Blueborne discovered to affect Amazon Echo and Google Home

Intelligent speaker vendors forced to patch up AI-enabled voice assistants after devices shown to be vulnerable to Blueborne virus. 

Back in September, we reported how researchers at IT security company Armis had revealed the existence of an ‘airborne’ IoT malware called Blueborne.

The flaw was shown to affect many devices using Bluetooth connectivity – from smartphones to medical devices – potentially enabling hackers to take control of them and spread the malware ‘over the air’ to other vulnerable systems.

Now, researchers at Armis have issued an update revealing that the flaw also affects Amazon Echo and Google Home voice assistants.

“Since these devices are unmanaged and closed source, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android,” they write.

Amazon Echo and Google Home

According to the update, the Amazon Echo devices are affected by two vulnerabilities: a remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251) and an information leak vulnerability in the SDP Server (CVE-2017-1000250).

Google Home devices, meanwhile, are affected by one such vulnerability: an information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785).

“These vulnerabilities can lead to a complete takeover of the device in the case of the Amazon Echo, or lead to DoS of the Home’s Bluetooth communications,” said Armis.

The researchers note that this is the first severe remote vulnerability found to affect the Amazon Echo, “which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack.”

Researchers said the company notified both Amazon and Google about the findings, and both companies have issued automatic updates for the Amazon Echo and Google Home.

“Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes,” said Amazon in a statement.

Armis CTO speaks out

In an interview with US IT publication e-Week, Nadir Izrael, co-founder and CTO of Armis Security, said that organisations can find themselves full of devices that basically have open microphones that can “listen to everything and the organisation has no idea they are even there”.

That’s a problem, he explained, because these devices are constantly listening to Bluetooth communications. There’s no way to put an agent or antivirus software on them and, given their limited user interface, there is no way to turn their Bluetooth off, as can be done with many other IoT devices in the home, such as smart TVs.

“With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes; including spreading malware, stealing sensitive information and more,” said Izrael.

And the problems aren’t confined to homes. A recent survey by Armis of its clients showed that over four-fifths (82 percent) have at least one Amazon Echo in their corporate environment, “sometimes in very sensitive environments.” In many cases, corporate IT may not even be aware that these devices are attached to the network.


The post Blueborne discovered to affect Amazon Echo and Google Home appeared first on Internet of Business.

Internet of Business

BlueBorne put billions of IoT devices at risk – including Echo and Google Home

A serious vulnerability affecting billions of IoT devices also put Amazon Echo and Google Home users at risk.

The vulnerability, known as BlueBorne, was discovered by IoT security company Armis and found to put more than five billion devices at risk of attack. Researchers have now confirmed the attack surface included as many as 20 million Amazon Echo and Google Home devices.

If compromised by BlueBorne, the device can be used to establish a ‘man-in-the-middle’ attack to gain access to critical data, personal information, web traffic, and network availability.

As the name suggests, BlueBorne is an airborne vulnerability over Bluetooth. A hacker does not have to be in the vicinity of the vulnerable device and can launch a remote attack from a compromised device with Bluetooth capabilities.

"Burgeoning demand for digital personal assistants is expanding the avenues by which attackers can infiltrate consumers' lives to steal personal information and commit fraud," said Yevgeny Dibrov, CEO of Armis. "Consumers and businesses need to be aware how their devices are connecting via Bluetooth, and the networks they may be accessing, in order to take security precautions to protect their information."

With many computers and smartphones featuring Bluetooth, the initial device could become infected through clicking on malicious links or downloading files. Once compromised, it can then use the BlueBorne vulnerability to infect other Bluetooth-enabled devices — such as the Amazon Echo and Google Home.

Business threat

Although thought of as consumer products, these devices are making their way into business environments for their digital assistant capabilities. This will raise concerns about IoT devices being used for espionage and/or blackmail.

“Rising airborne threats such as BlueBorne and KRACK are a wakeup call to the enterprise that traditional security simply cannot defend against new attack vectors that are targeting IoT and connected devices in the corporate environment,” added Dibrov.

“Every organisation must gain visibility over sanctioned and unsanctioned IoT devices in their environments. If they don’t, they’ll be victimised by a breach that can lead to stolen identities for customers and employees, impact their bottom lines, and even cost top executives their jobs.”

It is estimated there are 15 million Amazon Echos and 5 million Google Home devices sold, according to a report in September by Consumer Intelligence Research Partners. Additional estimates indicate that more than 128 million Echos will be installed by 2020 and drive more than $10 billion in revenue for the company.

Google Home and Amazon Echo have since been patched to address the BlueBorne vulnerability, but many others remain vulnerable. Armis has released an app on the Play Store which can be downloaded and used to identify impacted devices.

iottechnews.com: Latest from the homepage

BlueBorne vulnerability affected Google Home and Amazon Echos, but both have been patched

Vulnerabilities. There’s a new flavor of the week every few days and in this highly connected world, it’s tough to keep up, whether it’s for users who don’t know which of their devices are vulnerable and have/haven’t been patched or for companies who are scrambling to fix one bug only to see the next one around the corner.

The BlueBorne vulnerability affected Bluetooth devices and could be exploited by hackers to completely take over a device with Bluetooth just turned on, without pairing with it first.

BlueBorne vulnerability affected Google Home and Amazon Echos, but both have been patched was written by the awesome team at Android Police.

Android Police – Android News, Apps, Games, Phones, Tablets

AT&T starts pushing BlueBorne fix to BlackBerry Keyone

AT&T has started pushing out a new update to BlackBerry Keyone units on its network. Arriving as build number AAP606 and weighing in at over 40MB, the update brings along a couple of security-related changes. Firstly, it includes a fix for the BlueBorne vulnerability, which – as you might already know – is a major security issue, as it allows a remote attacker to take control of devices via Bluetooth, even if they are set in non-discoverable mode. The second change included in the update is the regular monthly security fixes. The patch the update brings along is for the month of…

GSMArena.com – Latest articles

New Samsung Galaxy J5 (2017) update brings BlueBorne fix

Samsung has started pushing out a new update to its Galaxy J5 (2017) smartphone. Currently hitting units in Europe, the update weighs in at 392MB, arrives as version J530FXXU1AQI3, and brings along a fix for the BlueBorne vulnerability. The vulnerability, for those who aren’t aware, allows a remote attacker to take control of devices via Bluetooth. What’s more bothersome is that the process doesn’t even require the device being attacked to be paired to the attacker’s device, or even to be set on discoverable mode. So this is no doubt an important update. In addition, it also includes…

GSMArena.com – Latest articles