
Critical Bluetooth vulnerability in Android - photon-torpedo
https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/
======
TekMol
That's heavy. There are tons of phones out there that will never be patched
again.

The situation on the phone market is so miserable.

The industry forces us to throw away perfectly fine hardware after just 3
years or so.

~~~
madez
The solution is rather simple; buy devices with better documented and open
internals rather than what's cheapest, shiniest, and most convenient. There
are alternatives, and we all vote with our wallets.

~~~
taspeotis
Or just buy Apple. The iPhone 5s was released in 2013 and got an update less
than a fortnight ago (January 28).

~~~
eithed
Can you make assurances that iPhone doesn't suffer from similar issues, given
it's not an open source solution?

~~~
objclxt
Depends what you mean by "similar issues"

If you mean "a bunch of relatively new Android phones not getting security
updates because their manufacturer doesn't support them", then yes. Apple is
actively providing not just security patches but entire feature software
updates for the iPhone 6S, which is 4.5 years old at this point.

~~~
eithed
Yup, that's what I mean. While I do have an Android phone that is patched
(Samsung), I understand that many people will be hmm... irritated that this
vulnerability won't be fixed and requires them to upgrade. I'd not treat
switching to Apple ecosystem as panacea to everything though and would be more
for security through audit, not obscurity.

~~~
why_only_15
Apple's security is heavily audited in a lot of ways. They give special phones
to researchers that make it easier to audit them, and there are significant
bug bounties.

~~~
dewey
> They give special phones to researchers that make it easier to audit them

Did this already happen? I only remember the announcement and then researchers
on Twitter complaining that the first one is yet to be seen.

------
m1r3k
My OnePlus 3 phone just got its last security patch and is now out of support
from the manufacturer.

I use bluetooth constantly for my smartwatch and headphones.

I think it's time for custom firmware just because of this. Goodbye banking
apps and Google Pay, because apparently a newer but unofficial OS is more
insecure [1].

[1]
[https://developer.android.com/training/safetynet](https://developer.android.com/training/safetynet)

~~~
guimoz
You can usually still pass SafetyNet with the latest Magisk, even on custom ROMs.
Go check the XDA forums and you might find that.

~~~
zozbot234
> You can usually still pass SafetyNet with the latest Magisk, even on custom
> ROMs.

It's unreliable by definition. You're better off keeping a device around with
the stock OS on it, that you only use for SafetyNet-required stuff.

------
tjoff
> _Only enable Bluetooth if strictly necessary. Keep in mind that most
> Bluetooth enabled headphones also support wired analog audio._

Reason #4373 that ditching the headphone jack is pure insanity.

Sigh.

~~~
gchokov
I haven’t missed the jack for a single day.

~~~
magicalhippo
I miss the jack every single day.

Recently the wire of my regular ear buds gave up (as they do) and, since I had
gotten some BT ones, I decided to use them. They're Jabra Elite Sport, which
got good reviews from what I can recall.

They're dropping out like crazy. It's seldom to get an entire minute of music
without a small dropout. The area around the bus stop at work is particularly
bad, with sound drops every few seconds until I get away from that area.

I upgraded the firmware and it got a bit better, but still pretty poor. If I
hold the phone in my hands and keep still it's usually ok, but as soon as it
goes into my pocket, all bets are off.

I don't miss the cable tangle, but I miss being able to enjoy music.

~~~
neuronic
I am probably adding to the pile of fanboyist Apple blah blah but I honestly
think my AirPods are the single best tech purchase I have made in the last 5
years. They took away so much hassle and work exactly like I would expect.

AirPods are one fine product for daily casual use. Obviously they aren't going
to meet an audiophile's demands at $150, but AirPods Pro might even be enough in
that case.

My AirPods drop out at the rate of once a month or something. When it happens
it's a quick fix and they have been nothing but convenient otherwise.

Would never use wired headphones again unless I am trying to analyze a
Beethoven piece.

~~~
that_jojo
I have my $20 wired Sony buds drop out about once every never.

