CVE-2016-6539 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2016-6539?

CVE-2016-6539 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-6539?

Check the references section above for vendor advisories and patch information. Affected products include: Thetrackr Trackr Firmware, Thetrackr Trackr.

Vulnerability Description

The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541.

CVSS Score

3.5

LOW

CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Thetrackr	Trackr Firmware	< 2.2.5
Thetrackr	Trackr	-

Related Weaknesses (CWE)

CWE-200

References

http://www.securityfocus.com/bid/93874Third Party AdvisoryVDB Entry
https://blog.rapid7.com/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulExploitTechnical DescriptionThird Party Advisory
https://www.kb.cert.org/vuls/id/617567Third Party AdvisoryUS Government Resource
https://www.kb.cert.org/vuls/id/TNOY-AF3KCZThird Party AdvisoryUS Government Resource
http://www.securityfocus.com/bid/93874Third Party AdvisoryVDB Entry
https://blog.rapid7.com/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulExploitTechnical DescriptionThird Party Advisory
https://www.kb.cert.org/vuls/id/617567Third Party AdvisoryUS Government Resource
https://www.kb.cert.org/vuls/id/TNOY-AF3KCZThird Party AdvisoryUS Government Resource

FAQ

What is CVE-2016-6539?

CVE-2016-6539 is a vulnerability with a CVSS score of 3.5 (LOW). The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth...

How severe is CVE-2016-6539?

CVE-2016-6539 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-6539?

Check the references section above for vendor advisories and patch information. Affected products include: Thetrackr Trackr Firmware, Thetrackr Trackr.