Android users are urged to apply the latest security patches released for the operating system on Monday that address a critical vulnerability in the Bluetooth subsystem.
An attacker could leverage the security flaw, now identified as CVE-2020-0022 without user participation to run arbitrary code on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active.
Discovered and reported by Jan Ruge at the Technische Universität Darmstadt, Secure Mobile Networking Lab, the bug is considered critical on Android Oreo (8.0 and 8.1) and Pie (9) because exploiting it leads to code execution.
According to Ruge, attackers could use this security fault to spread malware from one vulnerable device to another, like a worm. However, the transmission is limited to the short distance covered by Bluetooth.
The Android security bulletin notes that CVE-2020-0022 “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.”
The only prerequisite for taking advantage of the issue is knowing the Bluetooth MAC address. This is not difficult to find, though.
“For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,” says the researcher on the the blog site of German IT security consultant ERNW.
On Android 10, the severity rating drops to moderate since it all it does is crash the Bluetooth daemon, the researcher says. Android versions earlier than 8.0 may also be affected but the impact on them has not been assessed.
Technical details, PoC to be published
The severity of the issue is what keeps the researcher from disclosing technical details and proof of concept (PoC) code demonstrating the findings.
Despite a patch being available, OEM vendors and mobile carriers also have to push it to user terminals. For devices still under support, it can take weeks until the update rolls out.
If a patch does not become available, Ruge recommends enabling Bluetooth only “if strictly necessary.” If you need to activate it, consider keeping the device non-discoverable, a feature that hides it from other gadgets looking for a pair.
Ruge says that a technical report will be available for this vulnerability “as soon as we are confident that patches have reached the end users.”