VYPR
Unrated severity · NVD Advisory · Published Sep 27, 2022 · Updated May 22, 2025

CVE-2022-37193

Description

Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Chipolo ONE Bluetooth tracker iOS app 4.13.0 fails to invalidate access credentials after revocation, allowing a sharee to maintain device control.

Vulnerability

Chipolo ONE Bluetooth tracker (2020 model) iOS app version 4.13.0 contains an incorrect access control vulnerability. The issue is in the access sharing functionality: when a trusted owner shares device access, the sharee's mobile app stores an authentication secret. Even after the owner revokes the sharee's access via the server, the local credentials persist and remain usable. This affects devices paired with the Chipolo iOS app version 4.13.0 [1][2].

Exploitation

The attack requires that the attacker (malicious sharee) obtains the Chipolo authentication secret, which can be extracted from the mobile app on an untrusted operating system. The attacker must have been initially granted shared access by the device owner. After access is revoked server-side, the attacker can simply reuse the previously extracted secret to continue controlling the Chipolo device without any further user interaction or network position requirements [2].

Impact

A successful attacker can maintain persistent control over the Chipolo ONE device even after access revocation. This enables continued access to location tracking and device ringing functionalities, violating the owner's intent to remove the sharee. The attacker effectively bypasses the server-side access revocation mechanism, leading to a breach of confidentiality (location data) and availability (device control) [2].

Mitigation

As of publication (September 2022), the vendor Chipolo has not released a patched version addressing this issue in the iOS app. Users should be cautious about sharing device access with untrusted parties. No workaround is documented in the available references; the KEV catalog does not list this CVE. Users should monitor official Chipolo channels for an app update that properly invalidates credentials upon revocation [1][2].
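The following Python model is an added illustration, not Chipolo's protocol (the references do not document it). It contrasts the design described under Vulnerability, where revocation only edits a server-side list while the tracker keeps accepting one static cached secret, with a design in which the revocation state lives on the device and is changed only by owner-authenticated commands. All names (VulnerableTracker, HardenedTracker, share, revoke, ring) are assumptions.

```python
import hmac
import os

class VulnerableTracker:
    """Constructed model of the flawed design: one static device secret that every
    sharee's app caches, while only the server remembers who is still allowed."""
    def __init__(self):
        self.secret = os.urandom(32)         # static; never rotated on revocation
        self.server_allowed = set()          # server-side share list, unknown to the device
    def share(self, sharee):
        self.server_allowed.add(sharee)
        return self.secret                   # copied into the sharee's app
    def revoke(self, sharee):
        self.server_allowed.discard(sharee)  # the device is never told
    def ring(self, sharee, cached_secret):
        # The device only checks possession of the static secret, so a revoked
        # sharee who kept a copy is indistinguishable from a current one.
        return hmac.compare_digest(cached_secret, self.secret)

class HardenedTracker:
    """Constructed model of a fix: per-share keys stored on the device, created and
    deleted only by commands authenticated with the owner's pairing key."""
    def __init__(self):
        self.owner_key = os.urandom(32)      # provisioned at pairing; only the owner's app holds it
        self.share_keys = {}                 # sharee -> key, held where the check happens
    def _owner_ok(self, presented):
        return hmac.compare_digest(presented, self.owner_key)
    def share(self, sharee, owner_key):
        if not self._owner_ok(owner_key):
            raise PermissionError("only the owner may share")
        self.share_keys[sharee] = os.urandom(32)
        return self.share_keys[sharee]
    def revoke(self, sharee, owner_key):
        # Revocation is an owner-authenticated command to the device itself, so it
        # takes effect the next time the owner's app reaches the tracker.
        if not self._owner_ok(owner_key):
            raise PermissionError("only the owner may revoke")
        self.share_keys.pop(sharee, None)
    def ring(self, sharee, cached_secret):
        key = self.share_keys.get(sharee)
        return key is not None and hmac.compare_digest(cached_secret, key)

def cached_secret_survives_revocation(hardened):
    """Replay a sharee's cached secret after the owner revokes access; returns True
    if the tracker still obeys it."""
    dev = HardenedTracker() if hardened else VulnerableTracker()
    owner = (dev.owner_key,) if hardened else ()
    cached = dev.share("sharee", *owner)
    dev.revoke("sharee", *owner)
    return dev.ring("sharee", cached)
```

The hardened model still leaves a window between the owner pressing "revoke" on the server and the owner's app next reaching the tracker over Bluetooth; closing that window needs device-verified short-lived tokens, which in turn needs a trustworthy counter or clock on the device.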

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)