~~~
hombre_fatal
My wired buds pop out if I do anything more than sit still while listening
with them. Any other activity I'm bound to accidentally karate chop the cord
out of my ears. Or they catch on something. It's quite a bad experience.

I didn't think BT headphones were worth anything until I tried them. They are
surprisingly liberating for someone active like me.

------
mavhc
Why haven't most of the billions of Android phones been hacked already? Most
never get updates and seems like there's 100 ways to hack them.

~~~
anotheryou
I think phones are also relatively hardened so the attack surfaces are not
super convenient.

Bluetooth: get in reach of an attacker (and from another comment: have your
device searching for bluetooth devices)

Web stuff: if a patched browser doesn't help, you are still relatively safe
browsing all the non-infecting websites in the world.

File stuff: you have to be stupid enough to open files, on your phone, from
phishy mails (unless you are targeted they are always suspiciously generic,
even when spreading from a hacked acquaintance).

I guess if there was a vulnerability where you could remotely gain full
control over a phone without any action on the phone side you'd indeed have
phone botnets. Looks like there are no such vulnerabilities.

Take what I write with a grain of salt, I'm actually just a noob trying to
make sense of this, too.

~~~
tgsovlerkhgsel
> Bluetooth: get in reach of an attacker

This part looks very different if the attack is a worm.

How many phones are _not_ in reach of another vulnerable phone at least once
a workday?

------
microcolonel
Gotta say, having worked with the Android Bluetooth stack, I'd be surprised if
there weren't lots of serious issues like this. The handling of pointers in
there is often both _clever_ and _not helpful_.

------
billpg
"We could roll out the patches, or we could make all our customers buy new
phones!"

Stagefright again.

------
aedron
So some questions:

> with the privileges of the Bluetooth daemon

Which privileges is that? Can it access user data? Snoop on input/output?

> For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC
> address

So if wifi is off, I'm safe?

I have bluetooth on all the time, because it automatically pairs with my car
for cellular and audio, and turning it on and off would be a hassle. I rarely,
however, use wifi unless I have to download a very big amount of data, which
is almost never.

~~~
e12e
> Which privileges is that? Can it access user data? Snoop on input/output?

This is somewhat addressed in a comment/reply by jorge:

[https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/#comment-103506](https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/#comment-103506)

> Hi, the Bluetooth daemon is a process on the Android system that runs in the
> background (daemon) that is responsible for managing the Bluetooth
> controller and handling of various Bluetooth related protocols, such as HCI,
> L2CAP and GATT. As it has to process attacker-controlled input it is
> susceptible to attacks. In addition, it has to run with high privileges (not
> as ‘root’ like on Linux) to support features like:
>
> – file transfer => read files
>
> – share Internet connection => configure network and VPN
>
> – Human Interaction Devices => emulate keyboard and mouse

------
joelthelion
On the plus side, could this be used to root phones?

------
nickcw
> As soon as we are confident that patches have reached the end users, we will
> publish a technical report on this vulnerability including a description of
> the exploit as well as Proof of Concept code.

It is likely to be a long time to never for most Android phones to receive
patches for this :-(

------
2T1Qka0rEiPr
> Keep in mind that most Bluetooth enabled headphones also support wired
> analog audio.

Is this true?

~~~
lima
Actual headphones, yes - many of them have an analog jack.

But I haven't ever seen a Bluetooth headset that supports analog audio.

~~~
zeisss
My Bose QuietComfort 35 has a cable and jack for analog audio. It is quite
common among Germans, afaict.

~~~
rahuldottech
Those are headphones. I think OP was talking about wireless earphones.

------
FraKtus
Am I right to understand that this vulnerability only works when Bluetooth is
in discoverable mode?

If yes, then most phones are safe even if they have this vulnerability, it's
only when you go in the Bluetooth menu that you are at risk...

------
beatgammit
It's exactly this type of reason that I'm excited for the Librem 5 and
PinePhone. I don't use many apps, and I value security updates, so using a
community supported phone based on standard Linux sounds a lot more appealing
to me than getting another Android phone. My current phone is an Android One
device and so _should_ still be getting updates, so hopefully I can stay
reasonably secure until those phones are usable as replacements.

