CVE-2014-10374
MEDIUMFitbit Charge 2 Firmware - Unauthorized Exposure of Sensitive Device Tracking Information via Static BLE Addresses
Title source: llmDescription
On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf
Third Party Advisory x_refsource_misc
https://twitter.com/TedOnPrivacy/status/1151390589990187008
Scores
CVSS v3
6.5
EPSS
0.0064
EPSS Percentile
46.1%
Attack Vector
ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
fitbit/charge_2_firmware
Published
Jul 15, 2019
Tracked Since
Feb 18, 2026