CVE-2014-10374
Last modified
CVE-2014-10374 is a vulnerability of currently unknown severity. On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. EPSS estimates a 0.64% chance of exploitation in the next 30 days.
Description
On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Fitbit | Charge 2 Firmware | All versions |
References
- https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdfThird Party Advisory
- https://twitter.com/TedOnPrivacy/status/1151390589990187008Third Party Advisory
- https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdfThird Party Advisory
- https://twitter.com/TedOnPrivacy/status/1151390589990187008Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-10374?
How severe is CVE-2014-10374?
How do I fix CVE-2014-10374?
Are you affected by CVE-2014-10374?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST