Vulnerabilities. There's a new flavor of the week every few days, and in this highly connected world it's tough to keep up, whether you're a user who doesn't know which of your devices are vulnerable and which have or haven't been patched, or a company scrambling to fix one bug only to see the next one around the corner.

The BlueBorne vulnerability affected Bluetooth devices and could be exploited by hackers to completely take over a device with Bluetooth just turned on, without pairing with it first. Android patched it in September, but it appears that Amazon Echo and Google Home devices were left vulnerable for a while. Armis, the enterprise IoT security company that had first discovered BlueBorne, made the news public yesterday, saying that 20M voice assistants (15M Echos and 5M Homes) had been found vulnerable, which if exploited could lead to a complete takeover of the Echo, as shown in the video below, or a DoS of the Home's Bluetooth communication. As a user, you couldn't do anything to avoid this, besides completely unplugging your devices of course, since neither device surfaces an option to turn the Bluetooth connection on or off.

However, Armis relayed this information to both Amazon and Google before making the announcement public. This allowed the two companies to issue patches, with Google releasing the patch data to its partners as well (which I assume means other Assistant-enabled speakers?). If you own an Echo, Armis says your device will be patched if it runs a version newer than v591448720, and if you own a Home, it should have been patched several weeks ago already.

We've reached out to both Amazon and Google to verify and got statements from both companies. Here is Amazon:

A fix has already started rolling out for this. Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes.

And here is Google:

Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild. As always, we appreciate researchers’ efforts to help keep all users safe.

So at least in this case, you can rest a little easy knowing you don't have to do anything and your device should be secured with an automatic update.
