Over 20 million Amazon Echo and Google Home smart speakers have been found to be vulnerable to the BlueBorne Bluetooth security flaw. The flaw was first discovered back in September by security firm Armis.
The vulnerability was originally thought to be isolated to Android smartphones or PCs with Bluetooth capabilities but has now been found to affect digital assistants and AI smart speakers, according to Armis.
What is a BlueBorne attack?
A BlueBorne attack can be executed by exploiting eight separate Bluetooth security vulnerabilities, which makes the attack harder to defend against and prevent. The vulnerabilities that allow hackers to gain access to Google and Amazon devices are CVE-2017-1000251 and CVE-2017-1000250 on Amazon devices and CVE-2017-0785 on Google Home devices.
Armis has called BlueBorne the first ‘severe’ vulnerability to affect smart speakers, as the attack is ‘virtually invisible to traditional security solutions,’ and because, once a smart speaker has been compromised, the vulnerability opens a connection to spread to other devices.
The severity extends to what the attacker can access and take from the device once they have bypassed security. Data such as purchasing information as well as other sensitive and personal information can be transferred to an attacker in addition to the entire control of the device being handed over to the person behind the attack.
Transmission of personal data over Wi-Fi to an attacker's server can be made more difficult by using VPN services, either on the device itself or on your home router. Many VPN services now have built-in malware, trojan and suspicious website recognition and protection. In most cases, this can effortlessly encrypt and block attempts to upload your data to a server that has been deemed suspicious by a VPN provider, but it is not a surefire way to protect your data. ExpressVPN and NordVPN are two leading VPN service providers that we have personally used and would recommend.
It has also been assumed that this could result in attackers building an ‘army’ of infected devices to be used in a global DDoS attack to take major websites offline, although this is currently just speculation.
The Good News
Despite the fact that the vulnerability is exceptionally serious, there is some good news. As Armis provided details of the vulnerabilities to both Google and Amazon before making their findings public, it gave the companies time to push out security updates to their smart speakers.
Amazon stated in a press release that: “A fix has already started rolling out for this. Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes.”
Google also stated: “Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild.”
This is great news for anyone who may be concerned that their device’s security may have been compromised.
Amazon Echo users should check to ensure their device is running software version v591448720 or later. Google has not yet released information on which update contains its BlueBorne patch.