Google and Amazon patch 20 million smart speakers that were vulnerable to serious Bluetooth attack.
The BlueBorne flaws had a more serious impact on Amazon’s Echo than on Google’s Home.
BlueBorne, a set of eight Bluetooth flaws, was already known to affect billions of phones and computers running iOS, Android, Windows, and Linux. The flaws were discovered by security vendor Armis, which now warns that the flaws in Home and Echo could be used as an entry point to attacking other devices with malware.
An attacker would need to be in Bluetooth range but can use the flaws to attack any device with Bluetooth enabled without pairing with it.
According to Armis, Amazon has provided an update to around 15 million Echo devices and Google has patched five million Google Home devices.
BlueBorne had a more serious impact on Echo than it did on Home. The Echo was vulnerable to a remote code execution vulnerability in its Linux kernel, and an information leakage flaw in its SDP Server.
Google Home was affected by an information leakage flaw in Android’s Bluetooth stack. An attacker could use the flaws to own an Echo, and prevent Home’s Bluetooth communications from functioning.
Armis says a survey it conducted found that 82 percent of companies had an Echo within their corporate environment. It warns that these devices could serve as a beachhead into the corporate network.
Though Armis didn’t mention that Echo and Home were affected in its initial disclosure, the company said all Bluetooth devices, including IoT products, may be affected depending how their manufacturers implemented Bluetooth.
The Bluetooth SIG estimates 8.2 billion devices have Bluetooth integrated, spanning vehicles, medical devices, wearables, and Bluetooth beacons used in retail.
Some examples of Linux IoT devices that Armis has confirmed are affected by BlueBorne include Samsung’s Tizen-based Gear S3 watch, Samsung Smart TVs, and Samsung Family Hub smart fridge.
Worryingly, Armis notified Samsung on three occasions before its September disclosure, but claims never to have received a response from the company. Google, Microsoft, and Linux have addressed the issue. Only pre-iOS 10 Apple products were affected.
One feature of Home and Echo that make BlueBorne potentially more dangerous is that there’s no way to turn off Bluetooth.
Amazon Echo devices on a version newer than v591448720 have received the patch. Details about the current firmware versions for the Home and Home Mini are available on Google’s Home support page.