A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo.
As estimated during the discovery of this devastating threat, several IoT and smart devices whose operating systems are often updated less frequently than smartphones and desktops are also vulnerable to BlueBorne.
BlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks.
What's worse? Triggering the BlueBorne exploit doesn't require victims to click any link or open any file; it needs no user interaction at all. Also, most security products would likely not be able to detect the attack.
What's even scarier is that once an attacker gains control of one Bluetooth-enabled device, he/she can infect any or all devices on the same network.
These Bluetooth vulnerabilities were patched by Google for Android in September, Microsoft for Windows in July, Apple for iOS one year before disclosure, and Linux distributions also shortly after disclosure.
However, many of these 5 billion devices are still unpatched and open to attacks via these flaws.
20 Million Amazon Echo & Google Home Devices Vulnerable to BlueBorne Attacks
IoT security firm Armis, which initially discovered this issue, has now disclosed that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities.
Broken down, around 15 million Amazon Echo and 5 million Google Home devices sold across the world are potentially at risk from BlueBorne.
Amazon Echo is affected by the following two vulnerabilities:
- A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)
- An information disclosure flaw in the SDP server (CVE-2017-1000250)
Since different Echo variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android.
Google Home devices, by contrast, are affected by one vulnerability:
- Information disclosure vulnerability in Android’s Bluetooth stack (CVE-2017-0785)
This Android flaw can also be exploited to cause a denial-of-service (DoS) condition.
Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack.
Armis has also published a proof-of-concept (PoC) video showing how they were able to hack and manipulate an Amazon Echo device.
The security firm notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fix the BlueBorne attacks.
Amazon Echo customers should confirm that their device is running v591448720 or later, while Google has not released any information regarding its version yet.