Critical Bluetooth Vulnerability Exposes Android Devices to Attacks
One of the security flaws that Google addressed with the February 2020 set of Android patches is a critical vulnerability in Bluetooth that could lead to code execution.
A total of 25 vulnerabilities were fixed with Android’s February 2020 security updates, and the most important of them are two critical severity issues in System.
One of these is CVE-2020-0022, a bug in the Bluetooth component that an attacker can exploit remotely to run arbitrary code on vulnerable devices.
An attacker within proximity can exploit the flaw for silent code execution with the privileges of the Bluetooth daemon. While no user interaction is required for the attack to be successful, the adversary needs to know the target device’s Bluetooth MAC address and Bluetooth has to be enabled.
The issue was discovered by security researcher Jan Ruge of the Secure Mobile Networking Lab at the Technische Universität Darmstadt in Germany, who explains that an attacker could deduce the Bluetooth MAC address of some devices from their WiFi MAC address.
“This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm),” the researcher notes.
What is important to underline, however, is that only Android 8.0 and 9.0 devices were found prone to remote code execution. On Android 10 devices, exploitation of the issue could only lead to a crash of the Bluetooth daemon, causing denial of service.
Devices running Android versions older than 8.0 might be impacted as well, but the researcher says that impact on those devices hasn’t been evaluated yet.
Only the Android Bluetooth stack is affected by the vulnerability. Linux systems usually use BlueZ, which is a different implementation, and the researcher says the same technique did not result in a crash on Ubuntu.
To ensure they are safe from any exploitation attempts, Android users should install the February 2020 security updates for the platform. Any device running security patch level 2020-02-01 or later should be protected.
For devices that have yet to receive a patch or which are no longer supported, mitigation steps include keeping Bluetooth disabled except when strictly necessary, and ensuring that the device is non-discoverable whenever Bluetooth is enabled.
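The two facts above (fixed at patch level 2020-02-01; remote code execution on Android 8.x/9.x, denial of service only on Android 10, older releases not evaluated) are enough for a fleet triage check. The following is an added example written for this page, not code from the article or the researcher. It assumes that device inventory values were collected from the standard build properties `ro.build.version.release` and `ro.build.version.security_patch` (for example via `adb shell getprop`); the inventory rows in the block are constructed sample data.

```python
from datetime import date
from typing import Dict, List, Tuple

# Security patch level that includes the fix for CVE-2020-0022 (from the advisory).
FIXED_PATCH_LEVEL = date(2020, 2, 1)


def parse_patch_level(value: str) -> date:
    """Parse an Android security patch level string such as '2020-02-01'."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def major_version(release: str) -> int:
    """Reduce a 'ro.build.version.release' value ('9', '8.1.0', '10') to its major number."""
    return int(release.strip().split(".")[0])


def classify(release: str, patch_level: str) -> str:
    """Return the exposure class of one device for CVE-2020-0022.

    'patched'        patch level is 2020-02-01 or later, regardless of release
    'rce-exposed'    unpatched Android 8.x or 9.x (remote code execution reported)
    'dos-exposed'    unpatched Android 10 (only a Bluetooth daemon crash reported)
    'not-evaluated'  unpatched release older than 8.0 (impact not assessed)
    'unknown'        malformed input or a release the article does not cover
    """
    try:
        if parse_patch_level(patch_level) >= FIXED_PATCH_LEVEL:
            return "patched"
        major = major_version(release)
    except ValueError:
        return "unknown"

    if major in (8, 9):
        return "rce-exposed"
    if major == 10:
        return "dos-exposed"
    if major < 8:
        return "not-evaluated"
    return "unknown"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (device_id, release, patch_level) row to its exposure class."""
    return {device_id: classify(release, patch) for device_id, release, patch in inventory}


# Constructed sample inventory (device id, ro.build.version.release, ro.build.version.security_patch).
SAMPLE_INVENTORY = [
    ("phone-01", "9", "2020-02-01"),      # patched on the fix date
    ("phone-02", "8.1.0", "2020-01-05"),  # unpatched Oreo: RCE
    ("phone-03", "10", "2019-12-01"),     # unpatched Android 10: DoS only
    ("phone-04", "7.1.2", "2019-08-05"),  # older release, not evaluated
    ("phone-05", "9", "n/a"),             # missing patch level: unknown
]


def exposed_devices(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """List device ids that still need the February 2020 update or a Bluetooth policy."""
    return [d for d, cls in triage(inventory).items() if cls != "patched"]


if __name__ == "__main__":
    for device, cls in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {cls}")
```

Devices returned by `exposed_devices` are the ones to prioritise for the update, or to cover with a policy that keeps Bluetooth off and non-discoverable until the update lands.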
Ruge says that a technical report on the vulnerability, along with proof-of-concept code, will be published after the security patches have been rolled out to end users.