Critical Android Bluetooth Bug Enables RCE, No User Interaction Needed

The flaw was recently patched in Android’s February Security Bulletin.

A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution (RCE) attacks – without any user interaction.

Researchers on Thursday revealed further details behind the critical Android flaw (CVE-2020-0022), which was patched earlier this week as part of Google’s February Android Security Bulletin. The RCE bug poses a critical-severity threat to devices with Bluetooth enabled that run Android Pie (9.0) or Oreo (8.0, 8.1), versions that account for almost two-thirds of Android devices at this point.

On these versions, researchers said that a remote attacker “within proximity” can silently execute arbitrary code with the privileges of the Bluetooth daemon, which is a program that runs in the background and handles specified tasks at predefined times or in response to certain events. The flaw is particularly dangerous because no user interaction is required and only the Bluetooth MAC address of the target devices has to be known to launch the attack, researchers said.

“For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,” German security company ERNW said in a recent analysis. “This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”

The same CVE also impacts Google’s most recent Android version, Android 10. However, with Android 10, the severity rating is moderate and the impact is not an RCE bug, but rather a denial-of-service threat which could result in the crash of the Bluetooth daemon, researchers said.

Android versions older than 8.0 might also be affected, but researchers said they have not tested the impact. They said, once they are “confident” all patches have reached the end users, they will publish a technical report on the flaw that includes a description of the exploit as well as proof-of-concept code.

Google said an over-the-air update and firmware images are available for its Pixel and Nexus devices, and third-party carriers will also deliver updates to vendor handsets. Altogether, the company’s February patch roundup for its Android OS included 25 bugs and patches. Nineteen of those vulnerabilities are rated high, with four additional bugs also rated high, but associated with Qualcomm chipsets used inside Android devices.

In the meantime, researchers urge users to install the latest patches from the February Android Security Bulletin. In terms of other mitigations, they said, users can also stay secure by only enabling Bluetooth “if strictly necessary.”
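A triage check built on the version and severity breakdown above, as an added example that is not code from the article, ERNW or Google. The `2020-02-01` patch-level threshold, the function names and the sample inventory are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: triage exposure to CVE-2020-0022 from two Android build properties.
# On a connected device the inputs come from:
#   adb shell getprop ro.build.version.release
#   adb shell getprop ro.build.version.security_patch
# ASSUMPTION: 2020-02-01 as the fixing patch level is not stated in the article.
FIXED_LEVEL="${FIXED_LEVEL:-2020-02-01}"

classify_cve_2020_0022() {
    release="$1"; patch="$2"
    # Refuse malformed patch levels instead of comparing garbage.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown: bad patch level"; return 0 ;;
    esac
    # ISO dates compare correctly as integers once the dashes are removed.
    p=$(printf '%s' "$patch" | tr -d '-')
    f=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$p" -ge "$f" ]; then echo "patched"; return 0; fi
    # Severity by major release, as reported in the article.
    major="${release%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo "unknown: bad release" ;;
        8|9)   echo "critical: RCE via Bluetooth" ;;
        10)    echo "moderate: Bluetooth daemon DoS" ;;
        [0-7]) echo "untested: may be affected" ;;
        *)     echo "unknown: release not covered by the article" ;;
    esac
}

# Reads "name release patch_level" lines on stdin, prints name<TAB>verdict.
triage_inventory() {
    while read -r name release patch; do
        [ -n "$name" ] || continue
        printf '%s\t%s\n' "$name" "$(classify_cve_2020_0022 "$release" "$patch")"
    done
}

# Constructed sample inventory (hypothetical device names and patch levels).
triage_inventory <<'EOF'
handset-a 10 2020-01-05
handset-b 8.1.0 2018-12-05
handset-c 9 2020-02-01
handset-d 7.1.2 2018-06-01
EOF
```

Devices reported as critical or untested that cannot receive the February update are the ones where the article's fallback, enabling Bluetooth only if strictly necessary, applies.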

“CVE-2020-0022 can be exploited by anyone within range of your vulnerable phone who can figure out your Bluetooth MAC address, which is not a difficult exercise,” Jonathan Knudsen, senior security strategist at Synopsys, said in an email. “As a user, keeping current with updates and applying them in a timely manner is important. Unfortunately, many vulnerable, slightly older phones will not have continuing software update support from the manufacturer, which means users are faced with two unattractive options: either disable Bluetooth entirely, or get a newer phone.”

It’s not the first time Bluetooth flaws have left Android devices exposed to various threats. In 2019, researchers found a critical vulnerability (CVE-2019-2009) impacting the Android core system (version 7 and later) related to the Bluetooth component “l2c_lcc_proc_pdu”. The infamous BlueBorne attack uncovered in 2017 also affected Android devices (as well as iOS devices), allowing attackers to jump from one nearby Bluetooth device to another wirelessly.

Discussion

  • Barry cash on

    I think it's done it to my phone and my phone is going stupid on me
  • Robert on

    It's impossible to update Android 8.1 on Nexus 5x to correct this bug because of Google end of life support, so how can we deal with it?
  • you can call me X, Mr X on

    Root your phone, take full ownership of your phone. Install a custom ROM and update whatever suits you.
  • Larx Knight on

    Same way you deal with it on Android phones. You buy a more up to date supported handset. And don't be fooled, apart from Google Pixel line and Samsung S10, I am not aware of any other manufacturer that, as of 11th February, has released February patches.
