Android owners – you'll want to get these latest security patches, especially for this nasty Bluetooth hijack flaw

Google has posted the February security updates for Android, including for a potentially serious remote code execution flaw in Bluetooth. Designated CVE-2020-0022, the flaw was discovered and reported by researchers with German company ERNW who say a fix has been in the works since November. "On Android 8.0 to 9.0, a remote …

  1. No Quarter
    FAIL

    Who would not do this?

    "make sure their devices are not in discovery mode in public"

    Surely nobody leaves their Bluetooth open like that?

    1. Kevin Johnston

      Re: Who would not do this?

      I think someone forgot to use the Joke icon or /sarcasm tags

      1. Snake Silver badge

        Re:A joke?

        I agree: surely you jest. It is always fun to stand in a public location - public transport especially - and turn on my Bluetooth to witness the sometimes dozens of discovery pings.

        I have always wondered if I'm the only person in this city who *does* turn off their Bluetooth when not in use...

        :bounces happily: I want to know the hijack and await a fun-filled app to practice it on the move!

        1. GnuTzu
          Thumb Up

          Re: Re:A joke?

          You're not alone. But, I'd like to see a decent survey of how many actually selectively turn their Bluetooth off. Here's a proposed survey:

          Q: How much time do you leave your Bluetooth off?

          1. Oh, do I need to see a dentist?

          2. I just leave everything at the default settings.

          3. I put the phone in airplane mode when I'm not expecting calls.

          4. I only turn it on when I need to make a call.

          5. I refuse to use it altogether.

          6. I rooted the phone and ripped out the drivers so that some malware can enable it against my will.

          My answer is 4.

          1. DCdave
            Boffin

            Re: Re:A joke?

            7. I have automation in place to switch Bluetooth off overnight, but the rest of the time it's on so as to connect with my smartwatch, headphones, car head unit, home receiver etc. without me having to mess about with settings. That's OK, though, because they're already paired and the phone is never in discovery mode.

        2. Anonymous Coward
          Anonymous Coward

          Re: Re:A joke?

          AFAIK most android devices default to only discovery available when first turned on/bluetooth turned on or when selecting "discovery on for *60 seconds*"? Or is it just my handset made with idiot proof gloves?

    2. Khaptain Silver badge

      Re: Who would not do this?

      "Surely nobody leaves their Bluetooth open like that?"

      Not for any longer than 60 seconds they don't. (Unless there is a hidden option to increase the scanning timeout.)

      I would also presume that not many people actually spend their time "discovering" Bluetooth devices just for fun.... In general you pair up your headphones, speakers, car radio etc. once and then forget about it... What's the chance that the aforementioned hacker would be in your proximity exactly at that moment..

      1. Charlie Clark Silver badge

        Re: Who would not do this?

        What's the chance that the aforementioned hacker would be in your proximity exactly at that moment..

        Along with most of the more recent flaws, the risk of some kind of drive by attack is minimal (in comparison with say cars which often can be attacked while driving by) but useful if you can get hold of the device.

        1. Pascal Monett Silver badge

          Aaand we're back to physical access.

          So it's basically what I thought: a Bluetooth-during-discovery bug, which means the attacker has a window of about 1.5 seconds in my case.

          Not losing sleep over that.

        2. Michael Wojcik Silver badge

          Re: Who would not do this?

          Social engineering is also plausible for a targeted attack in some scenarios. Use a lure - build the attack into a "free" or "lost" Bluetooth headset or similar.

    3. Blackjack Silver badge

      Re: Who would not do this?

      Oh you innocent child...

    4. bombastic bob Silver badge
      Devil

      Re: Who would not do this?

      "Surely nobody leaves their Bluetooth open like that?"

      I think you have to explicitly enable it to discover something via bluetooth. And don't call me Shirley.

      That being said, if you have BT headphones connected, and you pause, and then resume again (oh I'm on the train I want to make a phone call now), it probably re-connects your bluetooth stuff too on power up [which would make you vulnerable for that brief period of time].

      1. Charlie Clark Silver badge
        Stop

        Re: Who would not do this?

        Bluetooth does not enable discovery when connecting with paired devices.

    5. Mike007 Bronze badge

      Re: Who would not do this?

      I am not sure of the requirements in terms of what is actually needed to exploit the bug, but if it only needs to know the device MAC address then this advice could be incorrect. Discoverable mode enabled and able to be discovered are not the same thing... the reference to guessing Bluetooth addresses based on Wi-Fi address hints that you merely need the address even if it is not in discoverable mode.

      When you explicitly wish to pair a new device you need to be in discoverable mode, where it will respond to probes and be "easy to find", however a device not appearing on the GUI does not mean it is hidden.

      Do you use Bluetooth headphones? What happens when you turn them on...? The same with pairing to cars etc. Do you have to go and tell your phone to be discoverable before anything will connect? If Bluetooth is as much as enabled then even if it isn't currently connected you can simply guess addresses until something responds. Your device will also send out its own probes every few minutes, just in case a paired device is around and didn't auto-connect on startup.

    6. a_yank_lurker

      Re: Who would not do this?

      I normally have Bluetooth turned off. I only use discovery mode when pairing a new device which is done very infrequently.

    7. Anonymous Coward
      Anonymous Coward

      Re: Who would not do this?

      "Surely nobody leaves their Bluetooth open like that?"

      You might not know this, but Android apps that have the BLUETOOTH_ADMIN permission in their manifest will allow an app to pair with other devices using Bluetooth, and apps with the BLUETOOTH_PRIVILEGED permission in the app's manifest: "Allows applications to pair bluetooth devices without user interaction, and to allow or disallow phonebook access or message access."

      I do know that apps that contain Facebook's SDKs use Bluetooth to discover a user's location to serve targeted ads, and that apps that contain the BLUETOOTH_ADMIN permission in their manifest were a very good indication that the app had Facebook's SDKs inside.

      Also, correct me if I'm wrong, but I believe the BLUETOOTH_PRIVILEGED permission is a newer, more fine-grained permission and that older Android versions allowed an app to pair Bluetooth without user interaction with just the BLUETOOTH_ADMIN permission.

      1. Snake Silver badge

        Re: Bluetooth_admin

        Yes, actually, I just used that functionality 30 minutes ago! Samsung Gear 360's app handles pairing from within said app, no need to go into your Bluetooth settings to pair manually.

        Mixed blessing, that. Raised my eyebrow in suspicion (and now I read your comment about it), but convenience for most people is all they care about.

  2. Anonymous Coward
    Anonymous Coward

    Christ..

    .. WTF? Have they started to employ Microsoft staff or what?

    1. Anonymous Coward
      Anonymous Coward

      Re: Have they started to employ Microsoft staff or what?

      OMG!!! Have the great overlords Google actually got something wrong???? Say it isn't so!!!!

      Or is it just that you haven't been paying attention and Android has always been a bit shit?

      1. werdsmith Silver badge

        Re: Have they started to employ Microsoft staff or what?

        As much as I dislike Android, the problem of yet to be discovered/created vulnerabilities and bugs has to be accepted in any complex software. It’s not so much that there will be patches required, but more about the response and availability of patches. And ease of application of those.

        1. Just Enough

          Re: Have they started to employ Microsoft staff or what?

          Yeah. The fanboy crowing that always follows discoveries like this is irritating noise.

          No-matter what OS you worship, it is not immune to hacks and exploits. So the partisan jeering when one is found in another is rather pathetic.

          1. Nick Ryan Silver badge

            Re: Have they started to employ Microsoft staff or what?

            Very true. It's our role here as commentards to jeer at every OS.

          2. Grinning Bandicoot

            Re: Have they started to employ Microsoft staff or what?

            Except for ancients who remember LADDER LOGIC. Totally unhackable except on those call outs on vacation when the Ethanol was given rule. Oh it was a wonder when FGAs brought a new era almost as slow as I now but a lot more flexible. Unhackable equates to non field programmable.

        2. Michael Wojcik Silver badge

          Re: Have they started to employ Microsoft staff or what?

          the problem of yet to be discovered/created vulnerabilities and bugs has to be accepted in any complex software

          True. That said, what we know about a number of high-profile Android vulnerabilities (e.g. Stagefright) suggests that Android development practices are not particularly good. Are they requiring static code analysis for all Android code, for example? Doesn't look like it - at least not historically.

      2. EnviableOne

        Re: Have they started to employ Microsoft staff or what?

        As with all mostly open source software with a huge user base, the level of bug detection is quite high, so the bug complexity and use cases fall quite rapidly as the project matures.

        iOS CVEs 2019 = 156

        Android CVEs 2019 = 414

        iOS Market Share = 24.6%

        Android Market share = 74.3%

        so Android is roughly 3 times the install base and roughly 3 times the CVEs, so similar to CMSes the vulnerability rate looks similar to market share, i.e. bug detection goes where the users go.

  3. Charlie Clark Silver badge

    Project Treble paying off

    Got the update this morning for my S10e so it looks like the work that went into Project Treble in order to be able to push security updates faster has paid off. Yes, this still means millions of phones will be vulnerable but possibly less than the headline might suggest.

    1. ThatOne Silver badge
      Unhappy

      Re: Project Treble paying off

      > Project Treble

      On my side it looks more like a hit and mostly miss affair: I expected I'd be getting more updates that way, but after 3 months I'm still waiting to see any for a new-ish tablet (and yes, I do check manually, both for security and system updates). Clearly "possibility" doesn't mean "certainty", no matter the amount of wishful thinking involved. (BTW, I wasn't the one downvoting you.)

      (For those smug people who will rush to tell me they got updates: Yes, I'm very happy for you. Thanks for telling me.)

    2. John Brown (no body) Silver badge

      Re: Project Treble paying off

      My Samsung J3 last got an update in Nov'19. There's nothing new for it yet.

  4. Anonymous Coward
    Anonymous Coward

    you'll want to get these latest security patches

    in older versions of Android (8, 8.1, and 9)

    presumably my goode olde S2 happily running Android 4 is immune then? And thank God I only updated my handset to one running Android 6 :)

    1. DCFusor

      Re: you'll want to get these latest security patches

      Or my nexus 10...it does what I want, and was much too expensive to just toss out simply due to lack of upgrades.

      Lesson learned. No more such devices get my bucks.

  5. Version 1.0 Silver badge
    Coat

    Bluetooth impeached

    It's going to be patched, it's just a bug - nothing odd about this - Bluetooth has been acquitted! Yes there is a vulnerability there but the Bluetooth device was trying to get elected continue discovering its headphone connection so no crime has been committed.

    My Android phone gets updates every day - so I'm confident that most of yesterday's bugs have probably been fixed - I expect that they will fix today's bugs tomorrow. I'll get my phone out of my coat pocket and check for today's updates now.

    1. Venerable and Fragrant Wind of Change
      Coat

      Re: Bluetooth impeached

      It's OK. You're not one of the versions listed as being affected by this bug.

    2. bombastic bob Silver badge
      Devil

      Re: Bluetooth impeached

      "My Android phone gets updates every day"

      How's your bandwidth overage charges doing?

      1. John Brown (no body) Silver badge

        Re: Bluetooth impeached

        Maybe he's set it to update over WiFi only.

  6. andy gibson

    "you'll want to get these latest security patches"

    Goes into settings - system - updates....

    "Your device is up to date. 1st Feb 2019"

    a one year old Motorola phone.

    1. wyatt

      Re: "you'll want to get these latest security patches"

      The last update I had available to me was December and who knows what that actually contained. Sony Xperia.

    2. dajames

      Re: "you'll want to get these latest security patches"

      "Your device is up to date. 1st Feb 2019"

      a one year old Motorola phone.

      Even my (7 month old) Motorola One says 1st January 2020 ... I expect the fix for this new bug will have missed the February update, so I'll get it in the March update in about five weeks. It's an Android One device and so should get monthly updates until about September 2021 (three years after the model was launched).

      That's a LOT better than most Android users enjoy, but really not as good as we should be able to expect.

      1. Charlie Clark Silver badge

        Re: "you'll want to get these latest security patches"

        My S10e is security update: 1st February 2010. So, some manufacturers have finally got their game together.

        1. dfsmith
          Pirate

          Re: "you'll want to get these latest security patches"

          Given that Android was only 16 months old at the time of your update, I'd say you were fairly safe from any kind of attack that relies on a modern communication channel.

        2. Ken Hagan Gold badge

          Re: "you'll want to get these latest security patches"

          My A10 is still sitting at last October, so it is more a case of some (expensive?) models rather than manufacturers.

    3. Martin Summers Silver badge

      Re: "you'll want to get these latest security patches"

      "Your device is up to date. 1st Feb 2019"

      Not sure if you think that is the last update you got or if you realise (and I hate to break it to you if this is the case) that is just the last date your phone *checked* for an update.
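      The date Settings shows is indeed the last time the phone checked, not the patch level it is running. The authoritative value is the `ro.build.version.security_patch` property, which `adb shell getprop` prints alongside the release version. The following is an added example written for this thread (not code from The Register, ERNW or Google) that parses a getprop dump and reports whether the device is on one of the affected releases named in the article (Android 8.0 to 9.0) and whether its patch level is at or past the February 2020 bulletin. The sample dump is constructed; the `adb` invocation at the bottom is only attempted when the script is run directly and `adb` is available.

```python
"""Report the real Android security patch level from `adb shell getprop` output.

Added example for this thread. Assumptions: the device is reachable over adb
with USB debugging enabled, and the affected release range (8.0 to 9.0) and
the fix date (February 2020 bulletin) are as stated in the article.
"""
import re
import shutil
import subprocess
from datetime import date
from typing import Dict

# Constructed sample of `adb shell getprop` output, trimmed to the properties used.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-02-01]
[ro.product.model]: [example-handset]
"""

AFFECTED_RELEASES = ("8.0", "8.1", "9")   # affected range per the article
FIX_PATCH_LEVEL = date(2020, 2, 1)        # February 2020 Android security bulletin

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(dump: str) -> Dict[str, str]:
    """Turn a getprop dump into a key/value dict, ignoring lines that don't match."""
    props: Dict[str, str] = {}
    for line in dump.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def release_is_affected(release: str) -> bool:
    """True for 8.0.x, 8.1.x and 9.x; anything else (e.g. 10) is outside the range."""
    return any(release == r or release.startswith(r + ".") for r in AFFECTED_RELEASES)


def assess(dump: str) -> Dict[str, object]:
    """Summarise exposure from a getprop dump.

    'exposed' means: affected release AND patch level older than the fix bulletin.
    """
    props = parse_getprop(dump)
    release = props.get("ro.build.version.release", "")
    # Patch levels are ISO dates (YYYY-MM-DD), so they compare as dates.
    level = date.fromisoformat(props["ro.build.version.security_patch"])
    affected = release_is_affected(release)
    patched = level >= FIX_PATCH_LEVEL
    return {
        "release": release,
        "patch_level": level.isoformat(),
        "affected_release": affected,
        "patched": patched,
        "exposed": affected and not patched,
    }


def read_device_getprop() -> str:
    """Fetch the live dump over adb, or fall back to the constructed sample."""
    if shutil.which("adb") is None:
        return SAMPLE_GETPROP
    result = subprocess.run(["adb", "shell", "getprop"], capture_output=True, text=True)
    return result.stdout if result.returncode == 0 and result.stdout else SAMPLE_GETPROP


if __name__ == "__main__":
    for key, value in assess(read_device_getprop()).items():
        print(f"{key}: {value}")
```

      Run it with a phone plugged in and USB debugging on; without `adb` it evaluates the constructed sample, which deliberately mirrors the "1st Feb 2019" device in this thread and therefore reports it as exposed.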

      1. Nunyabiznes

        Re: "you'll want to get these latest security patches"

        The problem is that neither phone manufacturers nor service providers are pushing patches. You can ask your phone to check, but if you are one of the majority it will be blissfully ignorant of all the patches that have come out since it shipped from the factory.

    4. Tom 35

      Re: "you'll want to get these latest security patches"

      Guess I should be happy with my Moto G7 at June 1, 2019

      Might get android 10 in the next 6 months.

    5. guyr

      Re: "you'll want to get these latest security patches"

      I came here to say the same thing. We may *want* to get updates, but unless the maker of our phone and our carrier both provide the updates, then it ain't happening. Telling phone users to get an update accomplishes about as much as telling your dog to get a driver's license.

      1. ThatOne Silver badge
        Devil

        Re: "you'll want to get these latest security patches"

        > Telling phone users to get an update

        Is taking the piss out of the users. Like they actually can "get an update"...

        If they are lucky, and have been good obedient customers by throwing away last year's phone for a new one, they might get some update (although nobody knows what, or even if, that update fixes something).

  7. AndersH

    Why is the advice from ERNW "to switch to wired headphones *and* make sure their devices are not in discovery mode in public"? My already paired Bluetooth headphones aren't at risk, are they? (Let's not get started on the removal of 3.5mm jacks from phones!)

    1. ThatOne Silver badge
      Devil

      > (Let's not get started on the removal of 3.5mm jacks from phones!)

      No, no, on the contrary! Let's get started on the fact that most design choices stuffed down our throat in the pretty name of "progress" are actually limitations and downgrades.

      Removable batteries, headphone jacks, memory card slots, all those things that get removed "to enhance user experience" - and the worst thing is stupid users actually believe their "experience" has been "improved". Less is more, isn't it.

  8. Anonymous Coward
    Anonymous Coward

    What I find annoying about Android phones is that you have to wait for your phone maker to provide an update. You can't get it direct from Google.

    My Xperia E5 is currently on Android 6.0; it would be nice to see if it could run anything higher than that, but Sony haven't made any further updates available for my phone.

    I suppose I could try rooting the thing...

  9. Terje

    My Pixel 4 is on 1st January 2020 as well, so feels like they haven't pushed anything since then.

  10. The Griff

    Compulsory maintenance periods

    Vendors should be required to provide security updates for a minimum period from product release (e.g. 5 years). And this end date should be clearly printed on the box when you purchase it.

    My moto g5 ceased to receive updates in Feb 2019, which means it got 23 months of updates from release (pathetic).

    Of course vendors will never do this voluntarily because it takes away one reason for you to buy their next shiny model with a bunch of features you'll never use and a screen the size of a barn door.

    1. Nunyabiznes

      Re: Compulsory maintenance periods

      I get a chuckle when I hear the same people that are giving the android phone manufacturers and service providers a pass complain about MS ending support for Win7 after 10 years of free security updates.

      Say what you will about Apple, but they were still offering patches for my 6S when I sold it earlier this month.

      1. Charlie Clark Silver badge
        Facepalm

        Re: Compulsory maintenance periods

        10 years of free security updates

        Since when has Windows ever been free?

        The current state of affairs is not good, though it has got better, but the comparison with Windows is technically invalid due to the contract being between the user and Microsoft, whereas you just buy a phone from the manufacturer with no contract regarding the OS. It's up to consumers to hold manufacturers to account.

        Apple's approach is indeed exemplary, though it is also easier if you control hardware and software. But it's also clever marketing because replacement cycles are the same if not shorter for Apple's phones, and the promise of timely updates is part of the value proposition that attracts people to Apple. Of course, they should also be held to account for their restrictive practices: you can have any browser as long as it's WebKit, you can only buy stuff from the Apple store, etc.

    2. RM Myers

      Re: Compulsory maintenance periods

      I completely agree with you. I have an HP laptop that came originally with Windows Vista, and has been updated to Windows 10, and it still gets security updates. Why can't my Samsung phone get more than 15 months of updates (2 years if I had bought it when it first came out)? This is ridiculous.

      1. Lorribot

        Re: Compulsory maintenance periods

        Because Android was designed to destroy Microsoft and no care was given by developers beyond "iterate fast and give OEMs something they can butcher and control"; lifecycle management was never a consideration. They are trying to rework it all but they are still in the Windows 98 era at the moment as far as OS development is concerned. It should be possible to run vanilla versions of Android on anything but the issue is getting the drivers; Android has no distribution method, and when have you ever seen Android drivers on the Qualcomm or Broadcom web site, let alone any of the others.

        Handsets are closed devices: buy and throw away every 12-24 months. That is the market.

        Apparently no one wanted Windows 10 on their phone, not enough apps apparently and they didn't steal your information as efficiently, so no money in it.

      2. Grinning Bandicoot

        Re: Compulsory maintenance periods

        Not if you consider that in the US telco contracts were written on a two year cycle. Once started it became canon; hence after two years that device does not exist to MARKETING.

      3. Grinning Bandicoot

        HP and service

        I will not say that you are seeking office but my experience as long expressed on these august pages has doubts as it goes against past behavior!

  11. cantankerous swineherd

    weigh up the chances of screwing your phone via dastardly hacker versus screwing it via the update.

    tough choice? not really.

  12. Anonymous Coward
    Anonymous Coward

    Fit for purpose?

    So if any phone bought in the last 12/24 months from a UK/EU retailer that runs an affected version of Android, and does not receive a security update, can the owner rightfully return it for a full refund as "not fit for purpose"?

    If a large number of people returned phones within the statutory warranty period because of a lack of security updates, the retailers might have to be more selective about which makes of phone they stock.

  13. Lorribot

    Samsung J3(2017) up to date as of November 2019, on version 9, no updates available, so no December or January ones. Will possibly get the update in August if at all. But then that is the Android lottery for you.

    Wonder when someone will sue a manufacturer for not supplying updates in a timely manner if they get hacked by a known security bug?

    The millions on older versions won't get anything. May 2019 data (only one I could find) had 60% of devices on version 7 or earlier, and Lenovo still sells the Tab 3 with Android 7 (https://www.lenovo.com/gb/en/tablets/android-tablets/tablets-a-series/Lenovo-Tab-7-Essential/p/ZA300158GB) and I am sure many no-brand devices have older versions yet.

    Still, you get what the device manufacturer pays for.

  14. A random security guy

    Would like to see the code diffs for RCE

    RCE is interesting ... anyone have the access to the code diffs? Or is that hidden till they are sure that all the hackers know about it? (sarcasm intended)

  15. Stuart Halliday
    Trollface

    What security updates?

    I'm a Samsung owner, so I expect to wait another month...
