A security flaw has been found in Android that allows attackers to access a phone via Bluetooth with no user interaction required.
Android’s most recent monthly security update, released on February 3rd, fixes the flaw. The vulnerability is rated “critical” — the highest rating — for Android versions 8 and 9. In Android 10, the same bug allows a remote attacker to crash the Bluetooth system, but does not present the same security vulnerability.
Attackers must be within Bluetooth range (typically around 30 feet) to exploit the flaw. Users can ensure they’re not vulnerable by turning off Bluetooth until their phone receives the February update. There are ways to continue using Bluetooth in public while making it difficult to exploit the flaw. Attackers need to know your Bluetooth MAC address (device ID). This can be obtained in two ways: The first is if your phone is in Bluetooth “discoverable” (pairing) mode. Also, on some devices, the Bluetooth MAC address can be deduced from the Wi-Fi MAC address.
Therefore users with a non-updated Android phone who are concerned about the issue should avoid pairing new Bluetooth devices while near any public areas, and keep Wi-Fi turned off on their phone.
