KDE Connect Information Exchange Protocol Vulnerability Allowing Temporary Device Information Manipulation

Vulnerability

A vulnerability exists in the KDE Connect information-exchange protocol, affecting releases before 2025-04-18. Because device information is exchanged over broadcast UDP, anyone on the local network can craft packets that temporarily alter the information displayed about a device. This vulnerability is present in KDE Connect for Android versions prior to 1.33.0, desktop versions prior to 25.04, iOS versions prior to 0.5, as well as in Valent prior to 1.0.0.alpha.47 and GSConnect prior to 59.

Impact

Exploitation of this vulnerability could lead to user confusion by misrepresenting the identity of a legitimate device, potentially causing the user to pair with the wrong device.

Remediation

Users are advised to update KDE Connect on all devices to a version that is not vulnerable. After the update, ensure that the devices are using protocol version 8, which includes the security fixes. For KDE Connect on Android, this can be checked by selecting a device, opening the overflow menu, and selecting 'Encryption Info'. For KDE Connect on desktop, use the command line tool 'kdeconnect-cli --encryption-info'.
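As an added defensive example (not code from KDE Connect or this advisory), the following Python audit tool parses identity broadcasts and flags two symptoms of the issue above: a device advertising a protocol version below 8, and a device whose name changes between broadcasts for the same deviceId. It assumes the public KDE Connect discovery format (newline-terminated JSON on UDP port 1716 with a "kdeconnect.identity" packet type); the sample packets are constructed test data.

```python
"""Audit KDE Connect identity broadcasts for signs of spoofed device information."""
import json

KDECONNECT_UDP_PORT = 1716   # assumption: standard KDE Connect discovery port
FIXED_PROTOCOL_VERSION = 8   # version the advisory says carries the fixes


class IdentityAuditor:
    """Tracks the last advertised deviceName per deviceId and reports anomalies."""

    def __init__(self):
        self.seen = {}  # deviceId -> last seen deviceName

    def audit(self, raw: bytes) -> list:
        findings = []
        try:
            pkt = json.loads(raw.decode("utf-8").strip())
        except (UnicodeDecodeError, json.JSONDecodeError):
            return ["unparseable packet"]
        if pkt.get("type") != "kdeconnect.identity":
            return []  # only identity packets carry the displayed device info
        body = pkt.get("body", {})
        dev_id, name, version = body.get("deviceId"), body.get("deviceName"), body.get("protocolVersion")
        if not isinstance(dev_id, str) or not dev_id:
            return ["identity packet without deviceId"]
        if not isinstance(version, int) or version < FIXED_PROTOCOL_VERSION:
            findings.append(f"{dev_id}: protocolVersion {version!r} < {FIXED_PROTOCOL_VERSION} (unpatched?)")
        prev = self.seen.get(dev_id)
        if prev is not None and prev != name:
            findings.append(f"{dev_id}: deviceName changed {prev!r} -> {name!r}")
        self.seen[dev_id] = name
        return findings


def make_packet(dev_id: str, name: str, version: int) -> bytes:
    """Build a constructed identity packet for testing (not captured traffic)."""
    body = {"deviceId": dev_id, "deviceName": name, "deviceType": "phone",
            "protocolVersion": version, "tcpPort": KDECONNECT_UDP_PORT}
    return (json.dumps({"id": 1, "type": "kdeconnect.identity", "body": body}) + "\n").encode()


SAMPLE_PACKETS = [  # constructed: two normal broadcasts, one anomalous, one garbage
    make_packet("dev-aaaa", "My Phone", 8),
    make_packet("dev-aaaa", "My Phone", 8),
    make_packet("dev-aaaa", "Office Phone", 7),  # same id, new name, pre-fix version
    b"not json\n",
]


def run_samples() -> list:
    """Feed the constructed packets through one auditor; returns findings per packet."""
    auditor = IdentityAuditor()
    return [auditor.audit(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

To watch live traffic, bind a UDP socket to port 1716 on a host running KDE Connect and pass each received datagram to `IdentityAuditor.audit`.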

Added: Dec 5, 2025, 6:19 AM
Updated: Dec 5, 2025, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread:          5.4
impact:          0.6
exploitability:  4.7
remediation:     8.3
relevance:       1.2
threat:          0.0
urgency:         2.9
incentive:       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.