Android New updates Critical Bluetooth Bug Enables RCE, Without User Permissions

Android Feb 8, 2020

The flaw was recently patched in Android’s February Security Bulletin.

A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution (RCE) attacks – without any user interaction.

Researchers on Thursday revealed further details behind the critical Android flaw (CVE-2020-0022), which was patched earlier in the week as part of Google’s February Android Security Bulletin. The RCE bug poses a critical-severity threat to Android versions Pie (9.0) and Oreo (8.0, 8.1), which account for nearly two-thirds of Android devices at present, if they have Bluetooth enabled.

On these versions, researchers said that a remote attacker “within proximity” can silently execute arbitrary code with the privileges of the Bluetooth daemon, a program that runs in the background and handles specified tasks at predefined times or in response to certain events. The flaw is especially dangerous because no user interaction is required and only the Bluetooth MAC address of the target device has to be known to launch the attack, researchers said.

“For some devices, the Bluetooth MAC address is often deduced from the WiFi MAC address,” German security company ERNW said in a recent analysis. “This vulnerability can cause theft of private data and will potentially be used to spread malware (Short-Distance Worm).”

The same CVE also impacts Google’s most recent Android version, Android 10. However, with Android 10, the severity rating is moderate and the impact is not RCE, but rather a denial of service threat that could result in a crash of the Bluetooth daemon, researchers said.

Android versions older than 8.0 may also be affected, but researchers said they have not tested the impact. They said that once they are “confident” all patches have reached end users, they will publish a technical report on the flaw that includes a description of the exploit as well as proof-of-concept code.

Google said an over-the-air update and firmware images for Google devices are available for its Pixel and Nexus devices, and third-party carriers also will deliver updates to vendor handsets. Altogether, the company’s February patch roundup for its Android OS included 25 bugs and patches. Nineteen of these vulnerabilities are rated high, with four additional bugs also rated high, but related to Qualcomm chipsets used inside Android devices.

In the meantime, researchers urge users to install the latest patches from the February Android Security Bulletin. In terms of other mitigations, they said, users can also stay secure by only enabling Bluetooth “if strictly necessary.”

“CVE-2020-0022 is often exploited by anyone within range of your vulnerable phone who can find out your Bluetooth MAC address, which isn't a difficult exercise,” Jonathan Knudsen, senior security strategist at Synopsys, said in an email. “As a user, keeping current with updates and applying them in a timely manner is vital. Unfortunately, many vulnerable, slightly older phones won't have continuing software update support from the manufacturer, which suggests users are faced with two unattractive options: either disable Bluetooth entirely, or get a more modern phone.”

It’s not the first time Bluetooth flaws have left Android devices exposed to various threats. In 2019, researchers found a critical vulnerability (CVE-2019-2009) impacting the Android core system (version 7 and later) associated with the Bluetooth component “l2c_lcc_proc_pdu”. The infamous BlueBorne attack uncovered in 2017 also affected Android devices (as well as iOS devices), allowing attackers to leap from one nearby Bluetooth device to another wirelessly.
