Date: 2020-02-06

Google has fixed a critical security flaw in the Bluetooth component of Android this week. If it is not patched, the vulnerability could be exploited without any user interaction and could even be used to create self-spreading Bluetooth worms, experts said.

Fixes are included in the February 2020 security bulletin for Android, available for download this week.

The bug is tracked as CVE-2020-0022 and was discovered and reported to Google by experts from the German cyber security company ERNW.

Can be used to make self-spreading Bluetooth worms

Researchers said that exploiting the bug does not require user interaction. All that is required is that the user has enabled Bluetooth on their device.

Although this requirement would have limited the attack surface in past years, that is not the case today: modern Android OS versions come with Bluetooth as standard and many Android users use Bluetooth headphones, meaning that the Bluetooth service is likely to be switched on on many handsets.

Proximity to the target is also required, but that goes without saying for every type of Bluetooth operation.

The ERNW researchers say the bug allows an attacker to “quietly execute arbitrary code with the rights of the Bluetooth daemon.”

“No user interaction is required and only the Bluetooth MAC address of the target devices must be known. For some devices, the Bluetooth MAC address can be derived from the WiFi MAC address,” they added.

“This vulnerability can lead to the theft of personal data and could potentially be used to spread malware (Short-Distance Worm),” said the ERNW researchers.

Bug works on Android 9 and earlier

The vulnerability has been successfully tested on Android 8 and 9, but researchers think older versions are probably also vulnerable.

However, CVE-2020-0022 does not work on Android 10, where it only causes a crash of the Bluetooth daemon.

The ERNW team said it plans to publish in-depth technical details about this bug later, but in the meantime it is giving Android users a warning and more time to install the February 2020 security updates.

Users who are unable to update for whatever reason can follow these simple rules to prevent attacks:

Only switch on Bluetooth when it is strictly necessary.

Keep your device non-discoverable. Most devices are only discoverable while the Bluetooth scan menu is open. Nevertheless, some older phones may be permanently discoverable.

The ERNW team also said it plans to publish proof-of-concept code to reproduce the bug, which is likely to be weaponized by some bad actors.
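For administrators who need to find unpatched handsets, the following is an added example, not code from the article or from ERNW: a Python helper that reads `adb shell getprop` output and sorts devices by the exposure described above. It assumes that any security patch level dated February 2020 or later includes the fix; the device names and property dumps are constructed samples.

```python
import re

# Assumption: any security patch level dated February 2020 or later
# contains the fix from the February 2020 bulletin.
FIXED_SINCE = (2020, 2)
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")


def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def classify(props):
    """Return the CVE-2020-0022 exposure class for one device."""
    patch = props.get("ro.build.version.security_patch", "")
    release = props.get("ro.build.version.release", "")
    pm = re.match(r"^(\d{4})-(\d{2})-\d{2}$", patch)
    rm = re.match(r"^(\d+)", release)
    if not pm or not rm:
        return "unknown"         # missing or malformed properties
    if (int(pm.group(1)), int(pm.group(2))) >= FIXED_SINCE:
        return "patched"
    major = int(rm.group(1))
    if major <= 9:
        return "code-execution"  # tested on Android 8 and 9, older likely affected
    if major == 10:
        return "crash-only"      # Bluetooth daemon crash only, per the article
    return "unknown"             # versions the article does not cover


# Constructed sample dumps, not captured from real devices.
SAMPLES = {
    "phone-a": "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2019-12-05]\n",
    "phone-b": "[ro.build.version.release]: [8.1.0]\n[ro.build.version.security_patch]: [2020-02-05]\n",
    "phone-c": "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2020-01-01]\n",
    "phone-d": "[ro.build.version.release]: [9]\n",
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        print(name, classify(parse_getprop(dump)))
```

Devices reported as `code-execution` are the ones to update first or to keep with Bluetooth switched off until they can be updated.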