Restricting Bluetooth use on Android devices without a current patch level may protect against attacks that exploit a critical security hole.
The discoverers of a current, critical security hole in the Android operating system have published details of possible attacks. For temporary protection on vulnerable devices, they recommend restricting Bluetooth use as much as possible. Doing so can prevent remote code execution (RCE), the theft of personal data and denial-of-service attacks by attackers within Bluetooth range.
The vulnerability, identified as CVE-2020-0022, is one of two critical security vulnerabilities that became known as part of the Android patch day last Wednesday. Google has released updates for the operating system which, among other things, fix CVE-2020-0022. Systems with the patch level 2020-02-01 or 2020-02-05 (can be viewed under System -> Extended -> System Update) are up to date and therefore protected against attacks.
Further details on all published patches can be found in Google’s Android Security Bulletin.
Code execution only possible with active Bluetooth
Android devices running operating system versions 8.0 up to and including 9.0, whose manufacturers have not (yet) distributed security updates (based on Google’s current patches), are generally vulnerable to CVE-2020-0022. A successful attack opens up opportunities for RCE and data theft on them. On Android 10 devices, the security hole can only be used to crash the Bluetooth service.
User interaction is not necessary for the attack. According to a description of CVE-2020-0022 by the company ERNW, an attacker only needs to know the Bluetooth MAC address of the device within range, which can often be derived from the WiFi MAC address.
Avoid using Bluetooth if possible
It is clear from ERNW’s description that an attack is generally only possible while Bluetooth is activated. The likelihood of an attack can therefore be reduced significantly by using Bluetooth carefully (especially in public places) or by not using it at all. ERNW also points out the danger that the use of Bluetooth-based headphones poses in this context.
According to its own information, ERNW intends to publish proof-of-concept code for CVE-2020-0022 only once devices (at least the current, still supported ones) have received the necessary security updates. There are currently no indications of attacks in the wild.
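The triage the article describes (patch level, then Android version, then Bluetooth state) can be scripted; the following is an added example, not code from the article or from ERNW. It assumes a device attached via adb for the optional `--adb` mode, and it assumes patch levels are cumulative, so any level at or after 2020-02-01 is treated as fixed.

```shell
#!/bin/sh
# Added example: triage an Android device for CVE-2020-0022 exposure.
FIXED_LEVEL=20200201   # 2020-02-01, earliest level the article lists as protected

# classify_exposure RELEASE PATCH_LEVEL
#   RELEASE      ro.build.version.release, e.g. "8.1.0", "9", "10"
#   PATCH_LEVEL  ro.build.version.security_patch, e.g. "2020-01-05"
# Prints one of: patched | rce | dos | unknown
classify_exposure() {
    case $2 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;      # missing or malformed patch level
    esac
    # Assumption: patch levels are cumulative, so later levels include the fix.
    if [ "$(printf '%s' "$2" | sed 's/-//g')" -ge "$FIXED_LEVEL" ]; then
        echo patched
        return 0
    fi
    case ${1%%.*} in
        8|9) echo rce ;;       # 8.0 up to and including 9.0: RCE, data theft
        10)  echo dos ;;       # Android 10: Bluetooth service crash only
        *)   echo unknown ;;   # the article makes no statement on other versions
    esac
}

# audit_device: read the values from a device attached via adb.
audit_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    bt=$(adb shell settings get global bluetooth_on | tr -d '\r')
    verdict=$(classify_exposure "$release" "$patch")
    echo "Android $release, patch level $patch: $verdict"
    if [ "$verdict" = rce ] || [ "$verdict" = dos ]; then
        if [ "$bt" = 1 ]; then
            echo "Bluetooth is enabled; switch it off until the update is installed."
        fi
    fi
}

# Only touch adb when asked to, so the classifier can be reused on inventory data.
if [ "${1:-}" = "--adb" ]; then
    audit_device
fi
```

Run with `--adb` to query a connected device, or call `classify_exposure` directly on version and patch-level pairs exported from a device inventory.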