Bluetooth Pairing Authentication Bypass

  • Published: 8 Apr 2016

CVE-2016-0850

Type

  • Bluetooth Pairing Authentication Bypass

Severity

  • High

Affected products

  • Android Open Source Project (AOSP)

CVE Reference

  • CVE-2016-0850

Timeline
2016-01-13  Reported to the Android Open Source Project (AOSP) issue tracker
2016-01-13  Report acknowledged by Google
2016-01-21  Technical details reviewed by the Android Security Team and severity set
2016-02-24  Google informed us that a patch would be released in an upcoming bulletin
2016-04-04  Nexus Security Bulletin (April 2016) published

Download the advisory here

Description

A vulnerability in the Bluetooth Security Manager could allow an untrusted device to pair with a phone while an initial pairing process is in progress, without the user's consent. This could lead to unauthorized access to the device's resources.

Impact

An attacker would gain access to the range of Bluetooth profiles [1] supported by the device, such as the HID profile (mice, keyboards) or the GAVDP profile (relaying audio/video streams); some profiles require additional authorization. As a proof of concept, an untrusted device was paired with the victim's phone and was then able to use the Bluetooth tethering feature to reach the phone's Internet connection.

Until the initial pairing authentication times out, several devices can be paired in a row without any user validation. The Bluetooth settings UI does not show these bonds in its paired-devices list, so the user gets no indication that the extra pairings happened.

Cause

An untrusted device could abuse the Porsche car-kit pairing workaround in the Bluetooth stack: during an initial pairing, the workaround makes the phone generate a reply to a legacy PIN-code request on the user's behalf, so the request is answered without the user ever being prompted.
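The following is an added illustration for the Impact and Cause sections above; it is not code from AOSP's Bluetooth stack or from the advisory. It models the decision a security manager makes when a legacy (pre-SSP) pairing produces a PIN-code request, and shows why an automatic reply keyed on the remote device's Class of Device (CoD) is an authentication bypass: the CoD is simply what the remote device reports in its inquiry response, so an attacker can claim whatever class the workaround matches on. It also replays several inbound requests inside one pairing window to show how many devices bond with no prompt, before and after the workaround is removed. All identifiers, the car-kit CoD value, the fixed PIN and the 30 s window are hypothetical.

```c
/*
 * Hypothetical model of a legacy PIN-code request handler. Not AOSP/Bluedroid
 * code; every identifier and constant here is an assumption for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical CoD the workaround matched on: Audio service bit, Audio/Video
 * major class, Hands-free minor class. Any remote device can advertise this. */
#define HYP_CARKIT_COD     0x00200408u
#define HYP_PHONE_COD      0x00000204u   /* Phone major class, for contrast */
#define PAIRING_WINDOW_MS  30000u        /* hypothetical initial-pairing timeout */

enum pin_decision { PIN_PROMPT_USER = 0, PIN_AUTO_REPLY = 1 };

struct pin_request {
    uint8_t  remote_addr[6];
    uint32_t remote_cod;   /* copied from the remote's inquiry response: untrusted */
    uint32_t t_ms;         /* arrival time relative to the start of the pairing window */
};

struct sm_config {
    bool carkit_workaround;   /* true = pre-fix behaviour, false = workaround removed */
};

/* Decide how a legacy PIN-code request is answered. */
enum pin_decision handle_pin_request(const struct sm_config *cfg,
                                     const struct pin_request *req,
                                     char pin_out[5])
{
    if (cfg->carkit_workaround && req->remote_cod == HYP_CARKIT_COD) {
        /* Vulnerable branch: the stack answers with a fixed PIN (value
         * hypothetical) on the user's behalf, so no consent is collected and
         * the only "credential" checked is the attacker-chosen CoD. */
        memcpy(pin_out, "0000", 5);
        return PIN_AUTO_REPLY;
    }
    /* What the fix leaves: a legacy PIN request is always surfaced to the
     * user, whatever the remote claims to be. */
    pin_out[0] = '\0';
    return PIN_PROMPT_USER;
}

/* Replay inbound PIN requests that arrive while the initial pairing window is
 * still open; return how many devices bonded without a user prompt. */
size_t silent_bonds(const struct sm_config *cfg,
                    const struct pin_request *reqs, size_t n)
{
    size_t silent = 0;
    char pin[5];
    for (size_t i = 0; i < n; i++) {
        if (reqs[i].t_ms >= PAIRING_WINDOW_MS)
            break;   /* window expired: later requests are not accepted */
        if (handle_pin_request(cfg, &reqs[i], pin) == PIN_AUTO_REPLY)
            silent++;
    }
    return silent;
}

/* Constructed sample: three attacker devices advertising the car-kit CoD, one
 * ordinary phone, and a late car-kit request after the window has closed. */
static const struct pin_request SAMPLE_REQS[] = {
    { {0x02,0x00,0x00,0x00,0x00,0x01}, HYP_CARKIT_COD, 1000  },
    { {0x02,0x00,0x00,0x00,0x00,0x02}, HYP_CARKIT_COD, 2500  },
    { {0x02,0x00,0x00,0x00,0x00,0x03}, HYP_PHONE_COD,  4000  },
    { {0x02,0x00,0x00,0x00,0x00,0x04}, HYP_CARKIT_COD, 6000  },
    { {0x02,0x00,0x00,0x00,0x00,0x05}, HYP_CARKIT_COD, 31000 },
};
#define SAMPLE_N (sizeof SAMPLE_REQS / sizeof SAMPLE_REQS[0])

/* Run the sample against the vulnerable (true) or fixed (false) configuration. */
size_t sample_silent_bonds(bool workaround)
{
    struct sm_config cfg = { .carkit_workaround = workaround };
    return silent_bonds(&cfg, SAMPLE_REQS, SAMPLE_N);
}
```

With the workaround enabled the sample yields three silent bonds (the phone-class request is prompted and the late request falls outside the window); with it removed, none. The general lesson is the one the fix applies: a trust decision in a pairing path must never rest on a field the peer asserts about itself.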

Solution

Google has released a security update through an over-the-air (OTA) update as part of its monthly Android Security Bulletin process; please refer to the Nexus Security Bulletin - April 2016 [2]. The Porsche car-kit pairing workaround has been removed (Change-Id: I14c5e3fcda0849874c8a94e48aeb7d09585617e1). Devices with a security patch level of 2016-04-02 or later include the fix.

Technical Details

Refer to the attached detailed advisory (download link above).

References

Footnotes

  1.  https://developer.bluetooth.org/TechnologyOverview/Pages/Profiles.aspx

  2.  https://source.android.com/security/bulletin/2016-04-02.html