bad spread

Patch for self-propagating Bluetooth worm released last month

Imagine a virus spreading from one person to the next person and the next and so on, just by virtue of their proximity to each other.

No, I don’t mean the coronavirus, or influenza, or viruses that affect the physical body. But due to how much a majority of us use our phones everyday, there is potential of us unwittingly creating another kind of epidemic.

Last November, an Android vulnerability was found, which if unpatched could lead to self-spreading Bluetooth worms. This bug is tracked as CVE-2020-0022, and a phone infected with this worm could spread it to other phones without any action on the part of these phones’ users. The phones would only need to be Bluetooth-enabled, something which many phones are by default.

Even if not Bluetooth-enabled out-of-the-box, there is a slew of companion devices that require devices to be have Bluetooth switched on, these days. For example, watches, headphones, and yes, even selfie sticks.

Go to any public place, and when you do a quick Bluetooth scan, the number of devices you can discover will give you an idea of how many are at risk of catching this Bluetooth bug.

Once it latches onto a phone, it can silently execute arbitrary code with privileges of the Bluetooth daemon. This translates to data on the phone being compromised, and the phone potentially being used to spread the worm over short distances.

Attend any mass gatherings, for example seminars, shopping malls, trade fairs, conferences, and the number of discoverable devices increases many times over. The mechanics of how this worm ‘transmission’ works is no different from that of a virus transmission to our physical bodies.

Thankfully, there are steps we can take to mitigate it. Users of Android phones are advised by security researchers ERNW, to install the latest security patch from February 2020, or at least to disable Bluetooth (or discoverability feature) on their phones unless it is necessary for use.