CVE-2020-12856
📋 TL;DR
This vulnerability in COVID-19 contact tracing apps allows attackers to re-identify users over the long term from their Bluetooth signals. The flaw makes it possible to track individuals over extended periods and potentially enables other Bluetooth-based attacks. Users of COVIDSafe (v1.0.17 and earlier), TraceTogether, ABTraceTogether, and similar contact tracing applications on iOS and Android are affected.
💻 Affected Systems
- COVIDSafe
- TraceTogether
- ABTraceTogether
- Other contact tracing apps using OpenTrace framework
📦 What is this software?
COVIDSafe by Health
TraceTogether by TraceTogether
⚠️ Risk & Real-World Impact
Worst Case
Attackers could persistently track individuals' movements and locations over weeks or months, potentially enabling stalking, surveillance, or correlation with other data sources to deanonymize users.
Likely Case
Privacy violation through long-term tracking of Bluetooth identifiers, allowing attackers to monitor when and where specific devices appear over time.
If Mitigated
Limited to short-term Bluetooth proximity detection as intended, without persistent tracking capabilities.
🎯 Exploit Status
Exploitation requires Bluetooth scanning equipment and proximity to target devices. Public proof-of-concept demonstrates the tracking capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: COVIDSafe v1.0.18+ and updates to other affected apps
Vendor Advisory: https://www.health.gov.au/resources/publications/covidsafe-app-update
Restart Required: Yes
Instructions:
1. Update affected contact tracing apps through official app stores.
2. For COVIDSafe, update to v1.0.18 or later.
3. Ensure automatic updates are enabled.
4. Restart the application after updating.
🔧 Temporary Workarounds
Disable Bluetooth when not needed
Turn off Bluetooth to prevent broadcasting vulnerable identifiers.
Settings > Bluetooth > Toggle Off
Uninstall vulnerable apps
Remove affected contact tracing applications until patched.
Long press app icon > Uninstall
🧯 If You Can't Patch
- Disable Bluetooth completely when not in use
- Use airplane mode in sensitive locations to disable all wireless communications
🔍 How to Verify
Check if Vulnerable:
Check the app version in settings: COVIDSafe v1.0.17 or earlier is vulnerable. For other apps, check whether they are built on the OpenTrace framework.
Check Version:
Open app > Settings > About or App Info > Version
Verify Fix Applied:
Confirm app version is updated to patched version (COVIDSafe v1.0.18+). Verify Bluetooth identifier rotation occurs as designed.
📡 Detection & Monitoring
Log Indicators:
- Unusual Bluetooth scanning patterns from unknown devices
- Persistent Bluetooth connections to contact tracing apps
Network Indicators:
- Bluetooth Low Energy (BLE) advertising packets with consistent identifiers over time
- Multiple devices scanning for specific BLE services
SIEM Query:
Correlate Bluetooth scan logs for MAC addresses or advertised identifiers that match contact tracing app identifiers and remain unchanged over extended periods.
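One way to check the "consistent identifiers over time" indicator from a capture of BLE advertisements, as an added example that is not code from the original page or from any of the affected apps; the log format, the identifier values and the one-hour rotation window are constructed assumptions:

```python
from datetime import datetime

# Constructed BLE scan log (not a real capture): timestamp, advertising address,
# and the identifier carried in the contact-tracing app's advertising payload.
SCAN_LOG = """\
2020-05-01T08:00:00 5A:11:22:33:44:01 tid-a1
2020-05-01T08:10:00 5A:11:22:33:44:01 tid-a1
2020-05-01T08:20:00 5A:11:22:33:44:02 tid-a2
2020-05-01T09:40:00 5A:11:22:33:44:02 tid-a2
2020-05-01T11:00:00 5A:11:22:33:44:02 tid-a2
2020-05-02T07:30:00 5A:11:22:33:44:07 tid-b9
2020-05-02T08:15:00 5A:11:22:33:44:07 tid-b9
"""

def parse_scan_log(text):
    """Parse 'timestamp address identifier' lines into (datetime, addr, ident) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, addr, ident = line.split()
        rows.append((datetime.fromisoformat(ts), addr, ident))
    return rows

def identifier_lifetimes(rows):
    """Return {identifier: (first_seen, last_seen)} over all parsed rows."""
    seen = {}
    for ts, _addr, ident in rows:
        first, last = seen.get(ident, (ts, ts))
        seen[ident] = (min(first, ts), max(last, ts))
    return seen

def persistent_identifiers(rows, max_lifetime_s):
    """Identifiers visible for longer than the expected rotation window (in seconds).

    An identifier that outlives the window is one a passive observer could use
    to follow the device; the result maps each such identifier to its lifetime."""
    flagged = {}
    for ident, (first, last) in identifier_lifetimes(rows).items():
        lifetime = (last - first).total_seconds()
        if lifetime > max_lifetime_s:
            flagged[ident] = lifetime
    return flagged

if __name__ == "__main__":
    # Assumed rotation window of one hour; use the app's documented interval in practice.
    for ident, secs in persistent_identifiers(parse_scan_log(SCAN_LOG), 3600).items():
        print(f"{ident} visible for {secs / 60:.0f} min: rotation may not be working")
```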
🔗 References
- https://covidsafe.watch/issue-register/cve-2020-12856-long-term-tracking-and-possibly-enables-other-bluetooth-based-attack-vectors
- https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/edit?usp=sharing
- https://github.com/alwentiu/COVIDSafe-CVE-2020-12856/blob/master/README.md