Vulnerabilities. There's a new flavor of the week every few days, and in this highly connected world it's tough to keep up, whether you're a user who doesn't know which devices are vulnerable and which have been patched, or a company scrambling to fix one bug only to see the next one around the corner.
The BlueBorne vulnerabilities affect Bluetooth stacks and can be exploited to completely take over a device that merely has Bluetooth turned on, without pairing with it first and without any action from the user. Android patched them in September, but it appears that Amazon Echo and Google Home devices were left vulnerable for a while. Armis, the enterprise IoT security company that first discovered BlueBorne, made the news public yesterday, saying that 20M voice assistants (15M Echos and 5M Homes) had been found vulnerable. On the Echo, exploitation could lead to a complete takeover of the device, as shown in Armis's demonstration video; on the Home, it could lead to a denial of service of the device's Bluetooth communication. As a user, you couldn't do anything to avoid this, besides completely unplugging your devices of course, since neither device surfaces an option to turn Bluetooth on or off.
However, Armis relayed this information to both Amazon and Google before making the announcement public. This allowed the two companies to issue patches, with Google releasing the patch data to its partners as well (which I assume means other Assistant-enabled speakers?). If you own an Echo, Armis says your device is patched if it runs a version newer than v591448720, and if you own a Home, it should have been patched several weeks ago already.
We reached out to both Amazon and Google to verify and received statements from both companies. Here is Amazon's:
A fix has already started rolling out for this. Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes.
And here is Google's:
Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild. As always, we appreciate researchers’ efforts to help keep all users safe.
So at least in this case, you can rest a little easier knowing you don't have to do anything: your device should already be secured by an automatic update.
Airborne Cyber Threats Reach Amazon Echo and Google Home, Reveals IoT Security Company Armis
20M IoT Devices Putting Enterprises, Homes at Risk
/PRNewswire/ -- Armis, the enterprise IoT security company, today announced that popular voice-activated personal assistant devices, including the Amazon Echo and Google Home, were impacted by the BlueBorne vulnerabilities recently discovered by Armis researchers. By exploiting unpatched devices, hackers can take them over, spread malware, and establish a "man-in-the-middle" attack to gain access to critical data, personal information, traffic and networks. BlueBorne is especially dangerous because hackers can execute airborne attacks through any vulnerable Bluetooth-enabled device without having to fool users into clicking on malicious links, downloading a file, or interacting with them in any way.
In the first wave of BlueBorne vulnerabilities announced, Armis revealed that more than 5 billion devices were subject to attack. In this new phase, researchers have confirmed that the attack surface includes as many as 20 million Amazon Echo and Google Home devices running on Android and Linux. BlueBorne is the first severe airborne vulnerability found to affect the Amazon Echo; it doesn't require physical access to the device.
Device Demand Climbing
Amazon and Google voice-activated intelligent personal assistants have created a multibillion-dollar market. It is estimated that 15 million Amazon Echoes and 5 million Google Home devices have been sold, according to a September report by Consumer Intelligence Research Partners (CIRP). Additional estimates indicate that more than 128 million Echoes will be installed by 2020 and that they will drive more than $10 billion in revenue for the company by then.
"Burgeoning demand for digital personal assistants is expanding the avenues by which attackers can infiltrate consumers' lives to steal personal information and commit fraud," said Yevgeny Dibrov, CEO of Armis. "Consumers and businesses need to be aware how their devices are connecting via Bluetooth, and the networks they may be accessing, in order to take security precautions to protect their information."
In addition to Echo and Google-powered smart devices and assistants being present in consumers' homes around the world, both are making their way into business environments, with usage taking place from the boardroom to the copy room. Armis data shows that 82% of its customers have the Amazon Echo in their businesses. A 2016 survey from Spiceworks revealed that almost half of the IT professionals polled are either using intelligent assistants or will be within three years at their organizations. With the increased adoption of these devices, it becomes all the more critical that their interactions are secured.
"Rising airborne threats such as BlueBorne and KRACK are a wakeup call to the enterprise that traditional security simply cannot defend against new attack vectors that are targeting IoT and connected devices in the corporate environment," added Dibrov. "Every organization must gain visibility over sanctioned and unsanctioned IoT devices in their environments. If they don't, they'll be victimized by a breach that can lead to stolen identities for customers and employees, impact their bottom lines, and even cost top executives their jobs."
Armis coordinated the disclosure of these latest BlueBorne vulnerabilities directly with Google and Amazon ahead of making the discovery publicly known. This allowed the two companies to release appropriate security patches and updates before hackers gained knowledge of the vulnerabilities. Google has already released patches to its partners to address the BlueBorne vulnerabilities. Both Amazon and Google have released security updates for the Echo and Home respectively. Updates are automatic, and users do not have to do anything to get them.
Scanning App, Patching Available
To help consumers, device manufacturers and business users determine whether any devices in use are vulnerable to BlueBorne, Armis has released an app on the Google Play Store that can be used to identify impacted devices. It has been downloaded more than 260,000 times since its release in September.
For a video explanation of how BlueBorne works and may spread, click here.
For a video demonstration of BlueBorne impacting an Amazon Echo, click here.
For additional information, please visit https://www.armis.com/blueborne/.