IoT security firm Armis reported in September that billions of Android, iOS, Windows and Linux devices using Bluetooth had been exposed to a new attack that can be carried out remotely without any user interaction.
A total of eight Bluetooth implementation vulnerabilities allow a hacker who is in range of the targeted device to execute arbitrary code, obtain sensitive information, and launch man-in-the-middle (MitM) attacks. There is no need for the victim to click on a link or open the file in order to trigger the exploit, and most security products would likely not detect an attack.
Google patched the vulnerabilities affecting Android in September and Microsoft released fixes for Windows in July. Apple had already addressed the issue in iOS one year prior to disclosure, and Linux distributions released updates shortly after disclosure.
However, Armis has now revealed that the voice-activated personal assistants Google Home and Amazon Echo are also vulnerable to attacks leveraging the BlueBorne flaws.
Echo is affected by a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information disclosure bug in the SDP server (CVE-2017-1000250). Google Home is exposed to attacks by an information leakage issue affecting Android’s Bluetooth implementation (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since the Bluetooth feature cannot be disabled on either of the devices, attackers can easily launch an attack as long as they are in range. Armis has published a video showing how an Amazon Echo device can be hacked and manipulated by a remote attacker:
The security firm pointed out that this is the first remote attack demonstrated against Echo. An attack method was previously described by MWR, but it required physical access to the device.
Amazon Echo and Google Home represent 99 percent of the U.S. market for voice-controlled personal assistants, with 15 million and 5 million units sold, respectively. This normally indicates a significant number of potential victims, including many enterprises that use these products. However, Armis has notified Google and Amazon of the vulnerabilities and both companies released patches that have likely reached a majority of devices via automatic updates.
“The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated,” Armis researchers said. “However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates - potentially leaving them susceptible to attacks indefinitely.”
Armis has released an Android app that is designed to help users identify vulnerable devices.