Google has fixed a widely reported critical vulnerability in the Android Bluetooth subsystem. The bug, tracked as CVE-2020-0022, was discovered in November 2019, and three months later Google has patched it in its security patch from February 2020.
German cyber-security firm ERNW discovered the bug and reported it to Google. After months of dedication, the issue is finally resolved.
The Security Impact of the Bug
According to ERNW, CVE-2020-0022 lets an attacker within a certain proximity execute arbitrary code with the privileges of the Bluetooth daemon, as long as Bluetooth is enabled. No user interaction is required; only the Bluetooth MAC address of the target device has to be known. On some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. CVE-2020-0022 leaves Android devices open to data theft and could be used to spread malware (a short-distance worm).
Devices running Android 8.0 to 9.0 are the ones typically affected by the bug. However, devices running versions older than 8.0 are also at risk. Devices with Android 10 won't face serious issues from the bug: it might only result in a crash of the Bluetooth daemon.
How to Avoid CVE-2020-0022?
The best way to avoid CVE-2020-0022 is to install the latest available security patch for your Android device. It is listed in the Android Security Bulletin. If your device no longer receives patches, or no patch is available for it yet, you can lessen the impact by following some generic behavior rules. The first is to enable Bluetooth only when it's strictly necessary. Remember that Bluetooth headphones also support wired analog audio.
The second is to keep your device non-discoverable. Most devices are discoverable only while the Bluetooth scanning menu is open, although some older devices are discoverable permanently.
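The patch check described above can be scripted. The following is an added example, not code from ERNW or Google: it classifies a device from its Android release and security patch level, using the version ranges given in this article. It assumes the February 2020 fix corresponds to the patch level string 2020-02-01 and reads the properties ro.build.version.release and ro.build.version.security_patch over adb; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify exposure to CVE-2020-0022 from two Android properties.
# Assumption: the February 2020 fix corresponds to patch level 2020-02-01.
FIXED_LEVEL=20200201

# classify RELEASE PATCH_LEVEL -> patched | at-risk | crash-only | unknown
classify() {
    release=$1
    patch=$2
    # Patch levels are YYYY-MM-DD; refuse anything else rather than guess.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$(echo "$patch" | tr -d '-')" -ge "$FIXED_LEVEL" ]; then
        echo patched; return 0
    fi
    major=${release%%.*}            # "8.1.0" -> "8", "10" -> "10"
    case "$major" in
        ''|*[!0-9]*) echo unknown ;;
        *)  # Article: Android 10 only crashes the daemon; 9 and older are at risk.
            if [ "$major" -ge 10 ]; then echo crash-only; else echo at-risk; fi ;;
    esac
}

# audit_device SERIAL: query a connected device over adb (needs USB debugging).
audit_device() {
    rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "$1 android=$rel patch=$lvl status=$(classify "$rel" "$lvl")"
}

# Constructed sample inventory (name, release, patch level); runs offline.
report() {
    while read -r name rel lvl; do
        echo "$name android=$rel patch=$lvl status=$(classify "$rel" "$lvl")"
    done <<EOF
phone-a 9 2020-01-05
phone-b 8.1.0 2020-02-01
tablet-c 10 2019-12-01
kiosk-d 7.1.2 2018-06-01
EOF
}
report
```

Devices reported as at-risk or unknown are the ones to which the Bluetooth rules above apply until a patch can be installed.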
ERNW has announced that it will publish a technical report on the bug, including proof-of-concept code and a description of the exploit.