Threat Intel Flash: Sisense Data Compromise: ARC Labs Intelligence Flash

Get the Latest


New Android Bluetooth Vulnerability Allows Silent Code Execution

Last November, the security company ERNW reported a critical vulnerability that affected Android’s implementation of Bluetooth. The vulnerability, dubbed “BlueFrag,” has been assigned CVE-2020-0022 and affects Android versions 8 and 9. Although Android 10 is technically affected, the exploit currently only results in the Bluetooth daemon crashing on Android 10. Android versions 7 and below may also be vulnerable but have not yet been thoroughly tested. BlueFrag is capable of remotely running code on vulnerable Android devices with a few caveats:

  • Bluetooth must be enabled
  • An attacker must be in range
  • An attacker must know the device’s Bluetooth MAC address

None of the above conditions are all that difficult for an attacker, however. Any time a Bluetooth capable device is in pairing mode or searching for a device to connect to, it is possible for anyone nearby to view the MAC address. Thankfully, Google has released the February 2020 security patch, which remediates this vulnerability and others.

Analyst Notes

All Android devices owners are strongly encouraged to open the software update from the settings menu and check for an update. Many devices will even display which security patch the device is currently at. For example, “December 1, 2019” is the December security patch for 2019. Unfortunately, many phone manufacturers and carriers do not issue updates for Android devices quickly after Google releases security patches. Some devices don’t receive any patches because the manufacturer no longer supports them. Even devices considered to be “flagship” aren’t guaranteed timely updates after patches are made available by Google. If a device is unable to be updated due to a patch not being available yet or is just unsupported, consider disabling Bluetooth when not at home to prevent remote exploitation.