Android Bluetooth Stack Privilege Escalation Vulnerability via SMP Authentication Bypass

Vulnerability

A vulnerability has been identified in the Android Bluetooth stack, specifically within the Secure Simple Pairing (SMP) implementation. The issue allows a malicious peer to bypass SMP authentication by falsely claiming to have out-of-band (OOB) data, which can lead to unauthorized privilege escalation. The vulnerability arises from an incorrect protocol implementation that accepts the peer's OOB data claim without validating it against OOB data actually held locally. Exploitation does not require any additional execution privileges or user interaction.

Impact

Exploitation of this vulnerability could result in unauthorized privilege escalation, allowing a user to gain elevated rights or access within the system.

Reproduction

The vulnerability can be reproduced by initiating a pairing process between two Bluetooth devices: one device is configured to claim that it has OOB data available, while the other device holds no local OOB data at all. The Android Bluetooth stack on the second device accepts the false OOB claim as if the pairing were OOB-authenticated, thereby bypassing the SMP authentication requirement.
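The following is an added illustration, not code from the Android Bluetooth stack: a constructed model of the pairing-method decision that contrasts the flawed pattern described above (the peer's OOB flag alone selects the authenticated path) with a hardened decision that only honours an OOB claim when this device actually holds the peer's OOB data, and otherwise rejects the pairing instead of silently treating it as authenticated. The enum and function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of an SMP pairing-method decision (not the Android
 * Bluetooth stack's code). Inputs: the peer's "OOB data present" flag from
 * its Pairing Request/Response, and whether this device really holds OOB
 * data for that peer, received over a trusted out-of-band channel.
 */
typedef enum {
    METHOD_JUST_WORKS,         /* unauthenticated: no MITM protection */
    METHOD_OOB,                /* authenticated via out-of-band data */
    METHOD_FAIL_OOB_NOT_AVAIL  /* reject: SMP Pairing Failed reason "OOB Not Available" (0x02) */
} smp_method_t;

/* Flawed pattern the advisory describes: the peer's flag alone selects the OOB path. */
smp_method_t select_method_vulnerable(bool peer_claims_oob, bool local_has_peer_oob) {
    (void)local_has_peer_oob;  /* locally held OOB data is never consulted */
    return peer_claims_oob ? METHOD_OOB : METHOD_JUST_WORKS;
}

/* Hardened: an OOB claim is honoured only when this device holds the peer's OOB data. */
smp_method_t select_method_fixed(bool peer_claims_oob, bool local_has_peer_oob) {
    if (!peer_claims_oob)
        return METHOD_JUST_WORKS;
    return local_has_peer_oob ? METHOD_OOB : METHOD_FAIL_OOB_NOT_AVAIL;
}

/* Whether the resulting key may be stored as MITM-protected ("authenticated"). */
bool key_is_authenticated(smp_method_t m) {
    return m == METHOD_OOB;
}

int main(void) {
    /* Scenario from the advisory: the peer claims OOB data, we hold none. */
    smp_method_t v = select_method_vulnerable(true, false);
    smp_method_t f = select_method_fixed(true, false);
    printf("vulnerable: method=%d authenticated=%d\n", v, key_is_authenticated(v));
    printf("fixed:      method=%d authenticated=%d\n", f, key_is_authenticated(f));
    return 0;
}
```

The vulnerable decision records an authenticated key from nothing but the peer's claim; the fixed one fails the pairing with the standard "OOB Not Available" reason, which is also the event a defender would expect to see logged when a peer advertises OOB data the local side never received.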

Remediation

Users can update their devices to the May 2025 security patch level, which addresses this vulnerability.

Added: Sep 4, 2025, 6:54 PM
Updated: Sep 4, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm (score per category)
spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 0.0
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.