6.5

CVE-2014-10374

EPSS 0.18%
Veröffentlicht 15.07.2019 13:15:10
Zuletzt bearbeitet 21.11.2024 02:03:28
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Fitbit ≫ Charge 2 Firmware Version-

Fitbit ≫ Charge 2 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.37

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	3.3	6.5	2.9	AV:A/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf

Third Party Advisory

https://twitter.com/TedOnPrivacy/status/1151390589990187008

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2014-10374

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-10374

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-10374

EUVD