CVE-2014-10374 - Vulnerability Details - OpenCVE

On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations.

No CVSS v4.0

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fitbit	Charge 2 Charge 2 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:fitbit:charge_2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:fitbit:charge_2:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf
https://twitter.com/TedOnPrivacy/status/1151390589990187008

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-15T12:47:25

Updated: 2024-08-06T14:02:38.299Z

Reserved: 2019-07-15T00:00:00

Link: CVE-2014-10374

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-15T13:15:10.967

Modified: 2024-11-21T02:03:28.753

Link: CVE-2014-10374

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to \"permanent trackability\" and \"considerable privacy concerns\" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-17T12:57:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://twitter.com/TedOnPrivacy/status/1151390589990187008"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-10374", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to \"permanent trackability\" and \"considerable privacy concerns\" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf", "refsource": "MISC", "url": "https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf"}, {"name": "https://twitter.com/TedOnPrivacy/status/1151390589990187008", "refsource": "MISC", "url": "https://twitter.com/TedOnPrivacy/status/1151390589990187008"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:02:38.299Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/TedOnPrivacy/status/1151390589990187008"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-10374", "datePublished": "2019-07-15T12:47:25", "dateReserved": "2019-07-15T00:00:00", "dateUpdated": "2024-08-06T14:02:38.299Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fitbit:charge_2_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "528E2F56-0D59-4C38-ADCF-95D3D5D11F48", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fitbit:charge_2:-:*:*:*:*:*:*:*", "matchCriteriaId": "BFA23A3A-C202-4C6C-8B68-DE74899BF74B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to \"permanent trackability\" and \"considerable privacy concerns\" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations."}, {"lang": "es", "value": "En los dispositivos de seguimiento de actividad Fitbit, algunas direcciones determinadas nunca cambian. De acuerdo con el documento popets-2019-0036.pdf, esto conlleva a un \"permanent trackability\" y \"considerable privacy concerns\" sin una funcionalidad de anonimizaci\u00f3n accesible para el usuario. Los dispositivos, tales como Charge 2, transmiten paquetes de publicidad de Bluetooth Low Energy (BLE) con un flag TxAdd indicando direcciones aleatorias, pero las direcciones permanecen constantes. Si los dispositivos est\u00e1n dentro del rango de BLE en una o m\u00e1s ubicaciones donde un adversario ha establecido un rastreo pasivo, el adversario puede determinar si el mismo dispositivo ha ingresado en una de estas ubicaciones."}], "id": "CVE-2014-10374", "lastModified": "2024-11-21T02:03:28.753", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-15T13:15:10.967", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://twitter.com/TedOnPrivacy/status/1151390589990187008"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://twitter.com/TedOnPrivacy/status/1151390589990187008"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}