CVE-2020-12270
Severity: MEDIUM
Bluezone 1.0.0 - Use of Insufficiently Random Values in Bluetooth Scan IDs
Title source: llmDescription
Description: React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0).
References (7)
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/CHANGELOG.md
Third Party Advisory (x_refsource_misc): https://github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/package.json#L27
Third Party Advisory (x_refsource_misc): https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/TraceCovidModule.java#L98
Third Party Advisory (x_refsource_misc): https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/AndroidManifest.xml#L11-L12
Exploit, Third Party Advisory (x_refsource_misc): https://vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html
Third Party Advisory (x_refsource_misc): https://github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/BluezonerIdGenerator.java#L18-L28
Various Sources (x_refsource_misc): https://bluezone.ai/CVE
Scores
CVSS v3 base score: 6.5
EPSS: 0.0143
EPSS Percentile: 69.5%
Attack Vector: ADJACENT_NETWORK
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-330
Status: published
Products (1): bluezone/bluezone 1.0.0
Published: Apr 27, 2020
Tracked Since: Feb 18, 2026