Over 20 million Amazon Echo and Google Home devices running on Android and Linux are vulnerable to attacks via the BlueBorne vulnerability, IoT cyber-security firm Armis announced today.
Both Amazon and Google have issued patches for the affected products, hence today's disclosure from Armis.
BlueBorne is a set of eight vulnerabilities in the Bluetooth implementations deployed on Android, iOS, Microsoft, and Linux. Affected OS makers and several IoT device makers issued updates in mid-September to address the flaws.
BlueBorne allows attackers to take over devices that have Bluetooth enabled and run malicious code on the underlying OS or firmware.
The initial BlueBorne announcement did not mention personal home assistants as being vulnerable, although an attacker who put some of the clues together could have deduced that BlueBorne could be used to attack a wide range of devices that rely on Bluetooth communications and that were not mentioned in Armis' initial disclosure.
In research published today, Armis said it successfully exploited Amazon and Google voice-activated intelligent digital assistants. Amazon Echo is vulnerable to CVE-2017-1000251 and CVE-2017-1000250, while Google Home is vulnerable to CVE-2017-0785. The company also released a video.
Armis researchers pointed out that 82% of companies that use its IoT cyber-security protection platform also have an Amazon Echo on their network.
Experts are now warning companies to patch Amazon Echo and Google Home devices to prevent attackers from taking over vulnerable equipment and using it to record nearby conversations or as a pivot point for other more damaging hacks. For Amazon Echo customers, the patched version is v591448720. There's no information available on the Google Home patched version.
A 2016 survey from Spiceworks revealed that almost half of IT professionals polled in the study were either using voice-driven assistants or were intending to buy one sometime in the next three years.
Back in September, Armis released an Android app to scan for BlueBorne-vulnerable devices, and later released proof-of-concept exploit code on GitHub that security researchers could use to test if their personal or work devices are vulnerable to one of the eight BlueBorne flaws.
The easiest way to prevent BlueBorne attacks is to patch devices or disable the Bluetooth function.
A technical report on the BlueBorne flaws is available here. A video describing the BlueBorne attack is also available.