CVE-2020-12270
Description
React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it was a false alert if contact-history comparison fails (i.e., an F0 is not actually part of the contact history obtained from the device of this recipient, or this recipient is not actually part of the contact history obtained from the device of an F0).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bluezone 1.0.0 uses fixed six-character IDs, enabling remote attackers to generate many false alerts and interfere with COVID-19 contact tracing.
Vulnerability
Bluezone 1.0.0 uses a fixed six-character alphanumeric ID per installation, broadcast repeatedly via Bluetooth [1][2]. The ID is generated in BluezonerIdGenerator.java [2] and used in TraceCovidModule.java [3]. This design allows any Bluetooth device in range to observe the ID.
Exploitation
An attacker can create many unique IDs (since the six-character ID space is small) and broadcast them via Bluetooth, causing the Bluezone app to generate numerous false F1 alerts for contact tracing [1]. No authentication or user interaction is required; only Bluetooth proximity is needed.
Impact
Successful exploitation can interfere with COVID-19 contact tracing by overwhelming the system with false alerts, potentially reducing trust and effectiveness [1]. The vendor disputes the impact, arguing that recipients can identify false alerts if contact-history comparison fails [1].
Mitigation
No official fix or update has been published for Bluezone 1.0.0 as of the cited references [1][2][3]. The vendor has not acknowledged the vulnerability [1]. Users are advised to monitor for app updates or consider alternative contact tracing solutions.
- [1] Vietnam's contact tracing app broadcasting a fixed ID
- [2] react-native-bluetooth-scan/lib/android/src/main/java/com/scan/BluezonerIdGenerator.java at d9ee70fd594093a30e50b6e62a7593a8397c2dab · BluezoneGlobal/react-native-bluetooth-scan
- [3] react-native-bluetooth-scan/lib/android/src/main/java/com/scan/TraceCovidModule.java at d9ee70fd594093a30e50b6e62a7593a8397c2dab · BluezoneGlobal/react-native-bluetooth-scan
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Bluezone/Bluetooth Scan
Patches
No patches discovered yet.
References
- bluezone.ai/CVE (mitre, x_refsource_MISC)
- github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/CHANGELOG.md (mitre, x_refsource_MISC)
- github.com/BluezoneGlobal/bluezone-app/blob/afa15fcec391f0edc51d0486a4ca84dd2520bbb3/package.json (mitre, x_refsource_MISC)
- github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/AndroidManifest.xml (mitre, x_refsource_MISC)
- github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/BluezonerIdGenerator.java (mitre, x_refsource_MISC)
- github.com/BluezoneGlobal/react-native-bluetooth-scan/blob/d9ee70fd594093a30e50b6e62a7593a8397c2dab/lib/android/src/main/java/com/scan/TraceCovidModule.java (mitre, x_refsource_MISC)
- vnhacker.blogspot.com/2020/04/vietnams-contact-tracing-app_26.html (mitre, x_refsource_MISC)