This seems critical enough to warrant a discussion here:
The key quote:
- On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).
- Android versions even older than 8.0 might also be affected but we have not evaluated the impact.
Are there plans to release updates to FP users to fix this critical vulnerability in the short term, or should we just stop using Bluetooth for the time being?