Jump to content

Google fixes no-user-interaction bug in Android's Bluetooth component


Recommended Posts

Fixes are available via the Android Security Bulletin for February 2020.




Google has patched this week a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms, experts said.


Fixes for the bug are available via the Android February 2020 Security Bulletin, which has been available for download starting this week.


The actual bug is tracked as CVE-2020-0022, and was discovered and reported to Google by experts from German cyber-security firm ERNW.

Can be used to create self-spreading Bluetooth worms

Researchers said that exploiting the bug requires no user interaction. All that is required is that the user has Bluetooth enabled on his device.


However, while this requirement would have limited the attack surface in past years, it does not today since modern Android OS versions ship with Bluetooth enabled by default and many Android users use Bluetooth-based headphones meaning the Bluetooth service is likely to be enabled on many handsets.


Proximity to a target is also required, but this is self-implied for any type of Bluetooth exploitation.


The ERNW researchers say the bug allows an attacker to "silently execute arbitrary code with the privileges of the Bluetooth daemon."



"No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address," they added.


"This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm)," the ERNW researchers said.

Bug works on Android 9 and earlier

The vulnerability was successfully tested on Android 8 and 9, but researchers believe older versions are also likely vulnerable.


CVE-2020-0022 doesn't work on Android 10, though, where it only causes a crash of the Bluetooth daemon.


The ERNW team said it plans to publish in-depth technical details about this bug later, but, in the meantime, they're giving Android users a warning and more time to install the February 2020 security updates.


If users can't update -- for various reasons -- then they can use follow simple rules to prevent attacks:


  • Only enable Bluetooth if strictly necessary.
  • Keep your device non-discoverable. Most devices are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.


The ERNW team also said they plan to publish proof-of-concept code to reproduce the bug, which will most likely be weaponized by some bad actors.



Link to comment
Share on other sites

  • Replies 0
  • Created
  • Last Reply

Top Posters In This Topic

  • steven36


Popular Days

Top Posters In This Topic

Popular Days

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...