VYPR
← All advisories
Unrated severityNVD Advisory· Published May 18, 2020· Updated Aug 4, 2024

CVE-2020-12856

CVE-2020-12856

Description

OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Bluetooth pairing flaw in OpenTrace-based contact tracing apps (COVIDSafe ≤v1.0.17, TraceTogether, ABTraceTogether) allows silent bonding, leaking permanent identifiers for long-term re-identification.

Vulnerability

The vulnerability resides in the Bluetooth pairing implementation of the OpenTrace protocol, as used in COVIDSafe for Android through v1.0.17, TraceTogether, ABTraceTogether, and similar apps. It allows an attacker to silently bond with a victim's Android device without user interaction, exchanging the device's Bluetooth identity address and Identity Resolving Key (IRK). These permanent identifiers enable long-term tracking [1].

Exploitation

An attacker must be within Bluetooth range of a vulnerable device running a susceptible app. The attacker initiates a pairing process that the victim device accepts automatically, without any user confirmation. During the bonding, the victim device transmits its Bluetooth identity address and IRK, which the attacker captures [1].

Impact

Successful exploitation allows the attacker to persistently track and re-identify the victim's device over time, bypassing Bluetooth privacy measures. This can lead to unauthorized location tracking and identification of individuals using the contact tracing app. The CVE description notes unspecified additional impact [1].

Mitigation

COVIDSafe for Android was fixed in version v1.0.18, released on May 18, 2020 [1]. Users of other affected apps should apply any available updates. No workaround exists for unpatched versions; users should update immediately.

References
  1. COVIDSafe-CVE-2020-12856/README.md at master · alwentiu/COVIDSafe-CVE-2020-12856

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The app's Bluetooth implementation allows silent bonding without user interaction, exposing permanent device identifiers (identity address and IRK) to a remote attacker."

Attack vector

An attacker within Bluetooth range can silently bond with a victim's Android phone running a vulnerable contact-tracing app [ref_id=1]. The bonding process exchanges permanent identifiers: the Bluetooth identity address and the Identity Resolving Key (IRK). Either identifier can then be used for long-term re-identification and tracking of the device, without the victim's knowledge or consent.

Affected code

The vulnerability lies in the Android implementation of COVIDSafe (v1.0.17 and earlier) and similar contact-tracing apps such as TraceTogether and ABTraceTogether. The researcher write-up [ref_id=1] identifies that the flaw is in how Bluetooth bonding is handled, allowing an attacker to pair silently with a victim's device.

What the fix does

The advisory [ref_id=1] states that the vulnerability was fixed in COVIDSafe (Android) v1.0.18, but does not include a patch diff or describe the specific code changes. No further remediation details are provided in the available reference materials.

Preconditions

  • networkAttacker must be within Bluetooth range of the victim's device.
  • configVictim must be running a vulnerable version of the app (COVIDSafe v1.0.17 or earlier, or similarly architected apps).

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.