Updated Your Devices to Fortify Against BlueBorne? But Did You Patch Up Your Amazon Echo and Google Home?
Remember BlueBorne? When the security attack was first discovered, it was estimated that several IoT devices would also be vulnerable to this devastating threat. It appears that millions of Google Home and Amazon Echo devices were at risk. The companies may have finally patched the flaws.
BlueBorne - a recap
Reported first in October, the attack vector has been called one of the worst security flaws reported to date as it enabled attackers in close proximity to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Basically, an epidemic that was based on several critical zero day vulnerabilities.
"Just by having Bluetooth on, we can get malicious code on your device,” Nadir Izrael, cofounder of Armis Labs had said. "BlueBorne abuses the fact that when Bluetooth is on, all of these devices are always listening for connections." The attack essentially takes advantage of how Bluetooth uses tethering to share data and is able to spread through networks, turning the victim into an attacker. "The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode," the security firm adds.
The vulnerability put over 5 billion devices at potential risk, with many still open to these flaws. Today, Armis Labs has disclosed that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks via the BlueBorne exploit.
The flaw affects both the top voice-activated personal assistants, with an estimated 15 million Amazon Echo and 5 million Google Home devices at risk (based on the number of units sold).
"Since these devices are unmanaged and closed sourced, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android," Armis warned. Today's advisory is yet another reminder of how IoT devices are often at a greater security risk because their software is less frequently updated than desktop or mobile operating systems.
Not all BlueBorne vulnerabilities (there were over 8) affect the two devices.
- Amazon Echo is vulnerable to CVE-2017-1000251 (RCE flaw in Linux Kernel) and CVE-2017-1000250 (Information leak in the SDP Server)
- Google Home is at risk of CVE-2017-0785 (Information leak vulnerability in Android’s Bluetooth stack)
Researchers added that attackers can take complete control of the device in the case of the Amazon Echo and lead to denial of service in case of Google Home.
Both Google and Amazon have issued updates to their assistants. Amazon Echo consumers should confirm that their device is on v591448720 or later; Google hasn't made any information regarding this available as yet. While it's difficult to turn Bluetooth off for these and several other IoT devices, in case of computers, mobile devices, smart TVs, and products that don't completely rely on Bluetooth, security experts have advised to keep Bluetooth off when not in use.