Google security researcher Andy Nguyen has just revealed “Bleeding Tooth”, a major security flaw in BlueZ, the Linux subsystem that implements Bluetooth. According to the researcher, it allows remote execution of arbitrary code and requires no action from the victim (“zero click”). The attacker only needs to be within Bluetooth range of the targeted device. The researcher posted a demonstration video in a tweet.
Intel, on the other hand, doesn’t present it the same way. In a security alert, the company describes the flaw as an elevation of privilege and an information leak, which already seems less critical. Andy Nguyen intends to provide technical details in a blog post, which should make the real level of risk clearer.
In the meantime, it is advisable to update the Linux kernel to version 5.1, which fixes this flaw. Unfortunately, this will not always be possible: many connected devices that run Linux cannot be updated.