Naked Security

Amazon Echo and Google Home patched against BlueBorne threat

The attack doesn't require the targeted device to be paired to the attacker’s device, or to be in discoverable mode

The Amazon Echo and Google Home are being marketed to the world as the “smart speakers” to put helpful, voice-assisted Internet of Things (IoT) AI into people’s homes.

This week we had wearying confirmation that they also, less helpfully, distribute the same security failings into people’s homes as every other device.

Specifically, Amazon and Google have quietly patched flaws in these devices to protect them against BlueBorne, a haul of eight Bluetooth security vulnerabilities reported by Armis Labs in September:

BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode.

Nobody knew Amazon’s and Google’s products were affected until Armis announced the following issues, which mercifully should already have been patched automatically for the Echo’s 15 million users and the Google Home’s five million:

For the Echo range:

  • A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)
  • An information leak in the SDP (Service Discovery Protocol) Server (CVE-2017-1000250)

If left unpatched, the first of these can allow an attacker to gain full control of an Echo device (demonstrated in a proof-of-concept video), while the second exposes it to what Armis described as a Heartbleed-style attack on the encryption keys used to secure wireless communication.

Updated Echo devices will be running software version 591448720, which can be checked by following the company’s instructions.

For Google Home:

  • An information leak vulnerability in the Android Bluetooth stack (CVE-2017-0785) that could be used to run a DoS (Denial of Service) attack on the device.

The updated Google Home software version is 1.28.99956 (1.28.100429 for the Home Mini). Instructions on how to find this are on Google’s support pages.
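For anyone keeping track of several of these speakers, the comparison against the patched builds quoted above can be scripted. The following is an added example, not code from Armis, Amazon or Google; it assumes later builds carry numerically higher version numbers, and the model labels and inventory rows are constructed for illustration.

```python
# Patched builds as quoted in the article; the model labels are this example's own.
PATCHED = {
    "echo": "591448720",
    "google-home": "1.28.99956",
    "google-home-mini": "1.28.100429",
}

def parse_version(text):
    """Turn '1.28.99956' into (1, 28, 99956) so fields compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def audit(inventory):
    """Map each device name to 'patched', 'needs update' or an 'unknown ...' status."""
    results = {}
    for name, model, version in inventory:
        baseline = PATCHED.get(model)
        if baseline is None:
            results[name] = "unknown model"
            continue
        try:
            current = parse_version(version)
        except ValueError:
            # A blank or malformed reading is not evidence of a patch.
            results[name] = "unknown version"
            continue
        # Assumption: a build at or above the quoted one includes the fix.
        patched = current >= parse_version(baseline)
        results[name] = "patched" if patched else "needs update"
    return results

# Constructed inventory: (device name, model label, reported software version).
INVENTORY = [
    ("lobby-echo", "echo", "591448720"),
    ("kitchen-echo", "echo", "500000000"),        # constructed older build
    ("boardroom-home", "google-home", "1.28.99956"),
    # Compared as plain strings, "1.28.99956" sorts above "1.28.100429" and
    # this Mini would wrongly pass; compared numerically it does not.
    ("desk-mini", "google-home-mini", "1.28.99956"),
    ("lab-home", "google-home", ""),              # version could not be read
    ("door-cam", "camera", "2.0"),                # model with no baseline here
]

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:16} {status}")
```
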

Armis has also released a Google Play Store app that will scan for devices vulnerable to BlueBorne.

In fairness to Amazon and Google, BlueBorne is a family of vulnerabilities affecting a technology used by huge numbers of Bluetooth devices across many product classes, including computers, phones and other IoT devices.

What this episode hints at is the potential damage a vulnerability in this kind of device (now being bought by businesses as well as home users) could cause, were it successfully exploited.

Take for instance last month’s glitch in Google’s Home Mini that caused a device to secretly record its owner’s conversations for two days. That was a product design issue but the surveillance potential of these devices was being spelled out.

Armis is also worried about the general sprawl of the Internet of Things itself:

Unlike in the PC and mobile world, in which two or three main OSs control the absolute majority of the market, for IoT devices, no such dominant players exist.

The point being that in a fragmented market, vendors can struggle to work out whether an issue affects them or not.

Perhaps, then, the Echo and Home are at the positive end of the spectrum because, unlike too many IoT devices, at least they can be updated without the user having to do anything. But what happens when they are declared obsolete a few years from now and their makers have moved on to greater things?

History tells us that some of the Echo and Home speakers being bought today will still be out there somewhere. The simple but troubling truth is that while these always-listening products will eventually become obsolete, their vulnerabilities will hang around indefinitely.