Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

One of the security flaws that Google addressed with the February 2020 set of Android patches is a critical vulnerability in Bluetooth that could lead to code execution.

One of the security flaws that Google addressed with the February 2020 set of Android patches is a critical vulnerability in Bluetooth that could lead to code execution.

A total of 25 vulnerabilities were fixed with Android’s February 2020 security updates, and the most important of them are two critical severity issues is System.

One of these is CVE-2020-0022, a bug impacting the Bluetooth component, and which can be exploited by an attacker to run arbitrary code on vulnerable devices, remotely.

An attacker within proximity can exploit the flaw for silent code execution with the privileges of the Bluetooth daemon. While no user interaction is required for the attack to be successful, the adversary needs to know the target device’s Bluetooth MAC address and Bluetooth has to be enabled.

The issue was discovered by security researcher Jan Ruge of the Secure Mobile Networking Lab at the Technische Universität Darmstadt in Germany, who explains that an attacker could deduce the Bluetooth MAC address of some devices from their WiFi MAC address.

“This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm),” the researcher notes.

Advertisement. Scroll to continue reading.

What is important to underline, however, is that only Android 8.0 and 9.0 devices were found prone to remote code execution. On Android 10 devices, exploitation of the issue could only lead to a crash of the Bluetooth daemon, causing denial of service.

Devices running Android versions older than 8.0 might be impacted as well, but the researcher says that impact on those devices hasn’t been evaluated yet.

Only the Android Bluetooth Stack is affected by the vulnerability. Linux systems usually use Bluez, which is different, and the researcher says the same technique did not result in a crash on Ubuntu.

To ensure they are safe from any exploitation attempts, Android users should install the February 2020 security updates for the platform. Any device running security patch level 2020-02-01 or later should be protected.

For devices that have yet to receive a patch or which are no longer supported, mitigation steps include keeping Bluetooth disabled at all times, and only enabling it when strictly necessary, as well as ensuring that the device is non-discoverable when Bluetooth is enabled.

Ruge says that a technical report on the vulnerability, along with proof-of-concept code, will be published after the security patches have been rolled out to end users.

Related: Android’s February 2020 Update Patches Critical System Vulnerabilities

Related: Android’s January 2020 Update Patches 40 Vulnerabilities

Related: ‘StrandHogg’ Vulnerability Exploited by Malicious Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.