There’s a new reason to consider disabling your phone's Bluetooth connection when it’s not in use.
A security firm has uncovered a serious bug in Android’s Bluetooth subsystem that can be exploited to hack the device.
The vulnerability opens the door for a nearby hacker to execute computer code on phones running Android 8.0 to 9.0, according to Germany-based ERNW.
“No user interaction is required,” it warned.
The only factor that needs to be known is the device’s Bluetooth MAC address, which is often readily transmitted when the Bluetooth connectivity has been turned on.
If the vulnerability is exploited, the hacker can execute code on the Android device as a Bluetooth "daemon,” or background process.
For now, ERNW is refraining from offering more specifics to prevent anyone from abusing the flaw, but the security firm warns: “This vulnerability can lead to theft of personal data and could potentially be used to spread malware.” As an example, ERNW points to the danger of a hacker launching a “short-distance” computer worm to attack vulnerable Android phones within the vicinity.
The good news is that Google patched the flaw with its February 2020 Android security update.
The only problem is that Android smartphone vendors can be notoriously slow to roll out updates to customer phones, sometimes taking weeks or months.
In other cases, the vendor may have dropped security support altogether on the pretense the phone model is too old.
As a result, ERNW is advising affected customers to only enable Bluetooth connectivity when necessary until their phones receive the patch.
Unfortunately, the growing prevalence of wireless headphones may make that difficult.
But the cybersecurity firm says another option is to keep your Bluetooth connection “non-discoverable,” which you can toggle on within an Android phone’s settings, usually under the Bluetooth panel.
It isn't the first time security researchers have uncovered a serious flaw in the Bluetooth protocol.
In 2017, a separate security firm discovered eight vulnerabilities in the technology that could also be used to spread malware among Android, iOS, and Windows devices.
Recommended by Our Editors
The key limitation with Bluetooth flaws is how the attacker usually has to be physically near your device to exploit them.
So it's not exactly practical for a cybercriminal to abuse.
The vulnerability also affects unpatched Android 10 systems, but it’ll only trigger the Bluetooth background processes to crash if exploited.