ID

VAR-201907-1036


CVE

CVE-2014-10374


TITLE

Fitbit Charge 2 Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2019-006734

DESCRIPTION

On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations. Fitbit Charge 2 contains an information disclosure vulnerability. Information may be obtained. Fitbit activity-tracker is a smart sports watch made by Fitbit Company in the United States. This vulnerability stems from configuration errors in network systems or products during operation. An unauthorized attacker could exploit the vulnerability to obtain sensitive information of the affected components.

Trust: 1.71

sources: NVD: CVE-2014-10374 // JVNDB: JVNDB-2019-006734 // VULHUB: VHN-68947

IOT TAXONOMY

category: ['industrial device'], sub_category: tracker

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: fitbit, model: charge 2, scope: eq, version: -

Trust: 1.0

vendor: fitbit, model: charge 2, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2019-006734 // NVD: CVE-2014-10374

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-10374
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-10374
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201907-756
value: MEDIUM

Trust: 0.6

VULHUB: VHN-68947
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-10374
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-68947
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2014-10374
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-68947 // JVNDB: JVNDB-2019-006734 // CNNVD: CNNVD-201907-756 // NVD: CVE-2014-10374

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-68947 // JVNDB: JVNDB-2019-006734 // NVD: CVE-2014-10374

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201907-756

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201907-756

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006734

PATCH

title: fitbit charge 2, url: https://www.fitbit.com/jp/charge2

Trust: 0.8

sources: JVNDB: JVNDB-2019-006734

EXTERNAL IDS

db: NVD, id: CVE-2014-10374

Trust: 2.6

db: JVNDB, id: JVNDB-2019-006734

Trust: 0.8

db: CNNVD, id: CNNVD-201907-756

Trust: 0.7

db: OTHER, id: NONE

Trust: 0.1

db: VULHUB, id: VHN-68947

Trust: 0.1

sources: OTHER: None // VULHUB: VHN-68947 // JVNDB: JVNDB-2019-006734 // CNNVD: CNNVD-201907-756 // NVD: CVE-2014-10374

REFERENCES

url: https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf

Trust: 2.5

url: https://twitter.com/tedonprivacy/status/1151390589990187008

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2014-10374

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-10374

Trust: 0.8

url: https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // VULHUB: VHN-68947 // JVNDB: JVNDB-2019-006734 // CNNVD: CNNVD-201907-756 // NVD: CVE-2014-10374

SOURCES

db: OTHER, id: -
db: VULHUB, id: VHN-68947
db: JVNDB, id: JVNDB-2019-006734
db: CNNVD, id: CNNVD-201907-756
db: NVD, id: CVE-2014-10374

LAST UPDATE DATE

2025-01-30T22:28:38.441000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-68947, date: 2019-07-24T00:00:00
db: JVNDB, id: JVNDB-2019-006734, date: 2019-07-25T00:00:00
db: CNNVD, id: CNNVD-201907-756, date: 2019-07-25T00:00:00
db: NVD, id: CVE-2014-10374, date: 2024-11-21T02:03:28.753

SOURCES RELEASE DATE

db: VULHUB, id: VHN-68947, date: 2019-07-15T00:00:00
db: JVNDB, id: JVNDB-2019-006734, date: 2019-07-25T00:00:00
db: CNNVD, id: CNNVD-201907-756, date: 2019-07-15T00:00:00
db: NVD, id: CVE-2014-10374, date: 2019-07-15T13:15:10.967