BlueBorne, a form of attack that exploited critical Bluetooth vulnerabilities impacting many mobile devices over the last few months, had also affected a huge number of voice-activated digital assistants such as Amazon Echo and Google Home, according to findings from IoT (Internet of Things) security platform, Armis. The BlueBorne attack vector was first discovered this September by the researchers at Armis Labs, threatening to infect devices running the Android operating system with either malware or ransomware through a Bluetooth vulnerability that could be used to transmit and install potentially damaging software even without pairing a handset with an infected device. Thankfully, Armis Labs was quick to release a vulnerability checker for Android designed to test whether or not a given device was susceptible to BlueBorne. A few months later, the same security research firm unearthed the same attack vector in another category of connected devices.
Smart speakers like Amazon Echo and Google Home were affected by BlueBorne because of the potentially susceptible code taken from the Android and Linux platforms, according to Armis, adding that it was difficult to detect the vulnerability because these devices lack constant monitoring and are closed sourced. Amazon Echo smart speakers in particular had two vulnerabilities, one being found in the Linux Kernel that could allow attackers to execute code remotely and the other in the SDP Server that could potentially leak confidential information. Meanwhile, Google Home devices ran the risk of having private information exposed to attackers through a vulnerability found in Android’s Bluetooth stack. Armis noted that the vulnerabilities were even further made worse by the fact that the smart speakers could not be installed with antivirus and that it is impossible to switch the Bluetooth off due to their limited interface.
For users of these connected devices, there is no need to do anything to try addressing the vulnerabilities since Armis had brought the attention of Amazon and Google to it, prompting the two giant companies to issue automatic updates to their respective smart speakers. Users of Amazon Echo in particular can rest assured that their smart speaker is free from the vulnerability by seeing to it that it has been updated to the latest version v591448720, which would indicate that a patch has been rolled out to their device.