Attackers looking to steal sensitive information like contacts, call history, and SMS verification codes from Android devices only need to target Bluetooth protocols, according to new DBAPPSecurity research presented at the 2020 Black Hat conference Wednesday.
These exploits, one of which takes advantage of a zero-day vulnerability, could also allow hackers to send fake text messages if manipulated properly, researchers found.
It works by allowing attackers to disguise themselves as a trusted application, requesting permissions that allow one Bluetooth-enabled device to share data with another device, such as a headset or car’s “infotainment” system. For the attack to run successfully, Bluetooth must be enabled on the target device and victims must approve the attackers’ request for privileges. In the end, this action gives attackers access to data on the victim’s device, according to the California-based company.
The other attack allows researchers to take advantage of an authentication bypass vulnerability, dubbed “BlueRepli.” Would-be attackers can bypass authentication by imitating a device that has previously been connected with a target. Victims do not need to give permission to a device for the exploit to work.
“The actual effect of this vulnerability is the victim has no [awareness] at all when attackers access their phone book or [SMS messages],” Sourcell Xu, a security researcher at DBAPPSecurity, told CyberScoop.
Generally, hackers can exploit BlueRepli to steal users’ contacts, call logs, and short messages, but can go one step further and send fake text messages from victim devices if they are exploiting any device made by one particular Android manufacturer, which the researchers did not name. This manufacturer has made approximately 100 million Android devices, the researchers said.
“We are aware of the issue, and are currently working with our partners to develop a fix,” the Google spokesperson said.
The researchers said the vulnerability does not affect iPhones.
Bluetooth has long been plagued with vulnerabilities, including those that could allow hackers in close proximity to execute code on victim devices. There have also been issues with coronavirus contact tracing plans and Google Titan keys.
The National Security Agency warned earlier this week that users seeking to avoid exposing sensitive location data from their cellphones should be mindful that mobile devices calculate location using WiFi or Bluetooth, even when GPS or location services are turned off.