CVE-2024-23717 Overview
CVE-2024-23717 is an input validation flaw in the Android Bluetooth stack, specifically in the access_secure_service_from_temp_bond function of btm_sec.cc. The vulnerability allows an attacker within Bluetooth range to inject keystrokes into a target device. Successful exploitation results in escalation of privilege without requiring any user interaction or additional execution privileges. The flaw affects Android versions 12.0, 12.1, 13.0, and 14.0. Google addressed the issue in the Android Security Bulletin March 2024.
Critical Impact
An adjacent attacker within Bluetooth proximity can inject keystrokes into a victim device with no user interaction, leading to remote privilege escalation.
Affected Products
- Google Android 12.0
- Google Android 12.1
- Google Android 13.0 and 14.0
Discovery Timeline
- 2024-03-11 - CVE-2024-23717 published to NVD
- 2024-03-01 - Google releases fix in Android Security Bulletin March 2024
- 2024-12-16 - Last updated in NVD database
Technical Details for CVE-2024-23717
Vulnerability Analysis
The vulnerability resides in the access_secure_service_from_temp_bond routine within btm_sec.cc, a core component of the Android Bluetooth Manager (BTM) security module. The function governs how a temporarily bonded peer device can access secure Bluetooth services. Improper input validation [CWE-20] allows a peer device established under a temporary bond to interact with secure services it should not be authorized to reach.
Because Human Interface Device (HID) profiles operate over secure Bluetooth services, an attacker can leverage this gap to act as an unauthorized input device. The result is keystroke injection: the attacker delivers arbitrary key events to the victim device while the screen and lock state remain untouched.
Root Cause
The root cause is missing enforcement of bond persistence and security level checks before granting service access. A temporary bond should not grant equivalent privileges to a fully bonded, authenticated device, yet the affected code path treats them similarly when authorizing access to secure services. The patch in the Android Bluetooth Module Update tightens these checks so secure service access requires a persistent, authenticated bond.
Attack Vector
Exploitation requires the attacker to be within Bluetooth radio range of the target device with Bluetooth enabled. The attacker initiates a pairing handshake that establishes a temporary bond, then attempts to interact with the device as an HID peripheral. Once the flawed authorization path is reached, the attacker sends crafted HID reports to inject keystrokes. No tap, prompt acceptance, or other user action is required on the victim device. See the Android Security Bulletin March 2024 for additional vendor context.
Detection Methods for CVE-2024-23717
Indicators of Compromise
- Unexpected Bluetooth pairing events or temporary bonds appearing in the device's Bluetooth settings or bt_stack logs.
- HID device connections from unknown Bluetooth addresses, particularly in environments where no HID peripherals are expected.
- Unsolicited input activity such as application launches, command execution, or settings changes correlated with Bluetooth connection events.
Detection Strategies
- Monitor Mobile Device Management (MDM) telemetry for Android fleet build fingerprints lagging behind the 2024-03-01 security patch level.
- Inspect logcat and HCI snoop logs for repeated temporary-bond establishment followed by HID descriptor exchanges from non-allowlisted peers.
- Correlate proximity-based Bluetooth pairing events with anomalous user-input activity on managed mobile endpoints.
Monitoring Recommendations
- Use enterprise mobility management to enforce reporting of ro.build.version.security_patch and flag devices below 2024-03-01.
- Audit Bluetooth pairing history regularly on high-value devices and alert on unfamiliar HID peers.
- Restrict Bluetooth use in sensitive areas and log Bluetooth state transitions for forensic review.
How to Mitigate CVE-2024-23717
Immediate Actions Required
- Install the Android security update with patch level 2024-03-01 or later on all affected devices.
- Disable Bluetooth when not actively in use, particularly in public or untrusted environments.
- Remove unknown or stale paired devices from each device's Bluetooth settings.
- Enforce minimum patch-level policies through MDM and quarantine non-compliant devices from corporate resources.
Patch Information
Google released the fix as part of the Android Security Bulletin March 2024. The corresponding source change to the Bluetooth module is published in the Android Bluetooth Module Update. OEM rollout schedules vary, so verify the security patch level on each device rather than relying solely on the Android version string.
Workarounds
- Keep Bluetooth disabled on devices that cannot yet receive the March 2024 patch.
- Decline pairing requests from unknown devices and avoid leaving devices in discoverable mode.
- Apply MDM policies that disable Bluetooth or restrict it to allowlisted peripherals on managed Android fleets.
# Verify Android security patch level via adb
adb shell getprop ro.build.version.security_patch
# Expected output: 2024-03-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
