A critical flaw in Android’s Bluetooth implementation that allows remote code execution without user interaction has been discovered by German IT security provider ERNW,
The vulnerability affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0). For these devices, which between them account for almost two-thirds of Android devices in use, the flaw is rated critical by Google, who has rolled out a security update to address the flaw.
On the above mentioned Android os versions, researchers said that a remote attacker “within proximity” can silently execute arbitrary code with the privileges of the Bluetooth daemon, which is a program that runs in the background and handles specified tasks at predefined times or in response to certain events.
The flaw is particularly dangerous because no user interaction is required and only the Bluetooth MAC address of the target devices has to be known to launch the attack.
ERNW stated,
On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known.
For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,
This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).
The same CVE also impacts Google’s most recent Android version, Android 10. However, with Android 10, the severity rating is moderate and the impact is not a RCE bug, but rather a denial of service threat which could result in the crash of the Bluetooth daemon.
Android versions older than 8.0 might also be affected, but researchers said they have not tested the impact. They said, once they are “confident” all patches have reached the end users, they will publish a technical report on the flaw that includes a description of the exploit as well as proof-of-concept code.
Users are strongly advised to install the latest available security patch from February 2020. If you have no patch available yet or your device is not supported anymore, you can try to mitigate the impact by some generic behavior rules:
- Only enable Bluetooth if strictly necessary.
- Keep your device non-discoverable.