------
dmatech
I hate to say it, but it seems like only a large-scale worm outbreak that gets
media coverage would be enough to fix the utterly broken Android patching
landscape. From the description, this appears wormable (especially in crowds
and possibly in vehicles). And unlike other wormable vulnerabilities that go
through a service (like Google or even the phone company), this is just two
phones with no intermediary to protect devices.

------
photon-torpedo
> only the Bluetooth MAC address of the target devices has to be known

Android has a feature of "Bluetooth scanning" to improve device location
(similar to Wifi scanning). I'm not sure, but even if Bluetooth is disabled in
the menu, this might still activate Bluetooth occasionally and perhaps reveal
the Bluetooth MAC to the (nearby) world?

~~~
dspillett
IIRC that doesn't enable BT if disabled, only uses it if available.

~~~
bepvte
It says "Bluetooth scanning — Let apps use Bluetooth for more accurate
location detection, even when Bluetooth is off." I doubt it makes the device
discoverable though.

------
zepto
Surprising that Project Zero didn’t catch this.

------
magicalhippo
> For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC
> address.

Which ones would that be? Anyone know?

------
butz
Great, because of limited Android updates I have to get a new phone.

------
gaius_baltar
I'm now wondering if I can use this to root my phone.

------
Brave-Steak
> Keep your device non-discoverable. Most are only discoverable if you enter
> the Bluetooth scanning menu. Nevertheless, some older phones might be
> discoverable permanently.

Does this mean your MAC address isn't visible while on, non-discoverable and
connected to a BT device?

~~~
baybal2
Actually Android keeps Bluetooth on even when the UI says off, for Google to
radiolocate your position.

~~~
rjmunro
Are you sure? I know they keep some WiFi on, but I didn't think there was much
location value in bluetooth signals because most bluetooth devices people use
are portable (headphones, cars, etc.)

~~~
baybal2
Actually yes, I did investigate that. Can post a screenshot.

~~~
whatisthiseven
Did you also disable that setting under the "location" submenu, which
explicitly says it works even if bluetooth is off?

Not that this is good design, mind you, but if you turned both settings off
and still see BT activity, then that is much different.

~~~
baybal2
If you do that, it will disable it. Yes, it's a well hidden option deep in the
menu.

------
est31
Judging by the three commits added by the android-9.0.0_r53 tag in the
platform/system/bt Android subcomponent, the vulns seem to be UAF + OOB write.
All vulnerabilities thus belong to the class of vulnerabilities that safe
Rust eliminates.

[https://android.googlesource.com/platform/system/bt/+/1d788d...](https://android.googlesource.com/platform/system/bt/+/1d788d25a8e1632eee1bfdb2b7c42176ad24b43a%5E%21/)

[https://android.googlesource.com/platform/system/bt/+/c20f24...](https://android.googlesource.com/platform/system/bt/+/c20f248f7530252c749004c1efe6e1074f92e72d%5E%21/)

[https://android.googlesource.com/platform/system/bt/+/abc302...](https://android.googlesource.com/platform/system/bt/+/abc3023b05872f49a1e0e5c078a33dc055b62afb%5E%21/)

~~~
haggy
This is not a constructive comment. Saying an entire OS "would have been safer
on this language" is just trolling. Comment should be reported IMO.

~~~
eeZah7Ux
...especially when the large majority of HN readers are already aware of rust
"thanks" to the rust evangelism strikeforce.

~~~
dx87
A day or two ago there was an embedded software developer here claiming that
low-level C developers "know what they're doing", so any languages with built-
in safety features impose unnecessary safety restrictions, and that since any
software can have bugs, there is no reason to use anything but C. Once that
kind of stubborn attitude dies out, maybe we'll stop seeing people leave
comments saying "This could have been prevented if they had used language X".

------
matchbok
Android is such a mess. Google needs to do a rewrite and dump legacy support.

~~~
drummer
Quite possibly the worst piece of software ever. Hot garbage.

