Hey, Android users: You might not want to use Bluetooth in public for a while, because there's a serious flaw that could let anyone within Bluetooth range -- say, in a subway car, on a busy street or in a parking lot -- wirelessly hack your device without your knowledge.
"No user interaction is required," states a security advisory posted yesterday (Feb. 6) by the flaw's finder, Jan Ruge (opens in new tab) of the Technische Universität Darmstadt in Germany. "This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm)."
There are two exceptions. Android 10, the most recent version, is largely unaffected by this flaw. An attack will simply crash Bluetooth. So if your phone runs Android 10, you should be okay.
And owners of Google Pixel and Android One phones running Android 9 Pie or Android 8/8.1 Oreo can install the patch that came with the February Android security updates (opens in new tab) earlier this week. (Pixel and Android One phones running Android 10 should as well.)
But everyone else running Android 8 or 9, the most widely used versions of Android, has to wait for their phone's manufacturer to test and release the February security update.
If your phone can't be updated to Android 8, 9 or 10, then it's probably never going to get the patch. And because we don't yet know the details of how this attack works, it's not clear if even the best Android antivirus apps will help protect you.
How to prevent your phone from getting hacked
In that case, Ruge has some advice.
One, he wrote, "only enable Bluetooth if strictly necessary. Keep in mind that most Bluetooth-enabled headphones also support wired analog audio."
Second, "keep your device non-discoverable. Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently."
The attacker has to know your device's Bluetooth MAC address, or network-interface identifier. Bluetooth devices generally broadcast the MAC address only when they want to be found by other devices, and you can turn that off.
Go into your Android devices's settings, find the wireless or Bluetooth settings, and disable "Discoverable" if you can. You'll still be able to link to Bluetooth devices you've already paired with, but not to new Bluetooth devices.
Before everyone panics, this flaw has not been exploited in the wild, and its discoverers are keeping the details under wraps for the time being so that no bad guys can start using it right away.
But you can bet the baddies are already at work reverse-engineering this month's Android patch to try to find what got fixed and how to exploit it.