Google fixes no-user-interaction bug in Android's Bluetooth component

Fixes are available via the Android Security Bulletin for February 2020.
Written by Catalin Cimpanu, Contributor

Google this week patched a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms, experts said.

Fixes for the bug are available via the Android February 2020 Security Bulletin, which has been available for download starting this week.

The actual bug is tracked as CVE-2020-0022, and was discovered and reported to Google by experts from German cyber-security firm ERNW.

Can be used to create self-spreading Bluetooth worms

Researchers said that exploiting the bug requires no user interaction. All that is required is that the user has Bluetooth enabled on their device.

This requirement would have limited the attack surface in past years, but it does not today: modern Android OS versions ship with Bluetooth enabled by default, and many Android users use Bluetooth-based headphones, meaning the Bluetooth service is likely to be enabled on many handsets.

Proximity to a target is also required, but this is implied for any type of Bluetooth exploitation.

The ERNW researchers say the bug allows an attacker to "silently execute arbitrary code with the privileges of the Bluetooth daemon."

"No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address," they added.

"This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm)," the ERNW researchers said.

Bug works on Android 9 and earlier

The vulnerability was successfully tested on Android 8 and 9, but researchers believe older versions are also likely vulnerable.

CVE-2020-0022 doesn't work on Android 10, though, where it only causes a crash of the Bluetooth daemon.

The ERNW team said it plans to publish in-depth technical details about this bug later, but, in the meantime, they're giving Android users a warning and more time to install the February 2020 security updates.

If users can't update, for whatever reason, they can follow these simple rules to prevent attacks:

  • Only enable Bluetooth if strictly necessary.
  • Keep your device non-discoverable. Most devices are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.

The ERNW team also said they plan to publish proof-of-concept code to reproduce the bug, which will most likely be weaponized by some bad actors.
