Published: 07/06/2019 Updated: 12/09/2019
CVSS v2 Base Score: 8.3 | Impact Score: 10 | Exploitability Score: 6.5
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 739
Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In the Bluetooth Low Energy (BLE) specification, there is a provided example Long Term Key (LTK). If a BLE device were to use this as a hardcoded LTK, it is theoretically possible for a proximate malicious user to remotely inject keystrokes on a paired Android host due to improperly used crypto. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-128843052.

Affected Products

Vendor | Product | Versions
Google | Android | 7.0, 7.1.1, 7.1.2, 8.0, 8.1, 9.0

Recent Articles

Microsoft Blocks Some Bluetooth Devices Due to Security Risks
BleepingComputer • Sergiu Gatlan • 11 Jun 2019

Microsoft says that certain Bluetooth devices might start experiencing pairing and connectivity issues after Windows users apply cumulative, security, or monthly rollup updates released today.
As detailed by the Windows support document published today by Microsoft, "These security updates address a security vulnerability by intentionally preventing connections from Windows to unsecure Bluetooth devices. Any device using well-known keys to encrypt connections may be affected, including ...

It's that time again: Android kicks off June's patch parade with fixes for five hijack holes
The Register • Shaun Nichols in San Francisco • 05 Jun 2019

Updates are on the way… if you have a Google device, at least

Google has released its June bundle of security vulnerability patches for Android, with fixes for 22 CVE-listed flaws included.
This month's update, including eight critical fixes, includes patches to close up four confirmed remote code execution vulnerabilities. Google says none of the bugs have been targeted in the wild, yet.
Those with Google-branded devices like the Pixel phone line will get the update directly from the Chocolate Factory, while others will need to rely on their v...