CVE-2020-0023 Overview
CVE-2020-0023 is a missing permission check vulnerability in the setPhonebookAccessPermission function of AdapterService.java within Google Android. This flaw allows a malicious application to enable disclosure of user contacts over Bluetooth without proper authorization. The vulnerability affects the Bluetooth adapter service, which is responsible for managing Bluetooth device connections and permissions on Android devices.
Critical Impact
A malicious app with local access can silently enable contacts sharing over Bluetooth, potentially exposing sensitive user contact information to unauthorized Bluetooth-paired devices without user knowledge or consent.
Affected Products
- Google Android 10.0
Discovery Timeline
- 2020-02-13 - CVE-2020-0023 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0023
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), indicating that the setPhonebookAccessPermission method in AdapterService.java fails to verify that the calling application has the appropriate permissions before modifying phonebook access settings for Bluetooth connections. The flaw requires local access and user execution privileges, but notably does not require any user interaction to exploit.
When a Bluetooth connection is established between devices, Android typically prompts users to authorize phonebook sharing. However, this vulnerability allows a malicious application to programmatically enable phonebook access without triggering this authorization flow, effectively bypassing the intended security control.
Root Cause
The root cause of CVE-2020-0023 is the absence of a proper permission check in the setPhonebookAccessPermission method within the Android Bluetooth Adapter Service. The method should validate that the calling application possesses the necessary Bluetooth and contacts permissions before allowing modification of phonebook access settings. Without this validation, any application running with user-level privileges can manipulate these settings.
Attack Vector
The attack vector is local, requiring a malicious application to be installed on the target Android device. The attack scenario involves:
- A malicious app is installed on an Android 10.0 device
- The app calls the vulnerable setPhonebookAccessPermission method
- Due to the missing permission check, the method allows the app to enable phonebook access for Bluetooth connections
- When the device connects to a Bluetooth device (such as a car's infotainment system or headset), the contacts are automatically shared
- An attacker with access to the paired Bluetooth device can harvest the victim's contact information
The vulnerability is particularly concerning because it can silently leak personal data through seemingly innocuous Bluetooth connections that users may establish regularly.
Detection Methods for CVE-2020-0023
Indicators of Compromise
- Unexpected phonebook access being enabled for Bluetooth devices without user consent
- Unknown or suspicious applications making calls to Bluetooth adapter services
- Contacts data appearing on paired Bluetooth devices that weren't explicitly shared by the user
- Unusual Bluetooth service activity in system logs related to phonebook permissions
Detection Strategies
- Monitor for applications attempting to access AdapterService.java or Bluetooth adapter APIs without appropriate permissions
- Review installed applications for apps requesting Bluetooth permissions in combination with contacts-related functionality
- Analyze Android system logs for unauthorized calls to setPhonebookAccessPermission
- Deploy mobile threat detection solutions capable of identifying apps exploiting Bluetooth permission bypass vulnerabilities
Monitoring Recommendations
- Enable detailed logging for Bluetooth service interactions on managed Android devices
- Implement mobile device management (MDM) policies to monitor and control Bluetooth access and phonebook sharing settings
- Regularly audit installed applications on enterprise devices for suspicious Bluetooth-related behavior
- Use SentinelOne Mobile Threat Defense to detect applications attempting to exploit Android permission vulnerabilities
How to Mitigate CVE-2020-0023
Immediate Actions Required
- Update all Android 10.0 devices to the latest security patch level that includes the February 2020 security bulletin fixes
- Review and audit all installed applications for unnecessary Bluetooth or contacts permissions
- Disable Bluetooth when not in use to reduce the attack surface
- Remove or disable any untrusted applications from affected devices
Patch Information
Google addressed this vulnerability in the Android Security Bulletin February 2020. The fix implements proper permission checking in the setPhonebookAccessPermission method to ensure that calling applications have the necessary authorization before modifying phonebook access settings for Bluetooth connections.
Organizations should ensure all Android 10.0 devices are updated to security patch level 2020-02-01 or later to receive the fix for this vulnerability.
Workarounds
- Disable Bluetooth functionality on devices that cannot be immediately patched
- Review and revoke Bluetooth and contacts permissions from untrusted applications
- Use enterprise MDM solutions to enforce policies that prevent unauthorized phonebook sharing over Bluetooth
- Consider network segmentation for managed Bluetooth devices in enterprise environments
- Implement application allowlisting to prevent installation of potentially malicious apps
# Check Android security patch level via ADB
adb shell getprop ro.build.version.security_patch
# Expected output should be 2020-02-01 or later
# If earlier, update the device to the latest available security patch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
