Bluetooth Pairing Authentication Bypass

Product: Android Open Source Project (AOSP)
Severity: High
CVE Reference: CVE-2016-0850
Type: Bluetooth Pairing Authentication Bypass

Description

A vulnerability in Bluetooth Security Manager could enable an untrusted device to pair with a phone during an initial pairing process. This could lead to unauthorized access of the device resources.

Impact

An attacker would have access to a range of Bluetooth Profiles [1] compatible with the device, such as the HID Profile, which supports mice and keyboards, or the GAVDP Profile, which relays video/audio streams; some require additional authorization. As proof of concept, an untrusted device was paired with the victim’s phone and was then able to use the Bluetooth tethering feature to access the Internet connection.

Before the initial pairing authentication process times out, multiple devices can be paired in a row without user validation. The Bluetooth User Interface does not reveal the successful pairing(s) in the paired devices list.

Cause

An untrusted device could abuse the Porsche car-kit pairing workaround to generate a reply to a legacy PIN code request during an initial pairing process.

Solution

Google has released a security update through an over-the-air (OTA) update as part of its Android Security Bulletin Monthly Release process. Please refer to the Nexus Security Bulletin - April 2016 [2]. The Porsche car-kit pairing workaround has been removed. (Change-Id: I14c5e3fcda0849874c8a94e48aeb7d09585617e1)

Technical Details

Refer to the attached detailed advisory above.

Detailed Timeline

Date: Summary
2016-01-13: Reported to Android Open Source Project (AOSP) Issue Tracker
2016-01-13: Report acknowledged by Google
2016-01-21: Technical details reviewed by The Android Security Team and Severity set
2016-02-24: Google informed to release a patch in an upcoming bulletin
2016-04-04: Nexus Security Bulletin (April 2016) Published

References

[1] https://developer.bluetooth.org/TechnologyOverview/Pages/Profiles.aspx

[2] https://source.android.com/security/bulletin/2016-04-02.html