Bluetooth Vulnerability Discovery
The vulnerability with Bluetooth running on Android 8 and 9 phones was discovered by a German security firm, ERNW. The ERNW security researchers identified the problem some three months ago and reported it to Google. Since then Google has been working on solving the issue. Only today the tech giant brought out an update that patches the vulnerability.
The Bluetooth Vulnerability Explained
The Bluetooth bug discovered by ERNW security researchers could let attackers silently install malware on nearby Android phones. It could also allow attackers to steal personal data form such phones without the owner being aware of the attack. “…a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required…” explained the security researchers. Attackers would, however, need to know the phone’s Bluetooth MAC address to be able to exploit the bug. The manufacturer assigns the phone’s Bluetooth MAC address and it is not easily accessible. Unfortunately, however, on some phones the Bluetooth MAC address can be easily deduced from the WiFi MAC address. The other limitation of this vulnerability is that attackers would need to be near a phone affected by the bug and the phone must have Bluetooth enabled.
Android Phones Affected
In addition to Android 8 and 9 phones, the Bluetooth bug also affects Android 10 phones. However, attackers cannot use the bug for remote code execution on these phones. Attempting to run code remotely on Android 10 phones just causes Bluetooth to crash. It is not known if the bug affects earlier versions of Android phones as ERNW did not test these. The bug does not affect phones that don’t have Bluetooth enabled.
What to Do
Users running Bluetooth on Android 8, 9 and 10, or on earlier versions, are advised to install the latest patch provided by Google today. Users with phones for which Google has not yet provided an update, or whose phones are no longer supported, are advised to either disable Bluetooth on their phone or make the phone non-discoverable.