Android Phones Open to Attack Via Bluetooth Bug

A Bluetooth bug leaves Android 8 Oreo and Android 9 Pie phones open to attack. Google today released an update that patches the vulnerability.

Bluetooth Vulnerability Discovery

The vulnerability with Bluetooth running on Android 8 and 9 phones was discovered by a German security firm, ERNW. The ERNW security researchers identified the problem some three months ago and reported it to Google.

Google has been working on a fix since then, and only today released the update that patches the vulnerability.

The Bluetooth Vulnerability Explained

The Bluetooth bug discovered by ERNW security researchers could let attackers silently install malware on nearby Android phones. It could also allow attackers to steal personal data from such phones without the owner being aware of the attack.

“…a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required…” explained the security researchers.

Attackers would, however, need to know the phone’s Bluetooth MAC address to be able to exploit the bug. The manufacturer assigns the phone’s Bluetooth MAC address and it is not easily accessible. Unfortunately, however, on some phones the Bluetooth MAC address can be easily deduced from the WiFi MAC address.

The other limitation of this vulnerability is that attackers would need to be near a phone affected by the bug and the phone must have Bluetooth enabled.

Android Phones Affected

In addition to Android 8 and 9 phones, the Bluetooth bug also affects Android 10 phones. However, attackers cannot use the bug for remote code execution on these phones. Attempting to run code remotely on Android 10 phones just causes Bluetooth to crash.

It is not known if the bug affects earlier versions of Android phones as ERNW did not test these.

The bug does not affect phones that don’t have Bluetooth enabled.

What to Do

Users running Bluetooth on Android 8, 9 and 10, or on earlier versions, are advised to install the latest patch provided by Google today.

Users with phones for which Google has not yet provided an update, or whose phones are no longer supported, are advised to either disable Bluetooth on their phone or make the phone non-discoverable.

Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.