A serious vulnerability affecting billions of IoT devices also put Amazon Echo and Google Home users at risk.
The vulnerability, known as BlueBorne, was discovered by IoT security company Armis and found to put more than five billion devices at risk of attack. Researchers have now confirmed the attack surface included as many as 20 million Amazon Echo and Google Home devices.
If compromised through BlueBorne, a device can be used to mount a ‘man-in-the-middle’ attack that exposes critical data, personal information and web traffic, and affects network availability.
As the name suggests, BlueBorne is an airborne vulnerability over Bluetooth. A hacker does not have to be in the vicinity of the vulnerable device and can launch a remote attack from a compromised device with Bluetooth capabilities.
"Burgeoning demand for digital personal assistants is expanding the avenues by which attackers can infiltrate consumers' lives to steal personal information and commit fraud," said Yevgeny Dibrov, CEO of Armis. "Consumers and businesses need to be aware how their devices are connecting via Bluetooth, and the networks they may be accessing, in order to take security precautions to protect their information."
With many computers and smartphones featuring Bluetooth, the initial device could become infected through clicking on malicious links or downloading files. Once compromised, it can then use the BlueBorne vulnerability to infect other Bluetooth-enabled devices — such as the Amazon Echo and Google Home.
Although thought of as consumer products, these devices are making their way into business environments for their digital assistant capabilities. This will raise concerns about IoT devices being used for espionage and/or blackmail.
“Rising airborne threats such as BlueBorne and KRACK are a wakeup call to the enterprise that traditional security simply cannot defend against new attack vectors that are targeting IoT and connected devices in the corporate environment,” added Dibrov.
“Every organisation must gain visibility over sanctioned and unsanctioned IoT devices in their environments. If they don’t, they’ll be victimised by a breach that can lead to stolen identities for customers and employees, impact their bottom lines, and even cost top executives their jobs.”
An estimated 15 million Amazon Echos and 5 million Google Home devices have been sold, according to a report in September by Consumer Intelligence Research Partners. Additional estimates indicate that more than 128 million Echos will be installed by 2020 and drive more than $10 billion in revenue for the company.
Google Home and Amazon Echo have since been patched to address the BlueBorne vulnerability, but many other devices remain vulnerable. Armis has released an app on the Play Store that can be used to identify impacted devices.