Amazon, Google inject Bluetooth vuln vaccines into Echo, Home AI pals

The BlueBorne ultimatum

Updated Amazon and Google have automatically patched people's Echo and Home AI assistant devices, respectively, to defend against recently discovered Bluetooth-related security vulnerabilities.

BlueBorne – described in the video below – is the collective name for eight exploitable flaws found in Bluetooth stacks used by major hardware vendors. The eight blunders affect an estimated 5.3 billion Android, iOS, Linux, and Windows devices, California-based IoT security biz Armis disclosed in September. Amazon Echo and Google Home were also vulnerable, but this info was held back pending the development of patches now pushed to endpoints.

By exploiting unpatched bugs in voice-driven personal assistant devices, hackers can take over the gizmos, spread malware, and establish a "man-in-the-middle" attack to siphon off data or hack other devices on the same home networks, the researchers warned. BlueBorne is potentially attractive to miscreants because vulnerable Bluetooth-enabled devices cane be hacked without having to fool users by clicking on malicious links, downloading a file, or interacting with them in any way – the holes can be attacked and gadgets compromised over the air, provided the attackers are physically in range.

A close up at atomic level of limpits' teeth. Image via Portsmouth University

Bluetooth bugs bedevil billions of devices

READ MORE

About 15 million Amazon Echoes and five million Google Home devices have been sold, according to September estimates from Consumer Intelligence Research Partners (CIRP). Smart devices and assistants are also making their way into some corporate environments.

"Rising airborne threats such as BlueBorne and KRACK are a wakeup call to the enterprise that traditional security simply cannot defend against new attack vectors that are targeting IoT and connected devices in the corporate environment," said Yevgeny Dibrov, chief exec of Armis. "Every organisation must gain visibility over sanctioned and unsanctioned IoT devices in their environments."

Armis has released a bespoke vulnerability scanning app on the Google Play Store that can be used to identify impacted devices.

Youtube Video

In a statement, Google told El Reg it automatically released patches to people's devices to address the BlueBorne vulnerabilities some weeks ago:

Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild. As always, we appreciate researchers' efforts to help keep all users safe.

A spokesperson for Amazon, which released updates today for the Echo, told The Register its gizmos will also be automatically patched: "Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes."

In other words, by the time you read this, your AI chatty pal is already inoculated against BlueBorne. ®

Updated to add

A spokesperson for Google has been in touch to stress Homes have been updated in the field, and there is no need to manually update the gizmos.




Biting the hand that feeds IT © 1998–2018