Because several people were asking about #Bluetooth, I'll make a thread. But I might ignore further questions, especially regarding over-the-air exploits. #DP3T

• BLE advertisements have a longer range than 2m, but are way more accurate than LTE cell towers. (1/n)
• BLE advertisement distance measurement accuracy depends a lot on the chips, meaning that they will work well within the Apple ecosystem, but probably not so well on some Androids. (2/n)
• The Singapore app solves this by maintaining active BLE/GATT connections, which provides better measurements, but drains battery power.
• On iOS, the BLE/GATT handler has been extensively tested for security issues and is definitely one of the better ones by now. (3/n)
• Using Bluetooth tracking requires users to enable Bluetooth. On some Androids (Xiaomi, OnePlus) this automatically makes your smartphone detectable over Classic BT.
• Being detectable via Classic BT without Software-Defined Radio opens further attack vectors. (4/n)
• CVE-2020-0022 aka #BlueFrag allows RCE on Android 8&9 (maybe also others) via Bluetooth but requires an active connection. BLE advertisements don't require this, but being visible in Classic BT opens this attack vector. The heap spray still takes a few minutes, though. (5/n)
• Broadcom didn't patch a BLE vulnerability in their stack that Jan reported in July 2019 (CVE-2019-13916). Advertisements cannot exploit it, active connections could, depending on the host stack. (6/n)
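The point in (2/n) that advertisement-based distance estimates depend on the chip can be made concrete with the log-distance path-loss model that RSSI-to-distance conversion typically relies on. The following is an added example, not code from the thread author or from the DP3T project; the 1 m reference RSSI of -59 dBm, the path-loss exponent of 2.0 and the 6 dB chip offset are assumed illustration values, not measurements.

```python
import math

# Assumed calibration: RSSI (dBm) that the receiver expects to see from a
# sender exactly 1 m away. Real values differ per chip and antenna.
REFERENCE_DISTANCE_M = 1.0
DEFAULT_RSSI_AT_1M = -59.0
DEFAULT_PATH_LOSS_EXPONENT = 2.0  # free-space-like propagation (assumption)


def estimate_distance(rssi_dbm, rssi_at_1m=DEFAULT_RSSI_AT_1M,
                      exponent=DEFAULT_PATH_LOSS_EXPONENT):
    """Convert a measured RSSI into an estimated distance in metres."""
    return REFERENCE_DISTANCE_M * 10 ** ((rssi_at_1m - rssi_dbm) / (10 * exponent))


def expected_rssi(distance_m, rssi_at_1m=DEFAULT_RSSI_AT_1M,
                  exponent=DEFAULT_PATH_LOSS_EXPONENT):
    """Inverse of estimate_distance: RSSI the model predicts at a distance."""
    return rssi_at_1m - 10 * exponent * math.log10(distance_m / REFERENCE_DISTANCE_M)


def distance_seen_with_chip_offset(true_distance_m, offset_db):
    """Distance a receiver reports when the sender's chip radiates offset_db
    stronger (+) or weaker (-) than the receiver's calibration assumes."""
    measured = expected_rssi(true_distance_m) + offset_db
    return estimate_distance(measured)


def within_contact_range(rssi_dbm, threshold_m=2.0):
    """Proximity decision as a contact-tracing app might make it."""
    return estimate_distance(rssi_dbm) <= threshold_m


if __name__ == "__main__":
    # Constructed scenario: two phones really are 2 m apart, but the sender's
    # chip is 6 dB weaker than the calibration assumes, so the receiver
    # believes they are roughly 4 m apart and drops the contact.
    for offset in (-6.0, 0.0, 6.0):
        d = distance_seen_with_chip_offset(2.0, offset)
        print(f"chip offset {offset:+.0f} dB -> reported {d:.2f} m, "
              f"contact={d <= 2.0}")
```

Because the model is exponential in RSSI, every 6 dB of uncalibrated per-chip offset roughly halves or doubles the reported distance, which is why a fixed 2 m threshold behaves differently across device models unless per-chip calibration is applied.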
You can follow @naehrdine.