CVE-2020-12856

Published: 18/05/2020 Updated: 20/05/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote malicious users to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.

Vulnerable Product

alberta abtracetogether -

health covidsafe -

health covidsafe

tracetogether tracetogether -

Github Repositories

Enhances your Pokémon GO Plus

PoGo+LE (beta). SHA-256 fingerprint of the code transparency key certificate (must be compared with the developer's public key manually): C8 70 92 46 B3 32 22 6F 33 57 05 B4 5C 37 83 81 65 67 42 44 1B DC CC B2 96 1B 66 4D CF 4C 74 BC. Automagically skips pairing dialog when connecting Pokémon GO Plus, and alerts you when things go wrong. Context: Pairing dialog

A Bluetooth-related vulnerability in some contact tracing apps

COVIDSafe-CVE-2020-12856: A silent pairing issue in Bluetooth-based contact tracing apps. Authors: Jim Mussared (George Robotics), Alwen Tiu (The Australian National University). A vulnerability has been identified in the implementation of the Android version of Australia's COVIDSafe (v1.0.17 and earlier) contact tracing app that may affect several other contact tracing apps

All the IoCs I have gathered which are used directly in coronavirus / covid-19 / SARS-CoV-2 cyber attack campaigns

Dedicated to the men and women fighting the coronavirus pandemic. coronavirus-covid-19-SARS-CoV-2: All the IoCs I have gathered which are used directly in coronavirus / covid-19 / SARS-CoV-2 cyber attack campaigns. All IoCs are provided "as-is"; please use your own verification methodology before deploying them in a production network. Remember, architecture

Bluetooth and contact tracing research. COVIDSafe and related applications: A remote crash exploit on COVIDSafe 20 (Android); CVE-2020-14292: Identity address leakage through Bluetooth transport; CVE-2020-12856: A silent pairing issue affecting the Android version of COVIDSafe app v1.0.17 and earlier versions (joint work with Jim Mussared). Apple/Google Exposure Notifications F