CVE-2016-6539

Public Exploit

TrackR Bravo MAC address can be exposed in close proximity and used to obtain the device ID

Description

The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices. Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address the vulnerabilities in CVE-2016-6538, CVE-2016-6539, CVE-2016-6540 and CVE-2016-6541.

References

Link	Tags
http://www.securityfocus.com/bid/93874	third party advisory vdb entry
https://www.kb.cert.org/vuls/id/TNOY-AF3KCZ	third party advisory us government resource
https://blog.rapid7.com/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities/	third party advisory exploit technical description
https://www.kb.cert.org/vuls/id/617567	third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2016-6539?: CVE-2016-6539 has been scored as a low severity vulnerability.
How to fix CVE-2016-6539?: To fix CVE-2016-6539, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-6539 being actively exploited in the wild?: It is possible that CVE-2016-6539 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-6539?: CVE-2016-6539 affects TrackR Bravo Mobile Application, TrackR Bravo Mobile Application.

Description

Category

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

References

Frequently Asked Questions