Around 20 million Google Home and Amazon Echo digital assistants have received a firmware update that patches critical vulnerabilities in their implementation of Bluetooth communication. The two devices are affected by different security bugs, which could lead to full compromise or to breaking the Bluetooth capabilities in the product, without physical access.
The problems are part of a set of eight vulnerabilities disclosed in mid-September, collectively known as BlueBorne, that impact the Bluetooth protocol in billions of devices running Android, Windows, Linux and iOS. The errors are severe and could allow a hacker to take control of unpatched products, gain a foothold on the network and try to access critical data, traffic and personal information, or spread malware.
In a blog post last week, security researchers from Armis said Amazon Echo is affected by two vulnerabilities from the BlueBorne stack, one causing remote code execution and another leading to an information leak. They also released a video showing how they gained access with the highest privileges to an Echo and managed to reprogram Alexa’s response. The result? The attacker said the wake word and Alexa replied by stating her name and saying “I have been hacked. Take me to your leader.”
“It is also worth mentioning that this is the first severe remote vulnerability found to affect the Amazon Echo, which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack,” reads a blog post from Armis.
In the case of Google Home, the bug is an information leak that could be used to break the device’s Bluetooth communication, which may cause more trouble to some users than others. Google Home uses Bluetooth to stream audio from a laptop phone or tablet, but it also takes the role of a smart home hub and sends commands to compatible devices in the house, some of them communicating over Bluetooth.
Both Google and Amazon were informed of the vulnerabilities before the research was published and pushed security updates to fix the issues. Affected devices received the new software automatically, without user intervention.
Credit: Armis
tags
September 06, 2024
September 02, 2024
August 13, 2024