Overview
The lifetime of this ID is important because it will uniquely identify your phone for this time interval. It doesn't say who you are, but it allows any Bluetooth device in range to know that it's the same phone it saw earlier. A simple example of how this could be abused is that it allows someone to track your movement as your ID shows up in multiple locations. Devices recording these IDs could provide effective distributed location tracing. This is why it's very important that the same ID is used for the shortest possible period.
A slightly more complicated example is that if I already know who someone is and can record their ID (by being within 20 metres of them for a few seconds), then I now can track that exact person. This would be especially worrying to victims of domestic violence (also note that the issues described here do not require access to an unlocked phone).
From: https://docs.google.com/document/d/1u5a5ersKBH6eG362atALrzuXo3zuZ70qrGomWVEC27U/preview#
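The check below is an added example, not code from the quoted document or from either app. It measures, from a capture taken of a test handset under audit, how long each broadcast ID stayed linkable; the log format, the sample IDs and the 15-minute limit are assumptions, since the page states no rotation interval.

```python
from datetime import datetime, timedelta

# Constructed capture from a test handset under audit: "<ISO timestamp> <broadcast ID>".
# The IDs and times are made up for illustration.
SAMPLE_CAPTURE = """\
2020-05-01T09:00:00 id-a1
2020-05-01T09:07:00 id-a1
2020-05-01T09:15:00 id-b2
2020-05-01T09:29:00 id-b2
2020-05-01T09:30:00 id-c3
2020-05-01T11:45:00 id-c3
2020-05-01T11:50:00 id-d4
2020-05-01T12:20:00 id-a1
"""

# Assumed policy limit; the page does not state the intended rotation interval.
MAX_LIFETIME = timedelta(minutes=15)

def parse_capture(text):
    """Return (datetime, id) pairs sorted by time, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            stamp, ident = line.split()
            rows.append((datetime.fromisoformat(stamp), ident))
    return sorted(rows)

def linkable_windows(rows):
    """Map each ID to (first_seen, last_seen), the span over which sightings link up."""
    windows = {}
    for stamp, ident in rows:
        first, _ = windows.get(ident, (stamp, stamp))
        windows[ident] = (first, stamp)
    return windows

def audit(text, max_lifetime=MAX_LIFETIME):
    """Return {id: span} for every ID whose linkable window exceeds max_lifetime."""
    return {ident: last - first
            for ident, (first, last) in linkable_windows(parse_capture(text)).items()
            if last - first > max_lifetime}

if __name__ == "__main__":
    for ident, span in audit(SAMPLE_CAPTURE).items():
        print(f"{ident}: same ID observed across {span}")
```

An ID that reappears after a rotation (id-a1 in the sample) is counted from its first sighting to its last, because reuse extends the linkable window just as a missed rotation does.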
Impact / Risk
This was possible by anyone for 17 days in Australia until yesterday. Singapore fixed it same day. This is the privacy breach. This is why I strongly recommended against usage of #covidsafeapp if you are an at risk target. https://t.co/2mvZafqUfX https://t.co/u67PKjbkSm
— geoffrey huntley (@GeoffreyHuntley) May 15, 2020
Timeline
- This issue was first reported to privacy@health.gov.au at 1:19am on 27/04/2020, and subsequently by in-app feedback later that day. It was also reported to asd.assist@defence.gov.au at 4:52pm on 27/04/2020.
- This issue was first reported to the Singapore OpenTrace team at 12:38am on 30/04/2020 and was fixed in this commit to the opentrace-android repository at 7:11pm on the same day.
- This issue was fixed in v1.0.17 released on 14/05/2020 (see note at end).