Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Amazon Echo, Google Home Vulnerable to BlueBorne Attacks

Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”

Amazon Echo and Google Home devices are vulnerable to attacks exploiting a series of recently disclosed Bluetooth flaws dubbed “BlueBorne.”

IoT security firm Armis reported in September that billions of Android, iOS, Windows and Linux devices using Bluetooth had been exposed to a new attack that can be carried out remotely without any user interaction.

A total of eight Bluetooth implementation vulnerabilities allow a hacker who is in range of the targeted device to execute arbitrary code, obtain sensitive information, and launch man-in-the-middle (MitM) attacks. There is no need for the victim to click on a link or open the file in order to trigger the exploit, and most security products would likely not detect an attack.

Google patched the vulnerabilities affecting Android in September and Microsoft released fixes for Windows in July. Apple had already addressed the issue in iOS one year prior to disclosure, and Linux distributions released updates shortly after disclosure.

However, Armis has now revealed that the voice-activated personal assistants Google Home and Amazon Echo are also vulnerable to attacks leveraging the BlueBorne flaws.

Echo is affected by a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information disclosure bug in the SDP server (CVE-2017-1000250). Google Home is exposed to attacks by an information leakage issue affecting Android’s Bluetooth implementation (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition.

Since the Bluetooth feature cannot be disabled on either of the devices, attackers can easily launch an attack as long as they are in range. Armis has published a video showing how an Amazon Echo device can be hacked and manipulated by a remote attacker:

Advertisement. Scroll to continue reading.

The security firm pointed out that this is the first remote attack demonstrated against Echo. An attack method was previously described by MWR, but it required physical access to the device.

Amazon Echo and Google Home represent 99 percent of the U.S. market for voice-controlled personal assistants, with 15 million and 5 million units sold, respectively. This normally indicates a significant number of potential victims, including many enterprises that use these products. However, Armis has notified Google and Amazon of the vulnerabilities and both companies released patches that have likely reached a majority of devices via automatic updates.

“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated,” Armis researchers said. “However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates – potentially leaving them susceptible to attacks indefinitely.”

Armis has released an Android app that is designed to help users identify vulnerable devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.