As contact tracing gains attention, a researcher pokes a hole in Bluetooth technology
Bluetooth came to the fore in the fight against the novel coronavirus this month when Apple and Google announced a project to use the wireless technology to trace people infected with the virus.
The ambitious program to build interoperable software for iPhone and Android devices inspired hope in some and privacy concerns in others. New research highlights the potential security implications of using Bluetooth to track smartphone users.
Jan Ruge, a researcher at the TU Darmstadt, a university in Germany, has shown how a hacker in close proximity to an Android device could use Bluetooth to execute code on it. The mobile device’s user wouldn’t need to click on anything to be compromised — the attacker would only need the Bluetooth address of the device and a software exploit. Ruge used the exploit on a Samsung Galaxy S10e, but it would work in theory on other phone models running unpatched versions of the Android 8.0-9.0 operating systems.
Ruge found the vulnerability by digging into a protocol that Bluetooth uses to stream music on the device. He reported the bug to Android’s security team in November, which issued a software fix in February. There was no indication that the vulnerability had been exploited in the wild.
The research doesn’t mean that the wireless standard shouldn’t be used to track COVID-19. It is, however, another reminder that technology that has gained traction in the health crisis could also be an opening for hackers. Like Zoom, the videoconference app whose popularity has surged during the pandemic, vendors that use Bluetooth will have to reckon with the technology’s security vulnerabilities.
Unlike Zoom, Bluetooth has been around for more than two decades. Given its ubiquitous use, Bluetooth has long drawn attention from security researchers. Last year, for example, Google addressed a Bluetooth vulnerability that could have allowed a hacker to communicate with devices paired with the company’s Titan security key, which guards against phishing.
One problem, as Ruge pointed out, is that many mobile phones are automatically configured to accept Bluetooth connections from nearby devices. That makes the first step to executing a hack like this — finding a vulnerable target — significantly easier. A security patch takes care of the problem in this case. If users can’t apply the patch, they should only enable Bluetooth when they need it, Ruge said.
