KDE Project Security Advisory
=============================

Title:        KDE Connect: the fingerprint of the devices can be brute-forced due to truncation
Risk rating:  Medium
CVE:          CVE-2025-32898
Versions:     KDE Connect Android < 1.33.0, KDE Connect desktop < 25.04, KDE Connect iOS < 0.5
Date:         18 April 2025

Overview
========

KDE Connect displays an 8-character-long verification code when pairing two devices that is generated from the devices' public keys. Because this code is short and remains the same between two devices, it is susceptible to brute-force attacks.

CWE-222: Truncation of Security-relevant Information

Impact
======

An attacker could brute-force a key pair such that the resulting verification code matches that of another device they are trying to impersonate.

Workaround
==========

We advise you to stop KDE Connect when on untrusted networks, such as those at airports or conferences.

Solution
========

Update KDE Connect on all your devices to a non-vulnerable version. Fixed versions add a time-based component to the key generation, so that the verification code changes over time. This makes brute-force attacks far less practical, since the attack window is now about one hour, during which the victim would also need to perform the pairing.

Note that, for backwards compatibility, KDE Connect keeps using the previous non-time-based verification codes when pairing with a device that runs an old version of KDE Connect.

You can verify that your devices use protocol version 8, which contains the security fixes:

- In KDE Connect Android: select a device, open the overflow menu and select "Encryption Info".
- In KDE Connect desktop: use the command line tool "kdeconnect-cli --encryption-info".

Other Affected Software
=======================

This vulnerability also affects other implementations of the KDE Connect protocol that are not developed by KDE.

The following implementations are known to have applied a fix:

* Valent: fix added in version 1.0.0.alpha.47
* GSConnect: fix added in version 59

Credits
=======

Thanks to Cezar Lungu for reporting this issue.
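The following Python is an added illustrative model of the weakness and of the time-based fix described under Solution; it is not KDE Connect's own derivation, and the key bytes, hash choice and truncation scheme are constructed assumptions. It shows why a code derived only from the two public keys stays fixed for the lifetime of the keys, while mixing in an hour bucket makes a matching code expire with the window.

```python
import hashlib
import hmac
import time

# Constructed sample "public keys": stand-ins for the real encoded
# certificates/keys that two pairing devices exchange (assumption).
PUB_DEVICE_A = b"-- constructed public key of device A --"
PUB_DEVICE_B = b"-- constructed public key of device B --"

CODE_LENGTH = 8          # the advisory's 8-character verification code
WINDOW_SECONDS = 3600    # the advisory's "about one hour" window


def _shared_material(pub_local: bytes, pub_remote: bytes) -> bytes:
    """Order-independent input so both devices derive the same code."""
    return b"".join(sorted((pub_local, pub_remote)))


def legacy_code(pub_local: bytes, pub_remote: bytes) -> str:
    """Pre-fix model: the code depends only on the two keys, so it never
    changes; a key pair that happens to match stays valid indefinitely."""
    digest = hashlib.sha256(_shared_material(pub_local, pub_remote)).hexdigest()
    return digest[:CODE_LENGTH].upper()


def time_bound_code(pub_local: bytes, pub_remote: bytes, unix_time: float) -> str:
    """Post-fix model: mix the current hour bucket into the derivation, so a
    code that matched in one window is no longer valid in the next."""
    bucket = int(unix_time) // WINDOW_SECONDS
    material = _shared_material(pub_local, pub_remote) + bucket.to_bytes(8, "big")
    return hashlib.sha256(material).hexdigest()[:CODE_LENGTH].upper()


def verify_peer_code(pub_local: bytes, pub_remote: bytes,
                     code_shown_by_peer: str, unix_time: float) -> bool:
    """The check a user performs when comparing both screens: accept only if
    the peer's code equals the one derived locally for the current window."""
    expected = time_bound_code(pub_local, pub_remote, unix_time)
    return hmac.compare_digest(expected, code_shown_by_peer.upper())


if __name__ == "__main__":
    now = time.time()
    print("legacy code (never changes):", legacy_code(PUB_DEVICE_A, PUB_DEVICE_B))
    print("this hour's code:           ", time_bound_code(PUB_DEVICE_A, PUB_DEVICE_B, now))
    print("next hour's code:           ", time_bound_code(PUB_DEVICE_A, PUB_DEVICE_B, now + WINDOW_SECONDS))
```

A real implementation must also tolerate some clock skew between the two devices, which this model deliberately ignores.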