Google fixes critical vulnerability affecting Android Bluetooth subsystem

Bluetooth Android security flaw has been labelled ‘critical’ on both Android 8 and 9

Google has fixed a critical security flaw in Android's Bluetooth subsystem, which could enable attackers to "execute arbitrary code with the privileges of the Bluetooth daemon".

Tracked as CVE-2020-0022, this remote code execution vulnerability is considered critical on Android 8 and 9, where it can lead to code execution and theft of personal data.

It could also enable attackers to spread worms from one vulnerable device to another within Bluetooth range, according to the researchers from German cyber security firm ERNW, who discovered the flaw and reported it to Google in November last year.

To exploit the vulnerability, attackers don't need any user interaction. All they require is that the targeted device has Bluetooth enabled. Attackers also need to know the Bluetooth MAC address of the device, which, for some devices, can be easily deduced from the WiFi MAC address.

According to the researchers, the vulnerability is not exploitable on Android 10, where it only causes the Bluetooth daemon to crash. Older Android versions may also be affected by the bug, but the researchers are yet to assess the impact.

Users are advised to download and install the latest patches from the Android Security Bulletin for February 2020. Android users whose devices are no longer supported are advised to enable Bluetooth only when strictly required. If they need to activate Bluetooth, they should keep the device non-discoverable - a setting that hides the device from other gadgets looking to pair.
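For administrators applying this advice across many devices, the following added example (not code from Google or ERNW) triages a device inventory using only the version and patch statements above. It assumes the patch level is reported as a `YYYY-MM-DD` string and that the first February 2020 level is written `2020-02-01`; the function names and the inventory are constructed for illustration.

```python
from datetime import date

# Assumption: patch levels are "YYYY-MM-DD" strings and the first
# February 2020 level is written 2020-02-01 (not stated in the article).
FIXED_PATCH_LEVEL = date(2020, 2, 1)

def parse_patch_level(value):
    """Return the patch level as a date, or None when missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def triage(release, patch_level, bluetooth_on):
    """Classify one device for CVE-2020-0022 from the article's statements."""
    level = parse_patch_level(patch_level)
    if level is not None and level >= FIXED_PATCH_LEVEL:
        return "patched", []
    try:
        major = int(str(release).split(".")[0])
    except ValueError:
        return "unknown", ["identify the Android version"]
    if major in (8, 9):
        risk = "critical"      # remote code execution as the Bluetooth daemon
    elif major == 10:
        risk = "crash-only"    # daemon crash, reported as not exploitable
    elif major < 8:
        risk = "unassessed"    # impact not yet assessed by the researchers
    else:
        risk = "unknown"       # newer release with an old or unreadable level
    actions = ["install the February 2020 security update"]
    if bluetooth_on:
        actions.append("until patched: Bluetooth only when needed, non-discoverable")
    return risk, actions

# Constructed inventory: (name, Android release, patch level, Bluetooth on).
INVENTORY = [
    ("phone-a", "9", "2020-01-05", True),
    ("phone-b", "8.1.0", "2020-02-05", True),
    ("tablet-c", "10", "2019-12-01", False),
    ("phone-d", "7.1.2", "", True),
]

def report(inventory):
    """Map each device name to its (risk, actions) triage result."""
    return {name: triage(rel, lvl, bt) for name, rel, lvl, bt in inventory}

if __name__ == "__main__":
    for name, (risk, actions) in report(INVENTORY).items():
        print(f"{name}: {risk}; " + ("; ".join(actions) or "no action"))
```

A missing or malformed patch level is treated as unpatched, so devices that report nothing are not silently counted as safe.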

The researchers said they plan to release a detailed technical report describing the vulnerability, as well as proof-of-concept code, as soon as the patches have reached most end users.

Google's February 2020 set of security updates for the Android operating system also addressed 24 other vulnerabilities, including CVE-2020-0023, which only affects Android 10 and can lead to information disclosure.

Four vulnerabilities, rated high in severity, were patched in the System component of Android. Of them, three are elevation of privilege flaws (CVE-2020-0026, CVE-2020-0027 and CVE-2020-0005) affecting Android 8.0, 8.1, 9, and 10.

The fourth (CVE-2020-0028) is an information disclosure bug affecting Android 9.