Critical Bluetooth vulnerability affects Android devices

A few days ago, Google released the Android security update for February 2020. In total, the company fixed 25 security vulnerabilities, including a critical Bluetooth flaw that, if exploited, would allow an attacker to execute code remotely, as noted by ethical hacking researchers.

The vulnerability, tracked as CVE-2020-0022, could be exploited by a nearby threat actor to silently run arbitrary code with the privileges of the Bluetooth daemon. Exploitation requires no user interaction, although it should be noted that the attacker must know the victim's Bluetooth MAC address and Bluetooth must be enabled on the device, which increases the complexity of the attack.

German researcher Jan Ruge reported the flaw to Google, explaining that an attacker could infer a potential victim's Bluetooth MAC address from the device's WiFi MAC address. In his report, the ethical hacking expert mentions that the vulnerability could lead to the theft of sensitive information as well as malware infections.

However, the highlight of the report is that, apparently, only Android 8.0 and 9.0 devices are exposed to this remote code execution flaw. On Android 10, exploiting this vulnerability could lead to a denial of service (DoS) condition. Some versions earlier than Android 8.0 may also be affected, although this has not been confirmed by testing.

The ethical hacking researcher mentioned that he tried to abuse the same flaw in BlueZ, the Bluetooth stack used on Linux systems, but the attack did not crash an Ubuntu system or cause any other anomalous behavior, so the scope of the attack can be considered, in practice, limited.

To mitigate the risk of exploitation, users of potentially exposed Android devices need only install the February 2020 security update. If your device has not yet received the update, we recommend:

  • Keep your device's Bluetooth turned off whenever you are not using it
  • When Bluetooth must stay on, turn off discoverability so the device is not visible to nearby scans
  • Ignore Bluetooth connection requests from unknown devices
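As an added example that is not part of the original article, the following shell function applies the article's version breakdown to a device's own properties: the security patch level (`ro.build.version.security_patch`) must be February 2020 or later to contain the fix, and otherwise the major release decides whether the exposure is remote code execution (8.0/9.0), denial of service (10), or unconfirmed (older). The property values are passed as arguments so the check runs offline; reading them through `adb shell getprop` (the `check_device` helper, a hypothetical name) is only needed against a real device.

```shell
#!/bin/sh
# Added example: classify a device's exposure to CVE-2020-0022 from two
# Android system properties. The values are passed in as arguments here
# (constructed test values) so the function runs without a device attached.
#
# Usage: bluefrag_exposure <ro.build.version.release> <ro.build.version.security_patch>
# Prints one of: patched, rce, dos, unconfirmed, unknown
bluefrag_exposure() {
    release="$1"
    patch="$2"
    # Security patch levels are ISO dates (YYYY-MM-DD). Strip the dashes and
    # compare numerically; anything at or after 2020-02-01 contains the fix.
    pnum=$(printf '%s' "$patch" | tr -d '-')
    case "$pnum" in
        ''|*[!0-9]*) pnum=0 ;;   # missing or malformed property: treat as unpatched
    esac
    if [ "$pnum" -ge 20200201 ]; then
        echo patched
        return 0
    fi
    # Major version is the part before the first dot (e.g. "8.1.0" -> 8).
    major="${release%%.*}"
    case "$major" in
        8|9)   echo rce ;;          # remote code execution per the article
        10)    echo dos ;;          # denial of service only on Android 10
        [1-7]) echo unconfirmed ;;  # may be affected, but untested
        *)     echo unknown ;;      # release not covered by the report
    esac
    return 0
}

# Hypothetical helper for a connected device (requires adb; not run offline).
check_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    pat=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s / %s -> %s\n' "$rel" "$pat" "$(bluefrag_exposure "$rel" "$pat")"
}
```

A device reporting "patched" has the fix regardless of release; any other result means the Bluetooth precautions above still apply.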