Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alwentiu/COVIDSafe-CVE-2020-12856
A bluetooth-related vulnerability in some contact tracing apps
- Host: GitHub
- URL: https://github.com/alwentiu/COVIDSafe-CVE-2020-12856
- Owner: alwentiu
- Created: 2020-05-15T00:18:03.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-06-26T03:41:19.000Z (over 4 years ago)
- Last Synced: 2024-08-05T17:36:26.288Z (5 months ago)
- Language: Python
- Size: 998 KB
- Stars: 28
- Watchers: 12
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - alwentiu/COVIDSafe-CVE-2020-12856 - A bluetooth-related vulnerability in some contact tracing apps (Python)
README
# COVIDSafe-CVE-2020-12856: A silent pairing issue in bluetooth-based contact tracing apps
Authors: Jim Mussared (George Robotics), Alwen Tiu (The Australian National University)
A vulnerability has been identified in the implementation of the Android version of Australia's COVIDSafe contact tracing app (v1.0.17 and earlier). It may also affect several other contact tracing apps that share a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether. This issue is being tracked using the CVE ID [CVE-2020-12856](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12856).
This vulnerability allows an attacker to bond silently with an Android phone running a vulnerable version of the app. The bonding process involves the exchange of permanent identifiers of the victim phone: the identity address of the Bluetooth device in the phone and a cryptographic key called the Identity Resolving Key (IRK). Either of these identifiers can be used for long-term tracking of the phone. This vulnerability was reported to DTA (which is responsible for the COVIDSafe app) on May 5th, 2020, and it has been fixed in COVIDSafe (Android) v1.0.18.
Details of our finding are available [here](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/CVE-2020-12856-19-June-2020.pdf). The proof-of-concept code can be found [here](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/code).
An earlier draft (dated May 18th, 2020) that was sent to various developer teams is available [here](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/CVE-2020-12856-18-may-2020.pdf). (Note that this earlier draft has a small typo in the CVE ID; it refers to CVE-2020-12586 instead of CVE-2020-12856.)