Connect with us

Hi, what are you looking for?


Mobile & Wireless

Critical Bluetooth Vulnerability Exposes Android Devices to Attacks

One of the security flaws that Google addressed with the February 2020 set of Android patches is a critical vulnerability in Bluetooth that could lead to code execution.

One of the security flaws that Google addressed with the February 2020 set of Android patches is a critical vulnerability in Bluetooth that could lead to code execution.

A total of 25 vulnerabilities were fixed with Android’s February 2020 security updates, and the most important of them are two critical severity issues is System.

One of these is CVE-2020-0022, a bug impacting the Bluetooth component, and which can be exploited by an attacker to run arbitrary code on vulnerable devices, remotely.

An attacker within proximity can exploit the flaw for silent code execution with the privileges of the Bluetooth daemon. While no user interaction is required for the attack to be successful, the adversary needs to know the target device’s Bluetooth MAC address and Bluetooth has to be enabled.

The issue was discovered by security researcher Jan Ruge of the Secure Mobile Networking Lab at the Technische Universität Darmstadt in Germany, who explains that an attacker could deduce the Bluetooth MAC address of some devices from their WiFi MAC address.

“This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm),” the researcher notes.

What is important to underline, however, is that only Android 8.0 and 9.0 devices were found prone to remote code execution. On Android 10 devices, exploitation of the issue could only lead to a crash of the Bluetooth daemon, causing denial of service.

Devices running Android versions older than 8.0 might be impacted as well, but the researcher says that impact on those devices hasn’t been evaluated yet.

Advertisement. Scroll to continue reading.

Only the Android Bluetooth Stack is affected by the vulnerability. Linux systems usually use Bluez, which is different, and the researcher says the same technique did not result in a crash on Ubuntu.

To ensure they are safe from any exploitation attempts, Android users should install the February 2020 security updates for the platform. Any device running security patch level 2020-02-01 or later should be protected.

For devices that have yet to receive a patch or which are no longer supported, mitigation steps include keeping Bluetooth disabled at all times, and only enabling it when strictly necessary, as well as ensuring that the device is non-discoverable when Bluetooth is enabled.

Ruge says that a technical report on the vulnerability, along with proof-of-concept code, will be published after the security patches have been rolled out to end users.

Related: Android’s February 2020 Update Patches Critical System Vulnerabilities

Related: Android’s January 2020 Update Patches 40 Vulnerabilities

Related: ‘StrandHogg’ Vulnerability Exploited by Malicious Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.