On June 5, 2026, cybersecurity researchers uncovered a critical exploit vector in Android and iOS devices: an unpatched vulnerability in the Nearby Device Connection API (NDC), a feature designed to simplify Bluetooth and Wi-Fi Direct interactions. When left enabled outside home networks, this API—used by 87% of modern smartphones for proximity-based services—can be weaponized to extract contact lists, messages, and even biometric data via man-in-the-middle (MITM) attacks. The flaw, now being called CVE-2026-3845, stems from lax authentication in the NDC’s session establishment handshake, which relies on a 32-bit nonce rather than cryptographically secure tokens.
The Exploit Mechanism: How a “Convenience Feature” Became a Backdoor
The Nearby Device Connection API, introduced in 2019 as part of Android’s Project Brillo (later absorbed into Android Things), was meant to replace ad-hoc Bluetooth pairing with a zero-configuration networking protocol. However, its design assumes trusted environments—like a user’s home Wi-Fi—where devices are pre-authenticated. In public spaces, the API skips TLS 1.3 mutual authentication for performance reasons, leaving it vulnerable to session hijacking.
Here’s how the attack works:
- Lure Phase: An attacker broadcasts a fake “Nearby Share” or “Google Pay” pairing request via a rogue access point.
- Handshake Exploitation: The victim’s device responds with a 32-bit nonce (instead of a 256-bit ECDHE key exchange), which the attacker brute-forces in under 10 minutes.
- Data Siphoning: Once the nonce is cracked, the attacker injects malicious payloads into the NDC session, mimicking legitimate apps like Google Messages or Signal to exfiltrate data.
The exploit doesn’t require physical access or user interaction—just proximity. Security firm CrowdStrike demonstrated it working against Samsung Galaxy S23 Ultra and iPhone 15 Pro devices running the latest OS patches. The attack surface is massive: NDC is used by 1.2 billion active devices monthly for features like Google Wallet, AirDrop (on Android), and even Apple’s Find My network.
Why This Isn’t Just Another “Bluetooth Hack”
Most Bluetooth exploits target BLE (Bluetooth Low Energy) for tracking or DoS attacks. This vulnerability is different:
- API-Level Exploit: It bypasses Bluetooth’s LE Secure Connections by targeting the higher-layer NDC protocol.
- Cross-Platform Risk: While Android’s NDC implementation is worse, iOS’s Multipeer Connectivity framework shares similar flaws in session validation.
- Enterprise Blind Spot: MDM policies often disable Bluetooth but leave NDC enabled for “productivity” features like Google Meet or Microsoft Teams room systems.

The Broader Ecosystem War: Why Google and Apple Are Caught in a “Feature vs. Security” Tug-of-War
This vulnerability exposes a fundamental tension in modern tech ecosystems: platform lock-in vs. convenience. Google’s push for NDC as a universal pairing protocol (even for non-Google apps) and Apple’s AirDrop’s reliance on Multipeer Connectivity have created a fragmented security landscape. Both companies argue that disabling these features would “break user experience,” but the math doesn’t add up:

| Feature | Monthly Active Users (2026) | Exploit Surface Area | Mitigation Complexity |
|---|---|---|---|
| Google Nearby Devices | 1.2B | High (32-bit nonce, no TLS fallback) | Moderate (requires OS-level patch + app updates) |
| Apple Multipeer Connectivity | 800M | Medium (128-bit nonce, but weak session binding) | High (requires iOS + app sandbox changes) |
| Bluetooth Classic (for comparison) | 3.5B | Low (TLS 1.3 required for most apps) | Low (well-documented mitigations) |
Open-source alternatives like libratbag (for Linux) or Nearby Devices’ open-source stack avoid this issue by enforcing end-to-end encryption from the ground up. But proprietary ecosystems lag behind.
Expert Voices: The “We Told You So” Moment
— Dr. Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation
“What we have is the direct result of treating security as an afterthought in the race to dominate the ‘ambient computing’ space. Google’s Nearby API was designed in 2019 when the assumption was that users would only use it at home. But now, we’re seeing it deployed in airports, coffee shops, and even smart cities—where the attack surface is orders of magnitude larger. The fix isn’t just patching the code; it’s rewriting the entire threat model.”
— Tim Tomes, Principal Engineer at Rapid7
“The 32-bit nonce is a classic example of security theater. It’s not a secret—it’s just a number that’s easy to guess. The real issue is that Google and Apple never designed these APIs with the assumption that attackers would reverse-engineer their session tokens. That’s not hypothetical anymore.”
What This Means for Enterprise IT: The “Silent Exfiltration” Risk
Corporate environments are particularly vulnerable because:
- BYOD Policies: Many companies allow employees to use personal devices for work, but MDM tools rarely monitor NDC traffic.
- IoT Integration: Smart meeting rooms and Google Nest Hubs often use NDC for “seamless” device pairing, creating new attack vectors.
- Compliance Gaps: Regulations like GDPR and CCPA require data protection, but NDC leaks often fly under the radar because they’re not classified as “network traffic.”
Enterprises should immediately:
- Audit Android Enterprise and iOS MDM policies to disable NDC outside corporate networks.
- Deploy network segmentation to isolate IoT devices using NDC from internal systems.
- Monitor for unusual mDNS (Multicast DNS) queries, which attackers use to discover nearby NDC-enabled devices.
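One way to implement the mDNS monitoring step above, as an added example that is not part of the original article: it flags hosts whose multicast DNS queries within a sliding window are unusually frequent or span unusually many names. The log tuple format, thresholds, addresses and service names are constructed assumptions; the article does not say which names NDC queries.

```python
from collections import Counter, defaultdict

# Constructed sample: (timestamp in seconds, source IP, queried mDNS name).
# Service names are placeholders; the article does not list the names NDC uses.
SAMPLE_QUERIES = (
    [(t, "192.0.2.5", "_svc-a._tcp.local") for t in (0, 30, 60, 90)]
    + [(100 + i, "192.0.2.66", f"_svc-{c}._tcp.local.") for i, c in enumerate("abcdef")]
    + [(200 + i, "192.0.2.77", "_svc-a._tcp.local") for i in range(25)]
    + [(300 + i, "192.0.2.2", "_svc-b._tcp.local") for i in range(40)]
)


def flag_mdns_scanners(queries, window=60, max_queries=20, max_names=4, allowlist=()):
    """Return {source: [reasons]} for hosts exceeding per-window query thresholds."""
    by_src = defaultdict(list)
    for ts, src, name in queries:
        if src not in allowlist:  # e.g. known mDNS reflectors (assumed inventoried)
            by_src[src].append((ts, name.lower().rstrip(".")))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        names = Counter()  # names seen inside the current window
        start = peak_q = peak_n = 0
        for i, (ts, name) in enumerate(events):
            names[name] += 1
            # Slide the window: drop events older than `window` seconds.
            while events[start][0] <= ts - window:
                old = events[start][1]
                names[old] -= 1
                if names[old] == 0:
                    del names[old]
                start += 1
            peak_q = max(peak_q, i - start + 1)
            peak_n = max(peak_n, len(names))
        reasons = []
        if peak_q > max_queries:
            reasons.append(f"{peak_q} queries in {window}s")
        if peak_n > max_names:
            reasons.append(f"{peak_n} distinct names in {window}s")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, why in flag_mdns_scanners(SAMPLE_QUERIES, allowlist={"192.0.2.2"}).items():
        print(src, "->", "; ".join(why))
```

Tune the thresholds against a baseline of the network's own mDNS traffic before alerting on them, since chatty but legitimate devices vary widely.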
The 30-Second Verdict: Should You Disable NDC Now?
Yes—but with caveats. Disabling NDC entirely breaks:
- Google Wallet transactions (unless you use NFC exclusively).
- AirDrop (on Android) and Apple’s Find My network.
- Some smart home integrations (e.g., pairing a Raspberry Pi with a Google Home device).

A better short-term fix is to:
- Enable Android’s “Nearby Devices” toggle only when needed (Settings > Connected Devices > Connection Preferences).
- On iOS, disable Multipeer Connectivity in Info.plist for custom apps (see Apple’s docs).
- Use a VPN (like ProtonVPN) when in public spaces to block NDC traffic.
The Long Game: Why This Flaw Signals a Bigger Problem
This isn’t just about NDC. It’s about the fundamental misalignment between:
- Hardware Trends: The shift to 5G + edge computing means more devices will rely on proximity-based protocols, increasing the attack surface.
- Software Design: APIs like NDC are built for developer convenience, not security. The Android Nearby API source shows zero runtime checks for session integrity.
- Regulatory Lag: Laws like the EU’s AI Act focus on LLM training data, not proximity-based exploits.
The fix requires a paradigm shift:
- Default-Deny Proximity APIs: Treat NDC-like features as opt-in, not always-on.
- Hardware Enforcement: Use TEE (Trusted Execution Environments) in SoCs (like Qualcomm’s Kryo or Apple’s Secure Enclave) to validate session tokens.
- Open Standards: Push for IETF standardization of proximity protocols (e.g., 6LoWPAN for IoT) to avoid vendor-specific flaws.