I need the help of the smartest people on the internet on this dire day.
I talked to the media, to no avail. I reached out to MITRE, to no avail. I reported to Google, without response.
Google and Apple are about to break Bluetooth LE and the IoT with ramifications that will proof fatal for future generations.
Severity: 10.0 CRITICAL
CVSS v3.1 Vector: /AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:U/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:X
Vulnerability Type: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
Vendor of Product: Apple, Google
Affected Product Code Base: Android 6.0 or higher, IOS 13,5 or higher
Affected Component: Exposure Notification API, Bluetooth LE
Attack Type: Remote
Attack Vectors: Bluetooth Smart Privacy is broken in API due to the addition of secondary temporary UID. Bluetooth LE discovery mechanism can be used to track individual device movement across a fleet of devices
I humbly ask you to give this whitepaper a look and let me know what your views on this matter are.
We need a fresh discussion about net neutrality in times of proprietary traffic solutions controlling vast amounts of global bandwidth.
We need to consider policy management in automated decision making systems. This is just the start - the problem is everywhere.