Google has issued a collection of security updates to its Android mobile OS including patching a critically severe Bluetooth hijacking vulnerability that was first flagged to the developer in November last year.
The flaw, dubbed CVE-2020-0022, could have allowed an attacker, within range of Bluetooth signal, to execute arbitrary code with privileges of the Bluetooth daemon so long as Bluetooth is enabled on a vulnerable device.
This form of attack could have been executed by knowing just the Bluetooth MAC address of the target device, which could have, for some devices, been derived from the Wi-Fi MAC address, according to researchers with security firm ERNW.
The flaw, which was first flagged on 3 November 2019, affects older versions of Android, although it’s not exploitable for technical reasons on Android 10, and results instead in a crash of the Bluetooth daemon.
“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled,” the ERNW researchers said.
“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”
RELATED RESOURCE
Report: The State of Software Security
This annual report explores important trends in software security
The collection of security updates also includes two dozen further patches for Android bugs ranging in severity from moderate to critical, although the vast majority of flaws are rated as being ‘highly’ severe.
There are several elevation of privilege bugs in the batch, as well as a moderate denial of service bug and a critically-rated information disclosure vulnerability.
Users have been advised to update their devices as soon as possible to receive the latest security updates, although there are a handful of mitigations users can employ.
The researchers who initially discovered the bug have urged all Android users to enable Bluetooth if only strictly necessary, and to keep their devices non-discoverable.
They have pledged to release the technical report on the vulnerability, as well as the proof of concept code, one they’re confident that patches have reached end users.
While Bluetooth vulnerabilities in mobile phones are unusual, researchers found a flaw in Google’s Titan security keys last year that could allow attackers to bypass encryption and hijack user accounts.
Discovered in May 2019, the flaw involved a misconfigured Bluetooth pairing protocol with the FIDO key, with non-Bluetooth devices unaffected.
In August, meanwhile, researchers discovered a flaw in Bluetooth authentication protocols that allowed hackers to listen in on conversations held over Bluetooth devices, or even change the contents of file transfers.
The attack, dubbed Key Negotiation of Bluetooth (KNOB), worked by forcing participants in a Bluetooth handshake to use an encryption key with just one byte of entropy, allowing an attacker to brute-force the key.
-
Global IT spending set to hit a 30-year high by end of 2025News Spending on hardware, software and IT services is growing faster than it has since 1996
-
Microsoft Teams is getting a feature that lets bosses snoop on staffNews A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
