A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution (RCE) attacks – without any user interaction.
Researchers on Thursday revealed further details behind the critical Android flaw (CVE-2020-0022), which was patched earlier this week as part of Google’s February Android Security Bulletin. The RCE bug poses a critical-severity threat to Android versions Pie (9.0) and Oreo (8.0, 8.1), which together account for almost two-thirds of Android devices at this point, whenever Bluetooth is enabled on them.
On these versions, researchers said that a remote attacker “within proximity” can silently execute arbitrary code with the privileges of the Bluetooth daemon, which is a program that runs in the background and handles specified tasks at predefined times or in response to certain events. The flaw is particularly dangerous because no user interaction is required and only the Bluetooth MAC address of the target devices has to be known to launch the attack, researchers said.
“For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,” German security company ERNW said in a recent analysis. “This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”
The same CVE also impacts Google’s most recent Android version, Android 10. However, on Android 10 the severity rating is moderate and the impact is not an RCE bug, but rather a denial-of-service threat that could crash the Bluetooth daemon, researchers said.
Android versions older than 8.0 might also be affected, but researchers said they have not tested the impact. They said, once they are “confident” all patches have reached the end users, they will publish a technical report on the flaw that includes a description of the exploit as well as proof-of-concept code.
Google said an over-the-air update and firmware images are available for its Pixel and Nexus devices, and third-party carriers will also deliver updates to vendor handsets. Altogether, the company’s February patch roundup for its Android OS included 25 bugs and patches. Nineteen of those vulnerabilities are rated high; four additional bugs are also rated high but are associated with Qualcomm chipsets used inside Android devices.
In the meantime, researchers urge users to install the latest patches from the February Android Security Bulletin. In terms of other mitigations, they said, users can also stay secure by only enabling Bluetooth “if strictly necessary.”
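A fleet-triage helper that applies the facts above to `adb shell getprop` output, added here as an example (not code from the article, ERNW or Google): it treats a security patch level of 2020-02 or later as fixed, flags 8.0/8.1/9 as RCE-exposed and 10 as DoS-exposed when unpatched, and assumes the caller supplies the Bluetooth state (for example from `adb shell settings get global bluetooth_on`).

```python
import re
from datetime import date

# Facts from the article: fixed in the February 2020 bulletin, RCE on Pie/Oreo,
# DoS on Android 10, releases older than 8.0 untested.
FIXED_PATCH_LEVEL = date(2020, 2, 1)
RCE_RELEASES = {"8.0", "8.1", "9"}
DOS_RELEASES = {"10"}

# `getprop` prints one `[key]: [value]` pair per line.
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.M)


def parse_getprop(text: str) -> dict:
    """Parse `adb shell getprop` output into a dict."""
    return dict(_PROP_RE.findall(text))


def parse_patch_level(value: str):
    """ro.build.version.security_patch is YYYY-MM-DD; None if malformed/missing."""
    try:
        y, m, d = (int(x) for x in value.split("-"))
        return date(y, m, d)
    except ValueError:
        return None


def major_minor(release: str) -> str:
    """'8.1.0' -> '8.1', '9' -> '9', '10' -> '10'."""
    return ".".join(release.split(".")[:2])


def assess(props: dict, bluetooth_on: bool) -> str:
    """Classify a device's exposure to CVE-2020-0022."""
    release = major_minor(props.get("ro.build.version.release", ""))
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if patch is not None and patch >= FIXED_PATCH_LEVEL:
        return "patched"
    if not bluetooth_on:
        return "unpatched, bluetooth off"  # not reachable while radio is off
    if release in RCE_RELEASES:
        return "exposed: RCE"
    if release in DOS_RELEASES:
        return "exposed: DoS"
    return "unknown (untested release)"


# Constructed sample output, not captured from a real device.
SAMPLE_GETPROP = """[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2020-01-05]
"""
```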
“CVE-2020-0022 can be exploited by anyone within range of your vulnerable phone who can figure out your Bluetooth MAC address, which is not a difficult exercise,” Jonathan Knudsen, senior security strategist at Synopsys, said in an email. “As a user, keeping current with updates and applying them in a timely manner is important. Unfortunately, many vulnerable, slightly older phones will not have continuing software update support from the manufacturer, which means users are faced with two unattractive options: either disable Bluetooth entirely, or get a newer phone.”
It’s not the first time Bluetooth flaws have left Android devices exposed to various threats. In 2019, researchers found a critical vulnerability (CVE-2019-2009) impacting the Android core system (version 7 and later) related to the Bluetooth component “l2c_lcc_proc_pdu”. The infamous BlueBorne attack uncovered in 2017 also affected Android devices (as well as iOS devices), allowing attackers to jump from one nearby Bluetooth device to another wirelessly.