CVE-2024-58101

CVSS v4.0 Score: 8.7 / High

 

Samsung audio devices are Bluetooth pairable by default, without user input and with no way to disable this mode.

Vendor: Samsung
Products: Galaxy Buds, Galaxy Buds 2
Discovered by: Antonio Vázquez Blanco (@antonvblanco), Jesús María Gómez Moreno
Public fix: No
Proof of Concept: https://github.com/TarlogicSecurity/BlueSpy

 

Summary:

Samsung Galaxy Buds and Galaxy Buds 2 are earphones that are pairable by default, without requiring user interaction and with no way to avoid it.

 

Details:

Devices fail to pass the following BSAM controls:

Impact:

This allows device pairing without user consent or notification, leading to full control of the device.

As a consequence, audio playback can be taken over, and the microphone can even be recorded, without user consent or notification.

 

Recommendation:

There are no known fixes for the issue.

 

Timeline:

  • 2024/03/15 – Initial report of the issue via Samsung Mobile Security platform.
  • 2024/03/21 – Samsung requested separate tickets for each of the findings and the report is closed as “working as intended”.
  • 2024/03/22 – Created three separate reports regarding the most outstanding issues.
  • 2024/03/29 – Samsung suggests closing the ticket regarding BSAM-PA-01 as “Working as intended”. Arguments against this are provided.
  • 2024/06/21 – Report regarding BSAM-PA-01 is agreed to be kept open as having some impact on security. A CVE assignment is requested from Samsung.
  • 2024/06/27 – Report regarding BSAM-PA-02 is closed as “No Security Impact” and also flagged “Out of scope” for their rewards program.
  • 2024/06/27 – Report regarding BSAM-PA-05 is closed as “No Security Impact” and also flagged “Out of scope” for their rewards program.
  • 2024/06/24 – Report regarding BSAM-PA-01 is labeled as “Low severity” while also stating that “we concluded this has less security impact than Low”.
  • 2024/06/24 – CVE request is denied under the argument that only moderate or higher impact vulnerabilities are assigned a CVE.
  • 2024/11/05 – Samsung notifies that the report regarding BSAM-PA-01 is awarded a bounty.
  • 2025/01/27 – The bounty is paid.
  • 2025/02/10 – Requested a CVE assignment from MITRE.
  • 2025/03/12 – CVE-2024-58101 is assigned.
  • 2025/03/20 – Advisory is made public.