I need the help of the smartest people on the internet on this dire day.
I talked to the media, to no avail. I reached out to MITRE, to no avail. I reported to Google, without response.
Google and Apple are about to break Bluetooth LE and the IoT with ramifications that will proof fatal for future generations.
Severity: 10.0 CRITICAL
CVSS v3.1 Vector: /AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:X
Vulnerability Type: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
Vendor of Product: Apple, Google
Affected Product Code Base: Android 6.0 or higher, IOS 13,5 or higher
Affected Component: Exposure Notification API, Bluetooth LE
Attack Type: Remote
Attack Vectors: Bluetooth Smart Privacy is broken in API due to the addition of secondary temporary UID. Bluetooth LE discovery mechanism can be used to track individual device movement across a fleet of devices
The author of this paper alerted Google on June 11, 7:35 AM EST, less than 6 hours ago. While we recognize this is a rapidly-evolving space, a few hours is not in line with responsible disclosure[1] timelines.
While we're still preparing a proper response to the submitter, the paper makes an invalid assumption that RPI rotation and BLE address rotation are out-of-step and overlap. The BLE and RPI changes are synced; the MAC address is always rotated with the RPI/packet is rotated. We're still investigating our implementation to verify, but we do not believe this to be a vulnerability. I will reply to this thread should our investigation find anything.
3 comments
[ 0.28 ms ] story [ 27.3 ms ] threadI talked to the media, to no avail. I reached out to MITRE, to no avail. I reported to Google, without response.
Google and Apple are about to break Bluetooth LE and the IoT with ramifications that will proof fatal for future generations.
Severity: 10.0 CRITICAL CVSS v3.1 Vector: /AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:X Vulnerability Type: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) Vendor of Product: Apple, Google Affected Product Code Base: Android 6.0 or higher, IOS 13,5 or higher Affected Component: Exposure Notification API, Bluetooth LE Attack Type: Remote Attack Vectors: Bluetooth Smart Privacy is broken in API due to the addition of secondary temporary UID. Bluetooth LE discovery mechanism can be used to track individual device movement across a fleet of devices
While we're still preparing a proper response to the submitter, the paper makes an invalid assumption that RPI rotation and BLE address rotation are out-of-step and overlap. The BLE and RPI changes are synced; the MAC address is always rotated with the RPI/packet is rotated. We're still investigating our implementation to verify, but we do not believe this to be a vulnerability. I will reply to this thread should our investigation find anything.
[1]: https://en.wikipedia.org/wiki/Responsible_disclosure