Critical ‘BlueFrag’ Bluetooth Vulnerability In Older Android OS

Android users are being warned of a critical security flaw with Bluetooth that has the potential for malware infection and data theft.

By exploiting the ‘BlueFrag’ flaw, attackers can deliver malware to and steal data from nearby phones running Android 8 Oreo or Android 9 Pie, security researchers from ERNW have stated.

Flaws with Bluetooth are not uncommon. In 2017 researchers at Armis identified a Bluetooth vulnerability it called ‘Blueborne’. That attack disguised itself as a Bluetooth device and exploited a weaknesses in the protocol to deploy malicious code.

BlueFrag flaw

The ERNW researchers said they had “reported a critical vulnerability affecting the Android Bluetooth subsystem.”

The good news is that this vulnerability has been assigned CVE-2020-0022 and has now patched in the latest security patch from February 2020.

Essentially, the flaw affects Android 8.0 to 9.0, and it means that a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled.

“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known,” warned the researchers. “For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware.”

They said the BlueFrag flaw is not exploitable for technical reasons on Android 10.

“Users are strongly advised to install the latest available security patch from February 2020,” said the researchers.

They said if people’s devices are no longer support, they can try and mitigate the risks by only enabling Bluetooth if strictly necessary.

And whilst a patch has been issued for users to protect themselves, this security update may not be compatible with older phones, leaving some without protection from hackers.

Older devices

Also people are advised to keep their device non-discoverable, if they can.

The problem with patching subsystems on older devices has been noted by some security experts.

“Vendors do a serious amount of work to protect their users from the latest vulnerabilities, but sadly mobile devices tend to come with a shelf life, and so are only patched for so long before they become extinct devices,” noted Jake Moore, cybersecurity specialist at ESET.

“There’s a common belief that devices should be protected for longer- but as hardware develops, older parts in devices become legacy quickly, and then it becomes more difficult to pump out patches,” said Moore. “Android has a vast number of operating systems on a multitude of devices at once, which makes it very difficult to update compared to the Apple ecosystem.”

“However, just like with Windows 7, everything has an end of life date, and so with the fast-paced world of cyber security, we need to help users understand these risks and take the necessary precautions,” he warned. “If that means that a newer device is required, then unfortunately this is what it takes. It is far cheaper in the long run to update a device than have your device hacked criminally.”

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Microsoft Executive Indicates Departmental Hiring Slowdown

Amid concern at the state of the global economy, a senior Microsoft executive tells staff…

1 day ago

Shareholders Sue Twitter, Elon Musk For Stock ‘Manipulation’

Disgruntled shareholders are now suing both Twitter and Elon Musk, over volatile share price swings…

1 day ago

Google Faces Second UK Probe Over Ad Practices

UK's competition watchdog launches second investigation of Google's ad tech practices, and whether it may…

1 day ago

Elon Musk Raises His Contribution To Twitter Acquisition

But one of Elon Musk's biggest backers on the Twitter board has tendered his resignation…

2 days ago

Broadcom Confirms VMware Acquisition For $61 Billion

Entry into cloud infrastructure software for US chip firm Broadcom after it confirms reports it…

2 days ago