CATEGORIES
home News

New Android Bluetooth Flaw Allows Code Execution Without User Involvement, Patch Now

by Shane McGlaunFriday, February 07, 2020, 12:05 PM EDT
android logo
Android users need to apply the latest round of security updates to their devices as one of them is meant to address a critical vulnerability in the Bluetooth subsystem. The flaw is known as CVE-2020-0022, and when exploited, it could allow arbitrary code to be run on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active. A security update released on Monday addressed this flaw.

CVE-2020-0022 was discovered and reported by the Technische Universität Darmstadt, Secure Mobile Networking Lab, and is considered critical on Android Oreo 8.0 and 8.1 as well as Android Pie 9.0. Attackers could leverage CVE-2020-0022 to spread malware from one vulnerable device to another like a worm.

One caveat to the exploit is that it is limited to the short distances covered by Bluetooth. Taking advantage of the issue only requires that the attacker knows the Bluetooth MAC address for the device, which the researchers say isn’t hard to find. For some devices, the address can be deduced from the WiFi Mac address.

While the CVE-2020-0022 impacts Android 10, the severity rating is moderate because it doesn’t cause a crash in the Bluetooth daemon. Researchers do warn that the exploit may also impact Android versions before 8.0, but the severity hasn’t been assessed at this time. A proof-of-concept attack will be published later, along with the technical details. The researchers are not disclosing the findings at this time because of the severity of the issue.

The researchers note that while a patch is available, OEMs and mobile carriers have to push it to users, and it can take weeks for the update to roll out. They suggest enabling Bluetooth only when necessary until the fix is rolled out and to keep the device non-discoverable, which is a feature that hides it from other gadgets that want to pair.

In other Android news, the Android devices that are subsidized by the government for low income individuals have been found to be riddled with malware.

Tags:  Android, Google, security, Bluetooth, (nasdaq:goog)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment