Security researchers ERNW identity critical vulnerability affecting the Android Bluetooth subsystem, which it is calling ‘BlueFrag’
Android users are being warned of a critical security flaw with Bluetooth that has the potential for malware infection and data theft.
By exploiting the ‘BlueFrag’ flaw, attackers can deliver malware to and steal data from nearby phones running Android 8 Oreo or Android 9 Pie, security researchers from ERNW have stated.
Flaws with Bluetooth are not uncommon. In 2017 researchers at Armis identified a Bluetooth vulnerability it called ‘Blueborne’. That attack disguised itself as a Bluetooth device and exploited a weaknesses in the protocol to deploy malicious code.
The ERNW researchers said they had “reported a critical vulnerability affecting the Android Bluetooth subsystem.”
The good news is that this vulnerability has been assigned CVE-2020-0022 and has now patched in the latest security patch from February 2020.
Essentially, the flaw affects Android 8.0 to 9.0, and it means that a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled.
“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known,” warned the researchers. “For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware.”
They said the BlueFrag flaw is not exploitable for technical reasons on Android 10.
“Users are strongly advised to install the latest available security patch from February 2020,” said the researchers.
They said if people’s devices are no longer support, they can try and mitigate the risks by only enabling Bluetooth if strictly necessary.
And whilst a patch has been issued for users to protect themselves, this security update may not be compatible with older phones, leaving some without protection from hackers.
Also people are advised to keep their device non-discoverable, if they can.
The problem with patching subsystems on older devices has been noted by some security experts.
“Vendors do a serious amount of work to protect their users from the latest vulnerabilities, but sadly mobile devices tend to come with a shelf life, and so are only patched for so long before they become extinct devices,” noted Jake Moore, cybersecurity specialist at ESET.
“There’s a common belief that devices should be protected for longer- but as hardware develops, older parts in devices become legacy quickly, and then it becomes more difficult to pump out patches,” said Moore. “Android has a vast number of operating systems on a multitude of devices at once, which makes it very difficult to update compared to the Apple ecosystem.”
“However, just like with Windows 7, everything has an end of life date, and so with the fast-paced world of cyber security, we need to help users understand these risks and take the necessary precautions,” he warned. “If that means that a newer device is required, then unfortunately this is what it takes. It is far cheaper in the long run to update a device than have your device hacked criminally.”
Do you know all about security? Try our quiz!