The author of this paper alerted Google on June 11, 7:35 AM EST, less than 6
hours ago. While we recognize this is a rapidly-evolving space, a few hours is
not in line with responsible disclosure[1] timelines.

While we're still preparing a proper response to the submitter, the paper
makes an invalid assumption that RPI rotation and BLE address rotation are
out-of-step and overlap. The BLE and RPI changes are synced; the MAC address
is always rotated when the RPI/packet is rotated. We're still investigating
our implementation to verify, but we do not believe this to be a
vulnerability. I will reply to this thread should our investigation find
anything.

[1]: https://en.wikipedia.org/wiki/Responsible_disclosure
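
To make the point in the comment above concrete, here is an added toy simulation of a passive BLE sniffer linking advertisements across identifier rotations. It is my own illustration, not code from this thread, from the paper, or from the Exposure Notification implementation; the rotation periods, time units and the way identifiers are generated are assumptions chosen to make the two cases visible. If the random BLE address and the RPI rotate together, every rotation is a clean break; if either one survives while the other changes, the unchanged value links the old pair to the new one and the device stays trackable.

```python
"""Toy model of linkability when RPI and BLE address rotation are not in step.

Added illustration only (assumptions: abstract time units, one advertisement
per time unit, opaque random tokens standing in for the 48-bit random BLE
address and the 16-byte Rolling Proximity Identifier).
"""
from collections import namedtuple
import secrets

Adv = namedtuple("Adv", "t mac rpi")


def fresh_mac():
    # Assumption: opaque token standing in for a random BLE address.
    return secrets.token_hex(6)


def fresh_rpi():
    # Assumption: opaque token standing in for an RPI; real RPIs are derived
    # from a daily key, which does not matter for the linkage argument.
    return secrets.token_hex(16)


def broadcast(duration, mac_period, rpi_period):
    """Emit one advertisement per time unit, rotating each identifier on its
    own period.  mac_period == rpi_period models synchronised rotation;
    unequal periods model the out-of-step rotation the paper assumes."""
    mac, rpi = fresh_mac(), fresh_rpi()
    advs = []
    for t in range(duration):
        if t and t % mac_period == 0:
            mac = fresh_mac()
        if t and t % rpi_period == 0:
            rpi = fresh_rpi()
        advs.append(Adv(t, mac, rpi))
    return advs


def link_tracks(advs):
    """What a passive observer can do: an advertisement joins an existing
    track if it shares either its MAC or its RPI with that track.
    Returns a list of tracks, each a time-ordered list of Adv."""
    tracks = []  # list of (identifiers seen in the track, member advs)
    for adv in sorted(advs, key=lambda a: a.t):
        for ids, members in tracks:
            if adv.mac in ids or adv.rpi in ids:
                ids.update((adv.mac, adv.rpi))
                members.append(adv)
                break
        else:
            tracks.append(({adv.mac, adv.rpi}, [adv]))
    return [members for _, members in tracks]


def longest_track(advs):
    """Length, in time units, of the longest run the observer can follow."""
    return max(m[-1].t - m[0].t + 1 for m in link_tracks(advs))


if __name__ == "__main__":
    synced = broadcast(duration=60, mac_period=10, rpi_period=10)
    skewed = broadcast(duration=60, mac_period=12, rpi_period=10)
    print("synced rotation : %d tracks, longest %d units"
          % (len(link_tracks(synced)), longest_track(synced)))
    print("skewed rotation : %d tracks, longest %d units"
          % (len(link_tracks(skewed)), longest_track(skewed)))
```

With both periods equal to 10, the observer gets six disjoint 10-unit tracks over 60 units; with periods of 12 and 10, no rotation ever changes both identifiers at once before t=60, so the same 60 units collapse into a single track. The check a reviewer of a real implementation wants is therefore not "do both identifiers rotate?" but "is there any instant at which one of them has rotated and the other has not?"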

------
normanluhrmann
I need the help of the smartest people on the internet on this dire day.

I talked to the media, to no avail. I reached out to MITRE, to no avail. I
reported to Google, without response.

Google and Apple are about to break Bluetooth LE and the IoT with
ramifications that will prove fatal for future generations.

Severity: 10.0 CRITICAL
CVSS v3.1 Vector:
/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:X
Vulnerability Type: CWE-359 (Exposure of Private Personal Information to an
Unauthorized Actor)
Vendor of Product: Apple, Google
Affected Product Code Base: Android 6.0 or higher, iOS 13.5 or higher
Affected Component: Exposure Notification API, Bluetooth LE
Attack Type: Remote
Attack Vectors: Bluetooth Smart

Privacy is broken in API due to the addition of secondary temporary UID.
Bluetooth LE discovery mechanism can be used to track individual device
movement across a fleet of devices

~~~
Iolaum
Does this vulnerability also affect users with Bluetooth disabled?

