[Suggested description]
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. (Various resources such as wigle.net can be used for mapping of SSIDs to physical locations.)
------------------------------------------
[Additional Information]
The access point is only detectable when the device is turned on. As the device is turned on only for limited periods, fewer devices are detected via Wigle than one might expect. Wigle.net is a site which maps SSIDs to physical locations. Using this site, it is possible to filter on specific SSIDs. When a filter is applied to find the default SSID of the Siime Eye, it is possible to find several devices across the globe. The map shown on Wigle gives an approximate physical location for the device and hence makes physical or physical-proximity attacks more likely. In addition, it violates the user's privacy, as anyone on the internet can detect where the devices are being used.
------------------------------------------
[VulnerabilityType Other]
Information disclosure
------------------------------------------
[Vendor of Product]
Svakom
------------------------------------------
[Affected Product Code Base]
Siime Eye - 14.1.00000001.3.330.0.0.3.14
------------------------------------------
[Affected Component]
Siime Eye Wi-Fi access point
------------------------------------------
[Attack Type]
Context-dependent
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
To exploit this issue, an attacker simply needs to search for the Siime Eye SSID on wigle.net.
------------------------------------------
[Reference]
https://wigle.net
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Edwin Gozeling from Qbit cyber security, on assignment from the Consumentenbond.

Use CVE-2020-11917.