A flaw in the Bluetooth protocol was recently disclosed that affects not only all mobile devices, including Android, iOS, Windows, and Linux, but also AI-based voice-activated personal assistants, including Google Home and Amazon Echo. This is alarming because these IoT devices are updated less frequently and are more vulnerable to BlueBorne.
What is BlueBorne?
It’s a sophisticated attack that exploits a total of eight Bluetooth implementation vulnerabilities. It allows an attacker to run malicious code, steal sensitive information, take complete control of a device, and launch man-in-the-middle attacks, all while staying undetected.
The primary reason it’s more alarming for IoT devices is that they control other devices, which could include your router, connected PC, smart home network, and so on. The infection can spread across them.
The Good news & the Bad news:
According to Hacker News, these Bluetooth vulnerabilities have already been patched by Google, Microsoft, Apple, and Linux.
Amazon Echo is affected by the following two vulnerabilities:
- A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)
- An information disclosure flaw in the SDP server (CVE-2017-1000250)
Since different Echo variants use different operating systems, other Echo devices are affected by the vulnerabilities found in either Linux or Android. Google Home devices, by contrast, are affected by one vulnerability:
- Information disclosure vulnerability in Android’s Bluetooth stack (CVE-2017-0785)
If you have used these Echo devices, you know there is no option to turn off Bluetooth. They are always available to be connected to, and hence the risk of attack could be higher for them. Here is a live demo of an Echo device being taken over:
Amazon Echo is Safe:
Both Google and Amazon have been notified about the finding, and they have released patches and issued automatic updates for the Amazon Echo and Google Home that fix the BlueBorne vulnerabilities.
If you have an Amazon Echo device, you should be running v591448720 or later. When I checked my Echo Dot version, it said “591552520”, which means it’s pretty much safe, though I am not sure when I received this update. Your best bet is to keep it connected to get the update if you haven’t got it yet.