New critical Bluetooth release, fixed on FP?

This seems critical enough to warrant a discussion here:

The key quote:

  • On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).
  • Android versions even older than 8.0 might also be affected but we have not evaluated the impact.

Are there plans to release updates to FP users to fix this critical vulnerability in the short term or should we just stop using Bluetooth for the time being? :slight_smile:

2 Likes

Google has fixed this in the Android Security Patch for February. Fairphone should have the update ready later this month. Until then: Don’t panic. Pretty much every monthly patch fixes some serious vulnerabilities. Only users of older phones that no longer receive regular security updates should be worried.

3 Likes
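The only way to know whether a given handset carries the fix the previous reply mentions is to read its security patch level: Google's bulletins stamp the date into the `ro.build.version.security_patch` system property, and the vendor's Android version into `ro.build.version.release`. The script below, an added example that is not part of this thread, encodes the advisory's version table (8.0 to 9.0 exploitable, 10 crash-only, older than 8.0 unevaluated) and reads both properties over `adb`. It assumes that any patch level dated 2020-02-01 or later includes the February fix; the advisory gives the month, not the exact level string.

```python
"""Assess whether an Android device is exposed to the Bluetooth daemon RCE
discussed in this thread, based on Android version and security patch level.

Added example, not from the thread. Assumption: the fix is contained in any
security patch level >= 2020-02-01 (the advisory only says "February").
"""
import subprocess
from datetime import date

REQUIRED_PATCH_LEVEL = date(2020, 2, 1)  # assumption, see module docstring


def parse_patch_level(value: str) -> date:
    """Parse 'YYYY-MM-DD' as found in ro.build.version.security_patch."""
    year, month, day = (int(part) for part in value.strip().split("-"))
    return date(year, month, day)


def android_major(release: str) -> int:
    """'8.1.0' -> 8, '9' -> 9, '10' -> 10."""
    return int(release.strip().split(".")[0])


def assess(release: str, patch_level: str) -> str:
    """Map (Android release, patch level) to the advisory's impact classes.

    Returns one of:
      'patched'    - patch level carries the fix
      'vulnerable' - Android 8.0..9.0 without the fix: remote code execution
      'crash-only' - Android 10 without the fix: daemon crash, not exploitable
      'unknown'    - older than 8.0, impact not evaluated by the advisory
    """
    major = android_major(release)
    fixed = parse_patch_level(patch_level) >= REQUIRED_PATCH_LEVEL
    if major < 8:
        return "unknown"
    if fixed:
        return "patched"
    return "crash-only" if major >= 10 else "vulnerable"


def read_device_props() -> tuple[str, str]:
    """Read the two properties from the first adb-attached device."""
    def getprop(name: str) -> str:
        out = subprocess.run(["adb", "shell", "getprop", name],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()
    return getprop("ro.build.version.release"), getprop("ro.build.version.security_patch")


if __name__ == "__main__":
    try:
        release, patch = read_device_props()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"adb not available or no device attached: {exc}")
    print(f"Android {release}, patch level {patch}: {assess(release, patch)}")
```

Run it with USB debugging enabled on the phone; on an unpatched Fairphone 3 running Android 9 it reports `vulnerable`, which is the case in which the advisory's advice to keep Bluetooth off applies.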

Well, until we actually are on the February patch level, we should worry as well, at least as far as taking the published advice:

"If you have no patch available yet or your device is not supported anymore, you can try to mitigate the impact by some generic behavior rules:

  • Only enable Bluetooth if strictly necessary. Keep in mind that most Bluetooth enabled headphones also support wired analog audio.
  • Keep your device non-discoverable. Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently."

(from the source linked to above)

1 Like

This would also be a nice argument for an Android 10 upgrade from Fairphone, since

On Android 10, this vulnerability is not exploitable for technical reasons and only results in a crash of the Bluetooth daemon.

(same source)

1 Like

Right … who can resist the appeal of Bluetooth crashing :slight_smile: ?

1 Like

You can install LineageOS. The usable version is Android 9.0 and Android 10 is in the making.

AFAIK there is no usable version of LineageOS for the FP3 (yet).

Also, I personally would not install an OS on my phone that is not being officially supported by Fairphone. But I do not want to turn this into another ideological discussion (there’s too many of those here already) …

1 Like

Good question, and I think that security updates should be released as soon as possible, not in the normal cycle.

Whenever I see mention of critical bugs like this I wonder if those really have been exploited so far? Never heard of an outbreak of viruses on smartphones on a scale like it used to be on (Windows) computers.

I’m not saying one shouldn’t pay attention to those security issues or shouldn’t update once the fixes are there. But it often sounds a bit of a “hype” to me (for lack of a better word).

2 Likes

I’m thinking botnets. They don’t exclude smartphones from those.

For me Bluetooth is a must on my Fairphone 3, as I use Bluetooth to connect the Fairphone 3 with a Compilot II, which in turn connects with my hearing aids.
Is it possible to make the Fairphone 3 not visible to other devices, but still be able to connect with the Compilot II?

The page in the first post says

Keep your device non-discoverable. Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.

My desktop PC at home doesn’t have bluetooth so I can’t check if the FP3 is visible while connected to some BT device.

1 Like

Google releases a bunch of security updates every month and informs its OEM partners another month in advance so they know what's upcoming. Don’t panic.

My Surface Pro 6 does have Bluetooth. I have just tried it and I can confirm that our beloved FP3 behaves as described above, namely that it’s only discoverable when entering the Bluetooth settings (scanning menu). So no worries.

2 Likes

But then, while BT is actually in use, I assume the phone (or at least the running connection) will be “visible” to some degree. From the article I’m not 100% sure if that makes the phone vulnerable (but I’d assume so).

1 Like

I am sorry to say, but a security researcher claiming that Bluetooth is only visible when the device is in discovery mode is, well, making a clueless statement. When there is Bluetooth traffic (and there is when Bluetooth is enabled), there are Bluetooth addresses visible.

With Developer Mode in Android, you can see Bluetooth addresses around you.

Anyone with a device capable of capturing Bluetooth (e.g. Bluetooth device, SDR, or pseudo SDR (like an Ubertooth)) can see Bluetooth addresses.

Therefore, I recommend everyone to disable Bluetooth on Android 8 and 9, despite the advisory suggesting otherwise.

There is no exploit in the wild known, but that does not stop anyone from developing one.

I do have a question: is Android Wear vulnerable as well?
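The point made above, that a Bluetooth address is exposed whenever the radio is in use, matters because the advisory's only precondition is knowing the target's address, and the advisory adds that on some devices it can be deduced from the WiFi address. The script below is an added example, not from the thread or the advisory, showing how cheap that step is: it generates neighbouring candidate addresses from a WiFi MAC and checks them against a list of addresses seen on the air. The rule it uses, that the Bluetooth address shares the vendor prefix and sits within a small offset of the WiFi address, is an assumption; the advisory only says "for some devices" and gives no rule. The observed addresses are constructed for the example, standing in for what a capture tool such as an Ubertooth would report.

```python
"""Derive candidate Bluetooth addresses from a WiFi MAC and match them
against addresses observed on the air. Added example; the +/- offset rule
is an assumption, and the observed list below is constructed sample data.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MAC_MAX = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02X}" for i in range(5, -1, -1))


def candidate_bt_addresses(wifi_mac: str, max_offset: int = 2) -> list[str]:
    """Candidate Bluetooth addresses for a device with the given WiFi MAC.

    Assumed heuristic: same OUI (first three bytes) and the low bytes differ
    by at most max_offset, including the WiFi address itself. Carries across
    byte boundaries are handled by doing the arithmetic on the 48-bit value.
    """
    base = mac_to_int(wifi_mac)
    oui = base >> 24
    candidates = []
    for offset in range(-max_offset, max_offset + 1):
        value = base + offset
        if value < 0 or value > MAC_MAX:
            continue
        if value >> 24 != oui:  # stay inside the vendor block
            continue
        candidates.append(int_to_mac(value))
    return candidates


def match_observed(wifi_mac: str, observed: list[str], max_offset: int = 2) -> list[str]:
    """Return observed Bluetooth addresses that look like they belong to wifi_mac."""
    wanted = set(candidate_bt_addresses(wifi_mac, max_offset))
    return [addr.upper() for addr in observed if addr.upper() in wanted]


# Constructed sample: a WiFi MAC read from a phone, and addresses seen on the
# air while that phone streams audio. Neither comes from a real device.
SAMPLE_WIFI_MAC = "AA:BB:CC:DD:EE:FF"
SAMPLE_OBSERVED = [
    "11:22:33:44:55:66",  # unrelated headset
    "aa:bb:cc:dd:ef:00",  # WiFi MAC + 1, with carry into the fifth byte
    "AA:BB:CC:12:34:56",  # same vendor, too far away to be a candidate
]

if __name__ == "__main__":
    print("candidates:", candidate_bt_addresses(SAMPLE_WIFI_MAC))
    print("matches:", match_observed(SAMPLE_WIFI_MAC, SAMPLE_OBSERVED))
```

The takeaway for the "stay non-discoverable" advice is that discoverability only controls whether the phone answers inquiry scans; it does not hide the address from anyone sniffing an active connection, and for devices where the WiFi MAC (which is broadcast in every WiFi frame) predicts the Bluetooth address, the attacker does not even need the sniffer.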

I think they didn’t; it was probably my misinterpretation of the two items they said to avoid. It’s an “all of them”, not “one of them” kind of situation.

From what I understand now, what they’re saying is that the only situation in which BT is enabled and you wouldn’t be vulnerable is when you’re not actively using BT and are also not in scanning mode. But that would be rather pointless, and one could simply disable BT completely.

1 Like

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.