Google has rolled out a security update to address a critical flaw in Android's Bluetooth implementation that allows remote code execution without user interaction.
The vulnerability, tracked as CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0). For these devices, which between them account for almost two-thirds of Android devices in use, the flaw is rated critical by Google.
According to German IT security provider ERNW, which discovered the ‘wormable’ security hole and reported it to Google three months ago, the bug could be exploited to pilfer personal data or distribute malware. Attackers could "silently execute arbitrary code with the privileges of the Bluetooth daemon", said the company.
“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the Wi-Fi MAC address”. Obviously attackers also need to be within close proximity of the targeted device and the phone or tablet has to be in discoverable mode.
The bug is much less of a problem for Android 10, where it cannot be exploited and leads ‘only’ to a crash of the Bluetooth daemon. Android versions older than 8.0 were not tested.
ERNW stopped short of describing the bug in detail or sharing proof-of-concept code, as it waits for the fixes to reach end users.
Patch me if you can
If you own a Google-branded smartphone such as Pixel, you’re in luck. By contrast, patching may not be as fast as desired for many other Android device owners, who need to wait for their phone manufacturers or carriers to roll out the updates. Worse, many devices may no longer be supported.
Google, which included the fix in its latest assortment of monthly security updates for Android, said that it notified all Android device makers of the issue at least a month ago.
One way to lessen the risk is ensure that your phone is in non-discoverable mode when Bluetooth is on. Alternatively, enable Bluetooth only if necessary and remember to turn it off when not in use.