Bluetooth Pairing Authentication Bypass

Product: Android Open Source Project (AOSP)
Severity: High
CVE Reference: CVE-2016-0850
Type: Bluetooth Pairing Authentication Bypass


A vulnerability in the Bluetooth Security Manager could enable an untrusted device to pair with a phone during an initial pairing process. This could lead to unauthorized access to the device's resources.


An attacker would have access to a range of Bluetooth Profiles [1] compatible with the device, such as the HID Profile, which supports mice and keyboards, or the GAVDP Profile, which relays video/audio streams; some require additional authorization. As a proof of concept, an untrusted device was paired with the victim’s phone and was then able to use the Bluetooth tethering feature to access the Internet connection.

Before the initial pairing authentication process times out, multiple devices can be paired in a row without user validation. The Bluetooth User Interface does not reveal the successful pairing(s) in the paired devices list.


An untrusted device could abuse the Porsche car-kit pairing workaround to generate a reply to a legacy pin code request during an initial pairing process.


Google has released a security update through an over-the-air (OTA) update as part of its Android Security Bulletin Monthly Release process. Please refer to the Nexus Security Bulletin - April 2016 [2]. The Porsche car-kit pairing workaround has been removed. (Change-Id: I14c5e3fcda0849874c8a94e48aeb7d09585617e1)

Technical Details

Refer to attached detailed advisory above.

Detailed Timeline




Reported to Android Open Source Project (AOSP) Issue Tracker


Report acknowledged by Google


Technical details reviewed by the Android Security Team and severity set


Google advised that a patch would be released in an upcoming bulletin


Nexus Security Bulletin (April 2016) Published