In September 2017, the IT security researchers at Armis found eight zero-day vulnerabilities in Bluetooth protocol. Dubbed BlueBorne by researchers, these vulnerabilities affected millions of IoT and Windows, Linux, iOS and Android-based devices when their Bluetooth was enabled. Although Windows issued a quick patch for the vulnerability, Armis has now discovered that Amazon Echo and Google Home smart speakers are also vulnerable to BlueBorne attack.
Researchers warn that [PDF] if targeted device is unpatched, attackers can take over them to spread malware and establish a “man-in-the-middle” attack to gain access to critical data, personal information, traffic, and networks. The vulnerability is different and dangerous from others since it doesn’t require attackers to trick users into downloading malware or click on a link. Everything can be done remotely and without triggering a warning.
According to the survey, five million Google Home and more than 20 million Amazon Echo devices have been sold so far. That means millions of devices are currently vulnerable to BlueBorne attacks worldwide while they are being used by people at home and businesses respectively.
“Rising airborne threats such as BlueBorne and KRACK are a wakeup call to the enterprise that traditional security simply cannot defend against new attack vectors that are targeting IoT and connected devices in the corporate environment,” said Yevgeny Dibrov, CEO of Armis. “Every organization must gain visibility over sanctioned and unsanctioned IoT devices in their environments. If they don’t, they’ll be victimized by a breach that can lead to stolen identities for customers and employees, impact their bottom lines, and even cost top executives their jobs.”
Armis has also released an app called BlueBorne Vulnerability Scanner that will scan if your device is vulnerable to BlueBorne.
In an email conversation with HackRead, Google said that “Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild. As always, we appreciate researchers’ efforts to help keep all users safe.”
Amazon, on the other hand, said the company had released security patches today to protect Amazon Echo from BlueBorne attack. In a conversation with The Register, Amazon said that “Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes.”
Both Amazon Echo and Google Home users are advised to download and install patches right now and secure their devices from BlueBorne attack. Also, disable your Bluetooth feature.
Previously, Amazon Echo 2015 and 2016 models were vulnerable to physical hack attack while Google Home was caught secretly recording user conversations however Google claimed it wasn’t intentional but due to a bug.