German IT security provider ERNW reported a critical Bluetooth bug that could leave Android users exposed to personal data exploitation and malware infection. The report came over 3 months ago and prompted Google to act on the vulnerability.
The Bluetooth-related flaw, tracked as CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0). For these devices, which between them account for almost two-thirds of Android devices in use, the flaw is rated critical by Google.
Like some of the biggest Android security threats, the bug could, if left unpatched, allow attackers to run malicious code with no user interaction.
When asked to comment on the bug, the German security experts said that attackers could “silently execute arbitrary code with the privileges of the Bluetooth daemon”.
“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the Wi-Fi MAC address”. Obviously, attackers also need to be in close proximity to the targeted device, and the phone or tablet has to be in discoverable mode.
According to WeLiveSecurity.com, there’s a patch now in place for users of Google-made devices:
If you own a Google-branded smartphone such as Pixel, you’re in luck. By contrast, patching may not be as fast as desired for many other Android device owners, who need to wait for their phone manufacturers or carriers to roll out the updates. Worse, many devices may no longer be supported.
Google, which included the fix in its latest assortment of monthly security updates for Android, said that it notified all Android device makers of the issue at least a month ago.
One way to lessen the risk is to ensure that your phone is in non-discoverable mode when Bluetooth is on. Alternatively, enable Bluetooth only when necessary and remember to turn it off when not in use.