Researcher finds critical bluetooth leak in Android 8 and 9


A German security researcher has discovered a critical vulnerability in Android 8.0 and 9.0 that makes it possible to execute arbitrary code on smartphones within the context of a Bluetooth daemon.

For an attack via this vulnerability to succeed, it is only necessary that the user has Bluetooth enabled and that the Bluetooth MAC address is known. On some smartphones, that MAC address can be derived from the WiFi MAC address. The attacker could then remotely execute arbitrary code with the permissions of the Bluetooth daemon, without any further user interaction.

According to the man who discovered the vulnerability, Jan Ruge of the Secure Mobile Networking Lab at the Technische Universität Darmstadt, the vulnerability can be exploited to steal personal data and spread malware such as worms, although this is only possible within a relatively short distance of a vulnerable device.

For Android Oreo 8.0 and 8.1 and Pie 9.0, the vulnerability has been rated critical because of its code execution capability. On Android 10 that is not the case, but the Bluetooth daemon of that OS does crash when the bug is triggered. The vulnerability has been assigned CVE-2020-0022 and has already been patched according to Google’s February Android Security Bulletin.

Ruge has published on the blog of security company ERNW, for the time being without divulging many details or a proof-of-concept. He wants to wait until a large number of users have updated their smartphones or applied a workaround. Users who have not yet received a security update for Android are advised to only turn on Bluetooth when absolutely necessary and to keep their devices non-discoverable via Bluetooth.
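For administrators who need to decide which devices still need the workaround, the following script (an added example, not code from the article, ERNW or Google) maps the facts above onto the two build properties an Android device reports: Android 8.0, 8.1 and 9 are treated as exposed to code execution, Android 10 as exposed to a daemon crash, and anything else as not covered by the article. It assumes the fix ships with security patch level 2020-02-01 or later, the level of the February 2020 bulletin.

```shell
#!/bin/sh
# Added example: triage a device against CVE-2020-0022 from its Android release
# and security patch level. Assumption: the fix is in patch level 2020-02-01+.

# Prints one of: patched, vulnerable-rce, vulnerable-dos, not-listed, unknown-patch-level
cve_2020_0022_status() {
    release="$1"   # value of ro.build.version.release, e.g. "8.1.0"
    patch="$2"     # value of ro.build.version.security_patch, e.g. "2019-12-05"
    major="${release%%.*}"

    # Patch levels are YYYY-MM-DD; strip the dashes and compare as an integer.
    pnum=$(printf '%s' "$patch" | tr -d '-')
    case "$pnum" in
        ''|*[!0-9]*) echo unknown-patch-level; return 0 ;;
    esac

    case "$major" in
        8|9)   # critical: remote code execution in the Bluetooth daemon
            if [ "$pnum" -ge 20200201 ]; then echo patched; else echo vulnerable-rce; fi ;;
        10)    # Android 10: the Bluetooth daemon only crashes
            if [ "$pnum" -ge 20200201 ]; then echo patched; else echo vulnerable-dos; fi ;;
        *)     # the article only covers Android 8.0, 8.1, 9 and 10
            echo not-listed ;;
    esac
}

# Query a USB-connected device with adb (real property names; adb must be installed).
check_connected_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    spl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s -> %s\n' "$rel" "$spl" "$(cve_2020_0022_status "$rel" "$spl")"
}

# Constructed sample inventory (not real devices): one "release patch-level" per line.
while read -r rel spl; do
    printf '%-6s %-10s %s\n' "$rel" "$spl" "$(cve_2020_0022_status "$rel" "$spl")"
done <<'EOF'
8.1.0 2019-12-05
9 2020-02-05
10 2020-01-01
7.1.2 2019-10-05
EOF
```

Devices reported as vulnerable-rce are the ones where the Bluetooth-off and non-discoverable workaround matters most until the February update arrives.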
