Intelligent speaker vendors forced to patch up AI-enabled voice assistants after devices shown to be vulnerable to BlueBorne virus.
Back in September, we reported how researchers at IT security company Armis had revealed the existence of an ‘airborne’ IoT malware called BlueBorne.
The flaw was shown to affect many devices using Bluetooth connectivity – from smartphones to medical devices – potentially enabling hackers to take control of them and spread the malware ‘over the air’ to other vulnerable systems.
Now, researchers at Armis have issued an update revealing that the flaw also affects Amazon Echo and Google Home voice assistants.
“Since these devices are unmanaged and closed source, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android,” they write.
Amazon Echo and Google Home
According to the update, the Amazon Echo devices are affected by two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information leak vulnerability in the SDP server (CVE-2017-1000250).
Google Home devices, meanwhile, are affected by one such vulnerability: an information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785).
“These vulnerabilities can lead to a complete takeover of the device in the case of the Amazon Echo, or lead to DoS of the Home’s Bluetooth communications,” said Armis.
The researchers note that this is the first severe remote vulnerability found to affect the Amazon Echo, “which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack.”
The researchers said Armis alerted both Amazon and Google to the findings, and both vendors have issued automatic updates for the Amazon Echo and Google Home.
“Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes,” said Amazon in a statement.
Armis CTO speaks out
In an interview with US IT publication e-Week, Nadir Izrael, co-founder and CTO of Armis Security, said that organisations can find themselves full of devices that basically have open microphones that can “listen to everything and the organisation has no idea they are even there”.
That’s a problem, he explained, because these devices are constantly listening to Bluetooth communications. There’s no way to put an agent or antivirus software on them and, given their limited user interface, there is no way to turn their Bluetooth off, as can be done with many other IoT devices in the home, such as smart TVs.
“With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes; including spreading malware, stealing sensitive information and more,” said Izrael.
And the problems aren’t confined to homes. A recent survey by Armis of its clients showed that over four-fifths (82 percent) have at least one Amazon Echo in their corporate environment, “sometimes in very sensitive environments.” In many cases, corporate IT may not even be aware that these devices are attached to the network.