CVE-2020-35473: n/a in n/a
An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.
AI Analysis
Technical Summary
CVE-2020-35473 describes an information leakage vulnerability in the Bluetooth Low Energy (BLE) advertisement scan response mechanism as defined in Bluetooth Core Specifications 4.0 through 5.2, including the extended scan response in versions 5.0 through 5.2. The issue lies in how a device using Resolvable Private Addressing (RPA) decides whether to answer a scan request, a decision that depends on the remote Bluetooth address the request comes from. RPAs exist to protect privacy: the device periodically changes its address so that an observer cannot link successive advertisements to the same device. Because the response-or-no-response decision is tied to whether the requesting address is allowed, an attacker who sends crafted scan requests from chosen addresses can recognise a device employing RPAs by its response pattern, even though the advertised address itself keeps changing. Furthermore, if an attacker has previously associated an RPA with a particular remote device, the device's reaction to active scan requests serves as a side channel to identify or track that peer. This behaviour has been termed an allowlist-based side channel because it exploits the device's handling of allowed versus blocked addresses during scanning.

The vulnerability is classified under CWE-294 (Authentication Bypass by Capture-replay), indicating that the intended privacy protection is bypassed without any authentication or user interaction. The CVSS v3.1 base score is 4.3 (medium severity): the attack vector is adjacent network (Bluetooth radio range), no privileges or user interaction are required, and the impact is to confidentiality only, with no effect on integrity or availability. No patches or vendor-specific mitigations are listed, and no exploitation in the wild has been reported to date. The practical consequence is device tracking and identification, which undermines user privacy and can support targeted reconnaissance in Bluetooth-enabled environments.
Potential Impact
For European organizations, the primary impact of CVE-2020-35473 is the potential loss of device privacy and confidentiality. Organizations that deploy Bluetooth-enabled devices relying on RPA for privacy, such as smartphones, IoT devices, wearables and industrial sensors, face an increased risk of device tracking and profiling by unauthorized actors. This could facilitate targeted reconnaissance, allowing attackers to map device presence and movement patterns within corporate premises or public spaces. In sectors where privacy is critical, such as healthcare, finance or government, this leakage could indirectly aid social engineering or physical intrusion attempts. Although the vulnerability does not allow direct compromise of device integrity or availability, the erosion of privacy protections may contravene GDPR requirements concerning personal data protection and location privacy. Organizations relying on Bluetooth for access control or asset tracking might also find the trustworthiness of those systems reduced. The medium severity rating reflects that, while the vulnerability cannot be exploited for system takeover, it could contribute to broader attack chains or privacy violations.
Mitigation Recommendations
Given the lack of vendor patches, European organizations should adopt a layered approach to mitigate this vulnerability:
- Disable Bluetooth scanning and advertising on devices when not in use, especially in sensitive environments, to reduce exposure.
- Configure Bluetooth devices to limit or randomize scan response behavior where possible, minimizing predictable patterns that could be exploited.
- Employ network segmentation and physical controls to restrict unauthorized Bluetooth scanning within corporate premises.
- Monitor for anomalous Bluetooth scanning activity using wireless intrusion detection systems (WIDS) capable of detecting unusual scan requests or patterns indicative of reconnaissance.
- Update device firmware and Bluetooth stacks regularly, as vendors may release patches or mitigations addressing this issue in future updates.
- Raise user awareness about Bluetooth privacy settings and encourage disabling Bluetooth in public or untrusted areas.
- For proprietary Bluetooth solutions, consider additional cryptographic protections or obfuscation techniques to counteract side-channel identification.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2020-12-16T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbec8d0
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 6/25/2025, 9:14:59 PM
Last updated: 2/7/2026, 11:50:31 AM