Heard about this on the Security Now Podcast, SN753
"STEVE: So against 9.0 Pie and Oreo, Pie and Oreo 8.0, 8.1, and 9.0. The researcher said that a remote attacker within Bluetooth range can silently execute arbitrary code with the privilege of the Bluetooth Daemon, and it runs in the kernel. The flaw is worrisome because no additional interaction is required, and only the Bluetooth MAC address of the target device needs to be known to launch an attack.
Okay. So, well, there are a couple reasons that's not comforting, because it turns out that for many devices the Bluetooth MAC address can be deduced from the WiFi MAC address. They're often sequential. And so WiFi is easily known. It's being broadcast by the smartphone's WiFi. So obtaining the Bluetooth MAC address is probably a matter of adding or subtracting one, depending upon which phone you're using, and maybe they're all the same. I haven't looked.
The same vulnerability does impact Google's most recent Android v10. However, with Android 10, the severity rating is dropped to moderate rather than critical because the impact is not a remote code execution as a consequence of other changes made in Android 10. It will crash the Bluetooth daemon, but it won't give you remote code execution access. And they did not test any Android versions older than 8. So we don't know either way whether those may be affected. The flaw's discoverers said they are confident all patches - they said, sorry, once they are "confident" - and I put "confident" in quotes in the show notes because you'll see where I'm going - all patches have reached the end users, they will publish a technical report on the flaw that includes a description of the exploit as well as proof of concept code."