LASER_oneXM

Android users are urged to apply the latest security patches released for the operating system on Monday that address a critical vulnerability in the Bluetooth subsystem.

An attacker could leverage the security flaw, now identified as CVE-2020-0022, without user participation to run arbitrary code on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active.

Short-distance worm

Discovered and reported by Jan Ruge at the Technische Universität Darmstadt, Secure Mobile Networking Lab, the bug is considered critical on Android Oreo (8.0 and 8.1) and Pie (9) because exploiting it leads to code execution.

According to Ruge, attackers could use this security fault to spread malware from one vulnerable device to another, like a worm. However, the transmission is limited to the short distance covered by Bluetooth.

The Android security bulletin notes that CVE-2020-0022 "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process."
...
...
On Android 10, the severity rating drops to moderate since all it does is crash the Bluetooth daemon, the researcher says. Android versions earlier than 8.0 may also be affected but the impact on them has not been assessed.
 

upnorth

Haven't even got the January patch yet. 🙄

Hopefully I'll get the Android 10 upgrade soon enough, at least this month as that's what my vendor officially announced. 🤞
  • Only enable Bluetooth if strictly necessary. Keep in mind that most Bluetooth enabled headphones also support wired analog audio.
  • Keep your device non-discoverable. Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.
Checked on the non-discoverable setting and nope don't have that. Then again, I don't have Bluetooth enabled 24/7. :coffee:
 

upnorth

Correct, but I have to trace that in the battery consumption feature. Right now Bluetooth is not even on the list. 🥳
 