CVE-2024-34730 is a logic error vulnerability in Google Android operating systems versions 12, 12L, 13, and 14 that allows an attacker to bypass user consent mechanisms for enabling new Bluetooth Human Interface Devices (HIDs). The flaw exists in multiple code locations responsible for managing Bluetooth HID permissions, where the logic incorrectly permits enabling these devices without explicit user approval. This bypass leads to a local elevation of privilege, meaning an attacker with limited local access rights can escalate their privileges without needing additional execution privileges or user interaction. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and has a CVSS v3.1 score of 7.8, indicating high severity. The attack vector is local (AV:L), requiring low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning an attacker could gain full control over the device, access sensitive data, modify system settings, or disrupt device functionality. Although no known exploits have been reported in the wild, the vulnerability's nature makes it a significant risk for Android users and organizations relying on these devices. The absence of patch links suggests that fixes may still be pending or in the process of deployment. This vulnerability highlights the critical need for robust permission and consent checks in Bluetooth device management on Android platforms.

The vulnerability allows local attackers to bypass user consent and escalate privileges on affected Android devices, potentially gaining full control over the system. This can lead to unauthorized access to sensitive data, modification or deletion of files, installation of malicious software, and disruption of device functionality. The high impact on confidentiality, integrity, and availability means that compromised devices could be used for espionage, data theft, or as footholds for further network attacks. Organizations with employees using vulnerable Android versions face risks of data breaches and operational disruptions. The lack of required user interaction and low privilege requirements increase the likelihood of exploitation in environments where local access is possible, such as shared devices or those exposed to malicious insiders or malware. The vulnerability also poses risks to consumer privacy and security, especially in sectors relying heavily on mobile device security such as finance, healthcare, and government.

1. Monitor official Google Android security bulletins and apply patches immediately once available to address CVE-2024-34730. 2. Restrict local access to Android devices by enforcing strong physical security controls and device management policies to prevent unauthorized users from gaining local access. 3. Employ Mobile Device Management (MDM) solutions to enforce security policies, restrict Bluetooth usage, and monitor device behavior for suspicious activity. 4. Disable Bluetooth or restrict Bluetooth HID device pairing where not necessary, especially in high-security environments. 5. Educate users about the risks of unauthorized physical access and the importance of device lock screens and strong authentication. 6. For organizations, consider network segmentation and endpoint detection solutions to identify and contain compromised devices. 7. Regularly audit device configurations and permissions related to Bluetooth and HID devices to detect anomalies. 8. Until patches are available, consider deploying temporary mitigations such as disabling Bluetooth HID profiles or using custom security policies to limit Bluetooth device pairing capabilities.