Vulnerability Description
On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fitbit | Charge 2 Firmware | - |
| Fitbit | Charge 2 | - |
Related Weaknesses (CWE)
References
- https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdfThird Party Advisory
- https://twitter.com/TedOnPrivacy/status/1151390589990187008Third Party Advisory
- https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdfThird Party Advisory
- https://twitter.com/TedOnPrivacy/status/1151390589990187008Third Party Advisory
FAQ
What is CVE-2014-10374?
CVE-2014-10374 is a vulnerability with a CVSS score of 6.5 (MEDIUM). On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a...
How severe is CVE-2014-10374?
CVE-2014-10374 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-10374?
Check the references section above for vendor advisories and patch information. Affected products include: Fitbit Charge 2 Firmware, Fitbit Charge 2.