A critical Bluetooth vulnerability has been silently lurking in Pixel phones since at least March, impacting Bluetooth Low Energy (LE) audio with certain devices. The bug, codenamed CVE-2024-23694, only recently received its official fix in the May 2024 security update, but only after leaving users potentially exposed for months without their knowledge.

    Bluetooth

  • General improvements in stability or performance for Bluetooth LE audio
  • Camera

  • Fix for camera performance under certain conditions when recording video

The story unfolds with the watchful eye of GrapheneOS, a privacy-focused Android operating system. Their team, known for its meticulous security measures, utilizes hardware memory tagging on the latest Pixel 8 and 8 Pro models. Memory tagging extension (MTE) detects and prevents memory-related errors and use-after-free vulnerabilities akin to the one in question here. It is this eagle-eyed technology that identified a memory corruption issue in Android 14 QPR2 build, specifically affecting Bluetooth LE audio on Pixel devices.

Further investigation by the GrapheneOS team revealed the bug wasn’t isolated to the new Pixel 8 and 8 Pro. Older Pixel devices running Android versions that rely on the standard “hardened_malloc” memory protection were also susceptible. This broadens the potential pool of affected users significantly.

While GrapheneOS explored disabling memory tagging as a temporary fix, they rightly deemed it a risky proposition. This safety measure acts as a crucial defense against various attacks, and compromising it, even temporarily, would leave users vulnerable on a different front. They did, however, fix the bug not long after, which is what you expect from a big company like Google.

The lack of transparency from Google throughout this ordeal is concerning. The May 2024 security bulletin simply acknowledges that there’s a fix for a high severity Bluetooth vulnerability with the codename CVE-2024-23694, offering no details about its nature, potential exploitation, or the timeframe of its existence. Even the National Vulnerability Database (NVD) remains tight-lipped, currently lacking specifics about the flaw.

Thankfully, the update addressing this high-risk bug (rated 7.5 on the Vulners severity scale) is finally here. Pixel users are strongly advised to install the latest May 2024 security update immediately to patch this Bluetooth LE vulnerability and safeguard their devices.

This incident highlights the importance of proactive security measures. The GrapheneOS team’s commitment to robust security features not only uncovered this critical vulnerability but also prevented a potentially risky workaround. While the specifics of the bug and its potential exploitation remain shrouded in secrecy by Google, Pixel users should prioritize installing the May update to eliminate this silent threat.

Hopefully, the future holds more transparency from Google regarding such critical vulnerabilities. Keeping users informed allows them to make informed decisions about their digital security.

Hillary Keverenge
2127 Posts

Tech has been my playground for over a decade. While the Android journey began early, it truly took flight with the revolutionary Lollipop update. Since then, it's been a parade of Android devices (with a sprinkle of iOS), culminating in a mostly happy marriage with Google's smart home ecosystem. Expect insightful articles and explorations of the ever-evolving world of Android and Google products coupled with occasional rants on the Nest smart home ecosystem.