The latest Android security update includes a fix for a critical Bluetooth vulnerability that a nearby attacker could use to run arbitrary code on a vulnerable device.
The weakness affects several versions of Android, including 8.0, 8.1, and 9, but there are some mitigating factors for it. The most significant limitation to exploiting this vulnerability is that an attacker needs to know the Bluetooth MAC address for the target device, which is assigned by the manufacturer.
“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,” the advisory from German security firm ERNW, which discovered the flaw, says.
The Bluetooth bug (CVE-2020-0022) also affects Android 10, but there it can’t be used for remote code execution and will only cause a crash. The researchers said the flaw may also affect older versions of Android, but they have not tested it on versions below 8.
Although Google has pushed out a patch for the vulnerability, it may take some time for the majority of Android users to actually get it, thanks to the way that the Android update ecosystem works. Google releases the updates to all of the manufacturers that make Android devices, and those OEMs then test and tweak the updates for their devices. The manufacturers are then responsible for pushing the updates to the carriers, who in turn push them to individual users.
Some OEMs and carriers are faster at this process than others, and Google pushes the new patches directly to its house-made Pixel devices as soon as they’re available. Because of the way this process works, there is often a broad range of patch levels across the Android ecosystem, with some devices completely up to date and others several months behind. The researchers at ERNW have not released the full technical details of the Bluetooth vulnerability yet in order to limit the possibility of exploitation.
“Users are strongly advised to install the latest available security patch from February 2020. If you have no patch available yet or your device is not supported anymore, you can try to mitigate the impact by some generic behavior rules,” the advisory says.
People who don’t have the February update available for their devices yet can protect themselves by either disabling Bluetooth altogether or making their devices non-discoverable.