US tech giants Google and Amazon released security updates for their respective Google Home and Amazon Echo devices after being warned by US-Israeli cybersecurity company Armis that the smart speakers, which respond to voice commands, were at risk of cyber breaches from a security exploit called BlueBorne. The Israeli-founded firm warned that as many as twenty million users of Amazon Echo, Google Home, and other voice-activated personal assistant devices running on Android and Linux were subject to BlueBorne vulnerabilities activated via Bluetooth.
Armis, an IoT (Internet of Things) security solution company, said in a statement that its researchers recently uncovered that hackers can exploit these non-secure devices, take them over, spread malware and establish an attack to “gain access to critical data, personal information, traffic, and networks.” These vulnerabilities allow attackers to create malware infections that are spread from one infected device to many others through a wireless connection over Bluetooth. The device-to-device connectivity aspect of Bluetooth means an airborne attack could easily spread without any action from the user.
“The current situation is that many devices are becoming smart and connected, with many different wireless options embedded into them including WiFi and Bluetooth, and this creates a huge and growing attack surface for attackers to use the airborne attack vector,” Armis CEO Yevgeny Dibrov tells NoCamels.
With BlueBorne, hackers can attack without going through the trouble of tricking users into clicking on malicious links or downloading a file. Potential attackers don’t have to interact with users at all.
Armis tells NoCamels its representatives have spoken with both Google and Amazon security teams directly about the vulnerability before issuing a public statement. Both companies were very responsive, Armis said, adding that it helped them fix their code and pushed them to release automated updates. According to Armis, Google has already released patches and Amazon said “customers do not need to take any action as their devices will be automatically updated with the security fixes.”
How Google and Amazon were affected
BlueBorne is one of eight Bluetooth flaws known to potentially affect billions of Bluetooth-connected devices, including smartphones, laptops and home assistants, running iOS, Android, Windows, and Linux around the world. In the first wave of BlueBorne vulnerabilities announced by Armis in September, it was revealed that more than five billion devices were subject to attack, according to the California-based firm. At the time, Armis had already alerted manufacturers like Apple, Microsoft, and Google about its findings.
Armis says these latest BlueBorne vulnerabilities are the most serious to date, because hackers could easily bypass various authentication mechanisms to completely take over the devices.
According to a report published in ZDNet, a business technology website, BlueBorne had a more serious impact on Echo than it did on the Home device. The report said “the Echo was vulnerable to a remote code execution vulnerability in its Linux kernel and an information leakage flaw in its SDP server.”
Google was affected by an information leakage flaw in Android’s Bluetooth stack where a hacker could use the flaw to keep Home’s Bluetooth communication from its core function.
Google said it issued a patch and that neither it nor Armis found evidence of the BlueBorne attack “in the wild,” and it expressed gratitude “to researchers’ efforts to help keep all users safe.”
A growing market for the threat
Amazon and Google personal-assistant devices are part of a multibillion-dollar market. According to a September report by Consumer Intelligence Research Partners (CIRP), 15 million Amazon Echoes and five million Google Home devices have been sold. It is estimated that there will be more than 128 million Echoes by 2020 with more than $10 billion in revenue for Amazon.
“Burgeoning demand for digital personal assistants is expanding the avenues by which attackers can infiltrate consumers’ lives to steal personal information and commit fraud,” Dibrov said in a statement from Armis. “Consumers and businesses need to be aware how their devices are connecting via Bluetooth, and the networks they may be accessing, in order to take security precautions to protect their information.”
Data from Armis shows that 82 percent of its customers have the Amazon Echo in their businesses.
“These devices are in corporate headquarters, executive offices, medical facilities, and manufacturing floors – not just at homes,” Dibrov said. “Every one of these devices is like a computer – and so it shares the risks that computers traditionally have, except it lacks the security and visibility of a traditional computer.”