This post was originally published on February 18, 2020.
Researchers at the Secure Mobile Networking Lab at Technische Universität Darmstadt recently discovered CVE-2020-0022, a bug in the Bluetooth code of Android devices running Oreo (8.0 and 8.1) and Pie (9.0).
Malicious attackers operating within the Bluetooth range of your device can exploit the flaw to execute code without your approval or knowledge.
German IT security company ERNW, which first reported the findings to Google a few months ago, says “only the Bluetooth MAC address of the target devices has to be known [for a successful intrusion].”
It adds that “for some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware.”
The severity of the situation is deemed to be “high” by Android, which rolled out patches to fix the problem in a security update earlier this month.
CVE-2020-0022 can also impact devices running Android 10, but the severity isn’t as high. In those devices, the most it can do is crash the Bluetooth component and cause it to malfunction. However, there’s no threat of malware creeping in.
Older Android versions, running on devices that don’t support the latest OS, may also be affected. ERNW says it hasn’t explored the potential impact. The unfortunate news is that if you do have an older Android device, you might have to permanently disable Bluetooth or buy a new phone.
How can I avoid the CVE-2020-0022 Android Bluetooth bug?
As always, keep your devices updated at all times. Don’t just ignore the software update because it’s inconvenient or you’re strapped for time. It’s shipped for a reason: to keep you protected and out of harm’s way.
Android has pushed the latest security update, which means its own brand of Pixel and Android One phones are covered. But other device manufacturers, such as Samsung and Huawei, have yet to release a fix, which means some handsets might still be vulnerable.
If you’re still waiting for a security update, then turn Bluetooth off immediately. The newer Android versions come with Bluetooth enabled by default, so make sure to double-check.
We understand it’s annoying not to be able to use your sleek Bluetooth headsets during the morning commute or at the gym, but the security risks are too high to ignore. Only use Bluetooth when absolutely necessary, lest your phone fall prey to hackers.
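The two checks the advice above boils down to (is the phone's security patch level recent enough, and is Bluetooth currently switched on) can be read off a connected handset with adb. The script below is an added example, not part of the original post and not ExpressVPN's or ERNW's code; the property name `ro.build.version.security_patch` and the global setting `bluetooth_on` are real Android values, while the required patch level is an assumption the caller supplies from their vendor's security bulletin, and the dates used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): read a connected Android
# device's security patch level and Bluetooth state over adb and report
# whether the phone still needs Bluetooth kept off. The required patch
# level is an assumption passed in by the caller.

# Turn an Android patch level "YYYY-MM-DD" into the integer YYYYMMDD so
# that two levels can be compared numerically.
patch_level_to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# Succeeds (exit 0) when device_level is on or after required_level.
# An empty or malformed property value is treated as unpatched.
patch_level_ok() {
    device_level="$1"
    required_level="$2"
    dev=$(patch_level_to_int "$device_level")
    req=$(patch_level_to_int "$required_level")
    case "$dev" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$dev" -ge "$req" ]
}

# Succeeds when the 'bluetooth_on' global setting reports Bluetooth enabled
# (adb shell settings get global bluetooth_on prints 1 or 0).
bluetooth_enabled() {
    [ "$1" = "1" ]
}

# Combine both readings into a single verdict string.
# Constructed sample: assess 2019-12-01 2020-02-01 1 -> unpatched-bluetooth-on
assess() {
    device_level="$1"
    required_level="$2"
    bt_setting="$3"
    if patch_level_ok "$device_level" "$required_level"; then
        echo "patched"
    elif bluetooth_enabled "$bt_setting"; then
        echo "unpatched-bluetooth-on"
    else
        echo "unpatched-bluetooth-off"
    fi
}

# Query a live device. Usage: check_device YYYY-MM-DD (required patch level).
check_device() {
    required_level="${1:?usage: check_device YYYY-MM-DD}"
    # adb output carries a trailing CR on some hosts; strip it.
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    bt=$(adb shell settings get global bluetooth_on | tr -d '\r')
    echo "security patch level: ${level:-unknown}, bluetooth_on: ${bt:-unknown}"
    assess "$level" "$required_level" "$bt"
}

# Only touch a device when adb is installed and a patch level was given.
if command -v adb >/dev/null 2>&1 && [ $# -ge 1 ]; then
    check_device "$1"
fi
```

Run it as `sh check_bt.sh 2020-02-01` (substituting the patch level named in your vendor's bulletin) with USB debugging enabled on the phone. A verdict of `unpatched-bluetooth-on` is the state the post warns about: no fix installed and the radio listening. The comparison is purely on the patch-level date, so a vendor that backports the fix without bumping that date will still show as unpatched; treat the script as a conservative check, not as proof of vulnerability.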