
CVE-2020-12856 PoC — OpenTrace security vulnerability

Source
Associated Vulnerability
Title: OpenTrace security vulnerability (CVE-2020-12856)
Description: OpenTrace, as used in COVIDSafe through v1.0.17, TraceTogether, ABTraceTogether, and other applications on iOS and Android, allows remote attackers to conduct long-term re-identification attacks and possibly have unspecified other impact, because of how Bluetooth is used.
Description
A Bluetooth-related vulnerability in some contact tracing apps
Readme
# COVIDSafe-CVE-2020-12856: A silent pairing issue in bluetooth-based contact tracing apps

Authors: Jim Mussared (George Robotics), Alwen Tiu (The Australian National University)

A vulnerability has been identified in the implementation of the Android version of Australia's COVIDSafe (v1.0.17 and earlier) contact tracing app that may affect several other contact tracing apps that share a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether. This issue is being tracked using the CVE ID [CVE-2020-12856](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12856).
This vulnerability allows an attacker to bond silently with an Android phone running a vulnerable version of the app. The bonding process involves the exchange of permanent identifiers of the victim phone: the identity address of the Bluetooth device in the phone and a cryptographic key called the Identity Resolving Key (IRK). Either one of these identifiers can be used for long-term tracking of the phone.
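To make concrete why a leaked IRK is a long-term identifier, here is an added example (not part of the authors' proof-of-concept code and not taken from any of the apps named above). A phone that uses Bluetooth LE privacy rotates its advertised address, but every such resolvable private address (RPA) is just a random 24-bit value plus a 24-bit hash keyed by the IRK; whoever holds the IRK can recompute that hash and link every rotated address back to the same phone. The block implements the Bluetooth Core Specification's `ah()` hash with a minimal AES-128 so it runs offline with no third-party library. The IRK value is the Core Spec's own `ah()` test vector; the `link_addresses` helper and the "sightings" in the demo are constructed for illustration.

```python
import secrets

# Minimal AES-128 block encryption (FIPS-197); present only so ah() runs offline.
def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _gen_sbox():
    # S-box = affine map of the GF(2^8) inverse; p steps through 3^i, q through 3^-i.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_sbox()

def _xtime(b):  # multiply by x in GF(2^8)
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _mul(a, b):  # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _expand_key(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]  # 11 round keys, column-major

def _shift_rows(s):  # flat state, index = 4*column + row
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_mul(a0, 2) ^ _mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _mul(a1, 2) ^ _mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _mul(a2, 2) ^ _mul(a3, 3),
                _mul(a0, 3) ^ a1 ^ a2 ^ _mul(a3, 2)]
    return out

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 10):
        s = _mix_columns(_shift_rows([SBOX[b] for b in s]))
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    s = _shift_rows([SBOX[b] for b in s])  # last round skips MixColumns
    return bytes(b ^ k for b, k in zip(s, rk[10]))

# Bluetooth LE resolvable private addresses (Core Spec: ah() in Vol 3 Part H, RPA format in Vol 6 Part B).
def ah(irk, prand):
    """Random address hash: AES-128(IRK, 0^104 || prand), keeping the low 24 bits."""
    return aes128_encrypt_block(irk, bytes(13) + prand)[13:]

def generate_rpa(irk):
    """New RPA as 6 big-endian bytes: prand (top two bits 01) followed by ah(IRK, prand)."""
    prand = bytearray(secrets.token_bytes(3))
    prand[0] = (prand[0] & 0x3F) | 0x40
    return bytes(prand) + ah(irk, bytes(prand))

def resolve_rpa(irk, addr):
    """True iff addr is a resolvable private address generated under this IRK."""
    if len(addr) != 6 or (addr[0] & 0xC0) != 0x40:
        return False
    return ah(irk, addr[:3]) == addr[3:]

def link_addresses(irk, observed):
    """Return the observed addresses that resolve under irk, i.e. belong to one phone."""
    return [a for a in observed if resolve_rpa(irk, a)]

if __name__ == "__main__":
    # Constructed demo: the IRK is the Core Spec test vector, the sightings are made up.
    irk = bytes.fromhex("ec0234a357c8ad05341010a60a397d9b")
    sightings = [generate_rpa(irk), generate_rpa(bytes(16)), generate_rpa(irk)]
    print([a.hex(":") for a in link_addresses(irk, sightings)])
```

Because the hash is keyed by nothing but the IRK, address rotation gives no protection against a party that already holds a copy of the key: every future RPA the phone broadcasts resolves under it. That is what turns an IRK handed out through an unintended bond into a permanent identifier, and it is why the disclosure is rated as a long-term re-identification issue rather than a one-off leak.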

This vulnerability was reported to DTA (which is responsible for the COVIDSafe app) on May 5th, 2020, and it has been fixed in COVIDSafe (Android) v1.0.18.
Details of our finding are available [here](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/CVE-2020-12856-19-June-2020.pdf).

The proof-of-concept code can be found [here](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/code).

An earlier draft (dated May 18th, 2020) that was sent to various developer teams is available [here](https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/CVE-2020-12856-18-may-2020.pdf).
(Note that this earlier draft has a small typo in the CVE ID; it refers to CVE-2020-12586 instead of CVE-2020-12856.)


File Snapshot

[4.0K] /data/pocs/2815da9103c2c1b64ca2472114128b66c3f00c34
├── [4.0K] code
│   ├── [ 18K] COPYING
│   ├── [4.7K] exploit1.py
│   ├── [6.7K] gatt_advert.py
│   ├── [ 20K] gatt_server.py
│   ├── [1.4K] README.md
│   └── [ 210] setup.sh
├── [1005K] CVE-2020-12856-18-may-2020.pdf
├── [1016K] CVE-2020-12856-19-June-2020.pdf
├── [1.7K] README.md
├── [  97] SHA256SUM-2020-05-18
└── [  97] SHA256SUM-2020-05-23

1 directory, 11 files