CVE Details

Lack of Bluetooth LE pairing and access control in Fastrack Reflex 2.0 activity tracker

CVE-ID
CVE-2021-35952
Vendor
Fastrack
Product
Fastrack Reflex 2.0 Activity Tracker
Vulnerability
Lack of Bluetooth LE pairing and access control allows changing time/date/month without authorization.
Vulnerability Description
During BLE analysis, the characteristic at handle 0x0017 was found to be writable without pairing or authorization. An attacker within BLE range may modify the device's time and date.
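The missing control, shown as an added example (not vendor firmware and not code from this advisory): a simplified GATT-server write gate that ties write access to link security, plus an audit helper that flags writable attributes with no security requirement. The permission flag names, struct layouts and attribute tables are assumptions constructed for illustration; only handle 0x0017 comes from the advisory, and the ATT error codes are those of the Bluetooth Core Specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ATT error codes as defined in the Bluetooth Core Specification. */
#define ATT_OK                      0x00
#define ATT_ERR_INVALID_HANDLE      0x01
#define ATT_ERR_WRITE_NOT_PERMITTED 0x03
#define ATT_ERR_INSUFF_AUTHEN       0x05
#define ATT_ERR_INSUFF_ENCRYPT      0x0F
/* Hypothetical permission flags; real stacks use their own names. */
#define PERM_WRITE         0x01  /* attribute accepts writes at all */
#define PERM_WRITE_ENCRYPT 0x02  /* write needs an encrypted link */
#define PERM_WRITE_AUTHEN  0x04  /* write needs an authenticated pairing */

struct link_state { bool encrypted, authenticated; };
struct attr { uint16_t handle; uint8_t perm; };

/* Constructed tables: only handle 0x0017 comes from the advisory. */
const struct attr weak_tbl[] = { {0x0015, 0}, {0x0017, PERM_WRITE} };
const struct attr hard_tbl[] = { {0x0015, 0},
    {0x0017, PERM_WRITE | PERM_WRITE_ENCRYPT | PERM_WRITE_AUTHEN} };
const struct link_state unpaired = {false, false}, bonded = {true, true};

/* Simplified server-side gate run before a write reaches the handler. */
uint8_t att_check_write(const struct attr *t, size_t n, uint16_t handle,
                        const struct link_state *ls)
{
    for (size_t i = 0; i < n; i++) {
        if (t[i].handle != handle) continue;
        if (!(t[i].perm & PERM_WRITE)) return ATT_ERR_WRITE_NOT_PERMITTED;
        if ((t[i].perm & PERM_WRITE_ENCRYPT) && !ls->encrypted)
            return ATT_ERR_INSUFF_ENCRYPT;
        if ((t[i].perm & PERM_WRITE_AUTHEN) && !ls->authenticated)
            return ATT_ERR_INSUFF_AUTHEN;
        return ATT_OK;
    }
    return ATT_ERR_INVALID_HANDLE;
}

/* Audit helper: count writable attributes with no link-security requirement. */
size_t count_open_writes(const struct attr *t, size_t n)
{
    size_t open = 0;
    for (size_t i = 0; i < n; i++)
        if ((t[i].perm & PERM_WRITE) &&
            !(t[i].perm & (PERM_WRITE_ENCRYPT | PERM_WRITE_AUTHEN)))
            open++;
    return open;
}
```

With the weak table an unpaired central's write to 0x0017 is accepted; with the hardened table the same request is refused until the link is encrypted and authenticated.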
Disclosure Timeline
17 Nov 2020 — Reported to vendor
30 Jun 2021 — No response; moving forward to public disclosure
Credit
Shakir Zari