
CVE-2020-35473: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE, CVE-2020-35473
Published: Tue Nov 08 2022 (11/08/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.

AI-Powered Analysis

Last updated: 06/25/2025, 21:14:59 UTC

Technical Analysis

CVE-2020-35473 describes an information leak in the Bluetooth Low Energy (BLE) advertising scan-response mechanism as defined in Bluetooth Core Specification versions 4.0 through 5.2, including the extended scan response introduced in 5.0. Resolvable Private Addresses (RPAs) exist to defeat tracking: a privacy-enabled device advertises under an address derived from its Identity Resolving Key (IRK) and a random value, and changes that address periodically, so that only peers holding the IRK can link successive addresses to the same device. The leak comes from combining RPA with allowlist-based handling of scan requests. When a scanner sends a SCAN_REQ, a device that applies such a filter policy answers with a SCAN_RSP only if the requester's address (ScanA) is in its allowlist or resolves against an entry in its resolving list, that is, only for peers it is bonded with. Responding or staying silent is therefore a one-bit answer to the question "is this address one of yours?", and an attacker can ask it simply by spoofing ScanA. Two attacks follow. First, an attacker can tell devices that filter scan requests this way, typically the privacy-enabled ones, apart from other advertisers by sending scan requests from arbitrary addresses and noting which advertisers never answer. Second, an attacker who has captured the address of a bonded peer (an identity address, or an RPA that is still within its rotation interval; the specification's recommended interval is 15 minutes) can replay scan requests from that address to every advertiser in range, and the advertiser that answers is the device bonded to that peer, whatever RPA it currently advertises under. This is why the issue is also called an allowlist-based side channel.

The vulnerability is recorded under CWE-294 (Authentication Bypass by Capture-replay): the attack captures a peer address and replays it in scan requests, although what it defeats is address privacy rather than authentication. The CVSS v3.1 base score is 4.3 (medium): the attack vector is adjacent (the attacker must be in radio range), no privileges or user interaction are needed, and only confidentiality is affected, not integrity or availability. No patches or vendor-specific mitigations are listed for this entry, and no exploitation in the wild has been reported. In practice the vulnerability enables device identification and tracking, which undermines the privacy guarantee RPA is meant to provide and supports reconnaissance in Bluetooth-dense environments.

Potential Impact

For European organizations, the primary impact of CVE-2020-35473 is loss of device privacy and, with it, confidentiality about where people and equipment are. Organizations deploying Bluetooth-enabled devices that rely on RPA for privacy, such as smartphones, IoT devices, wearables and industrial sensors, face an increased risk of those devices being tracked and profiled by unauthorized actors. This supports targeted reconnaissance: an attacker in radio range can map which devices are present and how they move within corporate premises or public spaces. In sectors where privacy is critical, such as healthcare, finance or government, the leak could indirectly aid social engineering or physical intrusion attempts. The vulnerability does not allow direct compromise of device integrity or availability, but the erosion of a privacy protection that users and vendors rely on may conflict with GDPR obligations on personal data and location privacy. Organizations that use Bluetooth proximity for access control or asset tracking should also assume that an attacker can follow the same devices they do. The medium severity rating reflects that exploitation does not yield system takeover on its own, but can feed broader attack chains or privacy violations.

Mitigation Recommendations

Given the lack of vendor patches, European organizations should adopt a layered approach. First, disable Bluetooth scanning and advertising on devices when not in use, especially in sensitive environments, to reduce exposure. Second, where the Bluetooth stack or firmware allows it, make a device's handling of scan requests independent of the requester's address: do not combine RPA with an allowlist or resolving-list filter on scan requests, and either answer every scan request or, for devices that do not need to deliver scan-response data, advertise non-scannably so that no scan request is ever answered. Silence is as observable as a response, so only uniform behaviour closes the channel. Third, restrict physical access to areas where sensitive Bluetooth devices operate and control which scanning hardware may be brought in; network segmentation does not help here, because the attack is carried over the radio link and never touches the IP network. Fourth, monitor for anomalous Bluetooth activity with a wireless intrusion detection system (WIDS) that can flag scan requests arriving from the address of a known bonded peer while that peer is elsewhere, or sustained bursts of scan requests from many distinct source addresses, both of which are signs of this kind of probing. Fifth, keep device firmware and Bluetooth stacks current, since the affected behaviour is defined by Core Specification 4.0 through 5.2 and vendors may change it in later releases. Finally, raise user awareness about Bluetooth privacy settings and encourage disabling Bluetooth in public or untrusted areas. Organizations deploying proprietary Bluetooth solutions should verify the scan-response behaviour of their own devices before relying on RPA for privacy: send scan requests from a bonded peer's address and from a random address and confirm that the device treats both the same way.
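The mechanism described in the technical analysis above, together with the "uniform response" check suggested in the mitigations, as an added example that is not part of this advisory or of any Bluetooth stack. The Go program below implements the specification's RPA construction (the ah function with AES-128, Core Spec Vol 3 Part H 2.2.2) and a simplified advertiser model. The names Advertiser, HandleScanReq and Identify, the IRKs and addresses, and the scenario of one victim bonded to one peer are all constructed for illustration; the real link layer exchanges SCAN_REQ and SCAN_RSP PDUs over the air, and here a method call stands in for the PDU and a boolean for whether a SCAN_RSP would be sent.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// Address is a 48-bit Bluetooth device address, most-significant byte first (over the air it is
// sent least-significant byte first; the byte order plays no part in the leak).
type Address [6]byte

// ah is the random address hash of Core Spec Vol 3 Part H 2.2.2:
// ah(k, r) = e(k, padding || r) mod 2^24, where e is AES-128 and r is the 24-bit prand.
func ah(irk [16]byte, prand [3]byte) [3]byte {
	c, err := aes.NewCipher(irk[:])
	if err != nil {
		panic(err) // cannot happen for a 16-byte key
	}
	var in, out [16]byte
	copy(in[13:], prand[:]) // 104 zero bits of padding, then prand in the low-order 24 bits
	c.Encrypt(out[:], in[:])
	return [3]byte{out[13], out[14], out[15]} // mod 2^24: the low-order three bytes
}

// NewRPA builds a resolvable private address: prand (top two bits 01) followed by ah(irk, prand).
func NewRPA(irk [16]byte) Address {
	var prand [3]byte
	if _, err := rand.Read(prand[:]); err != nil {
		panic(err)
	}
	prand[0] = prand[0]&0x3f | 0x40
	h := ah(irk, prand)
	return Address{prand[0], prand[1], prand[2], h[0], h[1], h[2]}
}

// Resolves reports whether addr was generated from irk, as a resolving-list lookup does.
func Resolves(irk [16]byte, addr Address) bool {
	if addr[0]&0xc0 != 0x40 {
		return false // not a resolvable private address
	}
	return ah(irk, [3]byte{addr[0], addr[1], addr[2]}) == [3]byte{addr[3], addr[4], addr[5]}
}

// Advertiser models a peripheral that advertises under its own rotating RPA and keeps its bonded
// peers' IRKs in a resolving list. FilterScanReq is the allowlist behaviour behind CVE-2020-35473:
// answer a SCAN_REQ only when its ScanA resolves to a bonded peer. (Constructed model.)
type Advertiser struct {
	OwnIRK        [16]byte
	ResolvingList [][16]byte
	FilterScanReq bool
}

// Rotate picks a fresh RPA, as a privacy-enabled device does at every address timeout.
func (a *Advertiser) Rotate() Address { return NewRPA(a.OwnIRK) }

// HandleScanReq returns true when the advertiser would send a SCAN_RSP to a SCAN_REQ carrying
// scanA. With FilterScanReq set, the answer depends on who appears to be asking: that is the leak.
func (a *Advertiser) HandleScanReq(scanA Address) bool {
	if !a.FilterScanReq {
		return true
	}
	for _, peerIRK := range a.ResolvingList {
		if Resolves(peerIRK, scanA) {
			return true
		}
	}
	return false
}

// Identify runs the attack: spoof a peer address captured earlier and a random probe address, and
// return the indexes of advertisers that answer the first but ignore the second. Those are the
// devices bonded to that peer, whatever RPA they currently advertise under.
func Identify(advertisers []*Advertiser, capturedPeerAddr, probe Address) []int {
	var hits []int
	for i, adv := range advertisers {
		if adv.HandleScanReq(capturedPeerAddr) && !adv.HandleScanReq(probe) {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	// Constructed scenario: the victim is bonded to the peer (holds its IRK); a bystander is not.
	var peerIRK, victimIRK, otherIRK [16]byte
	peerIRK[0], victimIRK[0], otherIRK[0] = 1, 2, 3
	victim := &Advertiser{OwnIRK: victimIRK, ResolvingList: [][16]byte{peerIRK}, FilterScanReq: true}
	bystander := &Advertiser{OwnIRK: otherIRK, FilterScanReq: true}
	devices := []*Advertiser{bystander, victim}
	captured := NewRPA(peerIRK)                          // sniffed from the peer within its rotation interval
	probe := Address{0xc0, 0x11, 0x22, 0x33, 0x44, 0x55} // a static random address no one has bonded with
	for round := 1; round <= 3; round++ {
		fmt.Printf("round %d: victim now %x, identified at index %v\n", round, victim.Rotate(), Identify(devices, captured, probe))
	}
	victim.FilterScanReq = false // hardened: the response no longer depends on ScanA
	fmt.Println("uniform responder identified at", Identify(devices, captured, probe))
}
```

Run it with go run. Across three address rotations the victim is picked out every time, because it answers the scan request carrying the captured peer address and ignores the random one while the bystander ignores both; once the response no longer depends on ScanA, Identify returns nothing. The same two-probe procedure is what to run against your own devices to check for the leak, and ah is checked against the sample data in Core Spec Vol 3 Part H 2.2.2 (IRK EC0234A357C8AD05341010A60A397D9B, prand 708194, hash 0DFBAA).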


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2020-12-16T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9839c4522896dcbec8d0

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 9:14:59 PM

Last updated: 8/1/2025, 6:35:47 AM

Views: 12
