Critical Android Bluetooth flaw CVE-2020-0022 could be exploited without user interaction

Google addressed a critical vulnerability in its Android OS that affects the Bluetooth subsystem and could be exploited without user interaction.

Google has addressed a critical flaw in Android OS that affects the Bluetooth subsystem and could be exploited without user interaction.

The vulnerability tracked as CVE-2020-0022 is a remote code execution flaw that could allow attackers to execute code on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active. The critical vulnerability impact Android Oreo (8.0 and 8.1) and Pie (9), while it is not exploitable on Android 10 for technical reasons and only trigger a DoS condition of the Bluetooth daemon.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.” reads the security bulletin published by Android.

The flaw was reported to Google by Jan Ruge from the Technische Universität Darmstadt, Secure Mobile Networking Lab.

The risk of exploitation of such kind of vulnerabilities is that they could be used to implement a ‘wormable‘ behavior in mobile malware that could rapidly spread from one infected device to another device that is in its proximity and reachable via Bluetooth.

The issue could be exploited only if the attacker knows the Bluetooth MAC address of the target, but this is quite easy to retrieve.

“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled.” the researcher wrote on a blog post on the site of IT security consultant ERNW. “No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”

To mitigate the flaw, Ruge recommends disabling Bluetooth and enable it only “if strictly necessary.” If you need to activate Bluetooth, it is recommended to set the device non-discoverable for pairing with other devices.

Android users should apply the latest security patches as soon as possible.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Android, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]