Google Fixes No-User-Interaction Bug In Android's Bluetooth Component (zdnet.com)

An anonymous reader quotes a report from ZDNet: Google has patched this week a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms. Researchers said that exploiting the bug requires no user interaction. All that is required is that the user has Bluetooth enabled on his device. However, while this requirement would have limited the attack surface in past years, it does not today since modern Android OS versions ship with Bluetooth enabled by default and many Android users use Bluetooth-based headphones meaning the Bluetooth service is likely to be enabled on many handsets. The bug can lead to remote code execution and the hijacking of a device. Fixes for the bug are available via the Android February 2020 Security Bulletin, which has been available for download starting this week. Android 9 and earlier are impacted.
  • TFA says that the vulnerability can only be exploited when the device is scanning for new Bluetooth devices, not when it is merely connected to a Bluetooth device or simply has Bluetooth turned on.

    If that is the case then it's much, much less severe than the summary makes out.

    • by DRJlaw ( 946416 )

      None of the PC Mag, ENRW, or bulletin say that.

      ENRW says

      On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread

      • The linked article, and the CVE linked to in the article, claim that: It doesn't work on Android 10, is confirmed on 8 and 9, and suspected on older versions. Bluetooth must be enabled, AND the device must be set to be Discoverable. Most Android devices do not default to Discoverable, and only have that enabled when actively attempting to Pair a new device.
        • by DRJlaw ( 946416 )

          Bluetooth must be enabled, AND the device must be set to be Discoverable. Most Android devices do not default to Discoverable, and only have that enabled when actively attempting to Pair a new device.

          None of them say that. You're interpreting the mitigation:

          If you have no patch available yet or your device is not supported anymore, you can try to mitigate the impact by some generic behavior rules:

          Only enable Bluetooth if strictly necessary. Keep in mind that most Bluetooth enabled headphones also support w

          • the MAC can be determined in many devices even when not being broadcast by simply using the WiFi MAC

            It can be inferred (i.e. guessed), not determined, from the Wifi MAC, which would only be visible if both devices have wifi enabled. Personally I'm not concerned because I'm using version 10, and only turn on bluetooth if I'm driving.

            • by DRJlaw ( 946416 )

              It can be inferred (i.e. guessed), not determined, from the Wifi MAC

              Except that MACs identify manufacturers, and manufacturers assign MACs, and manufacturers that assign these MACs in sequence are known. But go ahead and be pedantic to salve your ego.

              which would only be visible if both devices have wifi enabled

              The odds sure are low on that one...

              Personally I'm not concerned because I'm using version 10, and only turn on bluetooth if I'm driving.

              10 is vulnerable to a DoS from this bug. I mean, if we're go

          • Those modes are not required, because the MAC can be determined in many devices even when not being broadcast by simply using the WiFi MAC.

            Note that in Android 10 the Wifi MAC is randomized by default, and completely unrelated to the hardware MAC. So on Android 10, you can't use the one to infer the other. Granted, only a very small percentage of users have Android 10 -- and the users with 10 are likely also getting security patches so they probably don't even have the bug any more.

      • by AmiMoJo ( 196126 )

        ZD Net says

        "Keep your device non-discoverable. Most devices are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently."

        • by DRJlaw ( 946416 )

          That's a mitigation that attempts to keep your bluetooth MAC obscure. It's not sufficient to make the device non-attackable, especially when the bluetooth MAC is simply the WiFi MAC +1, e.g.: 12:34:56:78:90:AB and 12:34:56:78:90:AC.

          The other mitigation is to turn your bluetooth module off except when necessary. Which would not be necessary if making the device non-discoverable was sufficient.
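As an added example that is not part of the thread: a small triage script a defender can run over `adb shell getprop` output to check whether a phone is on Android 9 or earlier with a patch level older than the February 2020 bulletin, and whether its Bluetooth MAC is the WiFi MAC + 1 pattern described above (in which case non-discoverable mode hides nothing). `ro.build.version.release` and `ro.build.version.security_patch` are standard Android build properties; the sample getprop output and MAC addresses are constructed.

```python
import re
from datetime import date

# Patch level that carries the fix, per the Android February 2020 Security
# Bulletin cited in the story.
FIX_PATCH_LEVEL = date(2020, 2, 1)

def parse_getprop(text):
    """Parse 'adb shell getprop' style lines ('[key]: [value]') into a dict."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]:\s*\[(.*)\]\s*$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def parse_patch_level(value):
    """'2019-12-05' -> date(2019, 12, 5); the ro.build.version.security_patch format."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def macs_adjacent(wifi_mac, bt_mac):
    """True when the Bluetooth MAC is exactly the WiFi MAC + 1, the pattern the
    comment above describes; then keeping the radio non-discoverable hides nothing."""
    return mac_to_int(bt_mac) - mac_to_int(wifi_mac) == 1

def assess(props, wifi_mac, bt_mac):
    """Triage dict: is the build patched, and does the story's 'Android 9 and
    earlier' RCE exposure apply to this device?"""
    major = int(props["ro.build.version.release"].split(".")[0])
    patch = parse_patch_level(props["ro.build.version.security_patch"])
    patched = patch >= FIX_PATCH_LEVEL
    return {
        "android_major": major,
        "patched": patched,
        "rce_exposed": (major <= 9) and not patched,
        "mac_adjacent": macs_adjacent(wifi_mac, bt_mac),
    }
# Constructed sample, not captured from a real phone: an Android 9 build on the
# December 2019 patch level, like the one a commenter mentions.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-12-01]
"""
if __name__ == "__main__":
    print(assess(parse_getprop(SAMPLE_GETPROP), "12:34:56:78:90:AB", "12:34:56:78:90:AC"))
```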

  • sometime in the next 2-3 years? never for most of them?

    • as most manufacturers have moved on and left their users with no way to update by themselves...

      • by Eric.pl ( 79488 )

        Most manufacturers... including Google: I own a Nexus 6. Not updated.

        • Well you have a 6 year old "disposable" device. It's no surprise your device isn't receiving updates. Why aren't you breaking your screen or just upgrading to the latest fashion accessory?

    • Funny, "google fixed it" but nearly 100% existing non-google androids will be forever remotely exploitable. This vuln was exploited in the wild in Spring 2019. My phone was hit by unknown persons May-2019, there was a bizarre bluetooth popup message associated when it happened. Bluetooth as yet another vector for Pegasus, the intelligence agency spyware from Israel (multiple known US customers). I was called delusional last summer, this disclosure is proof positive. unsigned int spooks=0x1deadfed;
    • 1-2 months usually. Most major manufacturers offer security updates quite frequently given how they have nothing to do with system version. My now 4 year old Galaxy S phone is on the December 2019 Patch Level despite not having received an OS update for 3 years.

      I suggest not parroting talking points from 5 years ago that affect only a subset of current devices from a few shitty vendors.

  • Yes, I use Bluetooth headphones. BUT, not all the time. Why do I want to leave something running that is not used? And I am in the habit of checking the status bar when I look at my phone, so it is obvious when they are active.
    • Why do I want to leave something running that is not used?

      Why not. It's not like they consume any power on a modern system. Maybe if you're a security conscious person sure, that's a good reason, but "why leave it running" has a simple counter: convenience of not having to turn it on and off.

      To say nothing of the automation possibilities: Automatically launching car service apps on detection of your car radio bluetooth, automatically turning off silent when you get home from work and detect your wifi network, etc.

      I mean sure some people buy TVs and don't use the r

  • Bluetooth has been around for years and programmers still can't get it right.
  • Does this mean an exploit may come along to allow someone, I'm not saying who, to disable Bluetooth boomboxes played at high volume in public spaces by those who wish to impose their music on others anywhere, anytime? A STFU app would be a beautiful thing.
