CVE-2021-39738
📋 TL;DR
This vulnerability in Android's CarSettings allows Bluetooth device pairing without user consent due to a missing permission check. It enables local privilege escalation without requiring additional execution privileges or user interaction. Affects Android devices running versions 10 through 12L.
💻 Affected Systems
- Android devices with CarSettings
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical access could pair malicious Bluetooth devices to intercept communications, inject malicious data, or exploit other Bluetooth vulnerabilities to gain full device control.
Likely Case
Malicious apps or users with physical access could pair unauthorized Bluetooth devices to eavesdrop on communications or perform man-in-the-middle attacks on Bluetooth connections.
If Mitigated
With proper security controls and updated devices, the risk is limited to devices that haven't been patched or are running vulnerable configurations.
🎯 Exploit Status
Exploitation requires local access or malicious app execution. No user interaction needed once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Bulletin May 2022 patches
Vendor Advisory: https://source.android.com/security/bulletin/aaos/2022-05-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update.
2. Install the May 2022 security patch or later.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Disable Bluetooth when not in use
Turn off Bluetooth functionality to prevent unauthorized pairing attempts
Settings > Connected devices > Connection preferences > Bluetooth > Toggle off
Restrict Bluetooth visibility
Set Bluetooth to non-discoverable mode to reduce the attack surface
Settings > Connected devices > Connection preferences > Bluetooth > Device name > Turn off 'Make device visible'
🧯 If You Can't Patch
- Disable Bluetooth completely on affected devices
- Implement physical security controls to prevent unauthorized device access
🔍 How to Verify
Check if Vulnerable:
Check the Android version in Settings > About phone > Android version. If the version is 10, 11, 12, or 12L and the security patch level is before May 2022, the device is vulnerable.
Check Version:
adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify that the security patch level shown in Settings > About phone > Android security patch level is May 2022 or later.
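The version check above, as an added example script that is not part of this advisory: it reads the two properties named in the adb command and classifies the device against the affected range (Android 10 through 12L with a security patch level earlier than 2022-05-01). The classification function takes the two values as arguments so it can be exercised without a device; the `check_device` helper, the `--device` flag and the output labels are assumptions of this example, and it assumes `adb` is on the PATH with exactly one device attached.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a device's exposure to
# CVE-2021-39738 from the two adb properties the advisory names.
# Affected range per the advisory: Android 10, 11, 12, 12L with a
# security patch level earlier than 2022-05-01.

FIX_PATCH_LEVEL=20220501   # 2022-05-01 written as a comparable integer

# classify RELEASE PATCH_LEVEL
#   prints VULNERABLE, PATCHED, NOT_AFFECTED or UNKNOWN (labels are this example's own)
classify() {
  release="$1"
  patch="$2"

  case "$release" in
    10|11|12|12L) ;;                       # inside the affected range
    *) echo NOT_AFFECTED; return 0 ;;      # any other release is out of scope here
  esac

  # ro.build.version.security_patch is YYYY-MM-DD; anything else cannot be compared
  case "$patch" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo UNKNOWN; return 0 ;;
  esac

  # Drop the dashes so the date compares as a plain integer (POSIX sh has no string <)
  patch_num=$(printf '%s' "$patch" | tr -d '-')
  if [ "$patch_num" -lt "$FIX_PATCH_LEVEL" ]; then
    echo VULNERABLE
  else
    echo PATCHED
  fi
}

# check_device: query the attached device over adb and classify it.
# Assumes adb is on PATH and exactly one device is connected (assumption of this example).
check_device() {
  rel=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
  pat=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
  printf 'release=%s patch=%s -> %s\n' "$rel" "$pat" "$(classify "$rel" "$pat")"
}

# Only talk to a device when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--device" ]; then
  check_device
fi
```

Run it as `sh check_cve_2021_39738.sh --device` with the device attached; the classification treats the patch level as the deciding value, since a device reporting a release in range but a patch level of 2022-05-01 or later has the fix applied.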
📡 Detection & Monitoring
Log Indicators:
- Unexpected Bluetooth pairing events in system logs
- Bluetooth pairing without user consent prompts in CarSettings logs
Network Indicators:
- Unauthorized Bluetooth MAC addresses paired to devices
- Unexpected Bluetooth traffic patterns
SIEM Query:
source="android_system" AND "Bluetooth pairing" AND "CarSettings" AND NOT "user_consent=true"