Billions of voice-activated Internet of Things devices may be subject to external attack due to BlueBorne vulnerabilities,Armis revealed on Wednesday.
Hackers could exploit BlueBorne to mount an airborne attack, using Bluetooth to spread malware and access critical data, including sensitive personal information.
More than 20 million Amazon Echo and Google Home digital assistant speakers could have been impacted by the flaws, but both Amazon and Google already have taken the matter in hand.
Amazon customers don’t need to take any action, as its devices will be updated automatically with the needed security fixes, said spokesperson Sarah Sobolewski.
“Customer trust is important to us, and we take security seriously,” she told TechNewsWorld.
Google users also need not take any action, as Google Home was patched several weeks ago, the company said.
Neither Google nor Armis have found any evidence of BlueBorne in the wild.
BlueBorne Attack Scenario
The BlueBorne vulnerabilities could allow a man-in-the-middle attack, which would enable hackers to access personal data even if users don’t visit any malicious sites, download any suspicious file attachments, or take any other direct action to enable it.
“We discovered the Bluetooth vulnerability while doing research into Bluetooth connectivity and vulnerabilities of Linux-based IoT devices,” said Nadir Israel, CTO of Armis.
The firm’s researchers initially found the info leak and remote code execution vulnerability, and then tested Android, Windows and iOS devices to confirm the issues, he told TechNewsWorld. They identified eight vulnerabilities, four of them critical.
The Bluetooth vulnerabilities are the most severe to date, Israel said. While previous vulnerabilities were found at the protocol level of Bluetooth, BlueBorne resides at the implementation level, making it deeper and more serious than the others.
Armis worked with Google, Microsoft, Apple and Linux on the disclosure process to make sure patches were made available when the vulnerability was made public.
The researchers originally found that all Linux devices from 3.3 rc1, released six years ago, were affected. However, additional research found that devices dating back to version 2.6.32 from July 2009 to version 4.14 were impacted.
One critical point is that BlueBorne could become a “forever day” point of exposure, because Linux-based IoT devices have no clear upgrade path to address the vulnerability.
IoT and intelligent home devices have been a growing area of concern for cybersecurity professionals, in part because of the sensitive nature of the tasks that smart home devices engage in — for example, making sure homes are properly secured.
Consumers should be wary of in-home devices, suggested Andrew Howard, chief technology officer at Kudelski Security.
“Smarter and more feature-rich devices inherently mean enhanced security risks for the consumer,” he told TechNewsWorld. “These devices track, store and share more data than the average user understands, and vulnerabilities are inevitable.”
Amazon Echo and Google Home are the two leading devices in the exploding category of smart speakers — voice-controlled devices that can answer questions, play music, read news, give horoscopes and, perhaps most importantly, act as hubs for a growing list of IoT devices in the home that use artificial intelligence to control security and energy use, run home appliances, and perform remote operations like starting automobiles.
Amazon Echo and Google Home account for about 27 million devices in the U.S. smart speaker market, with Amazon controlling about 73 percent, or 20 million devices, according to research Consumer Intelligence Research Partners released last week.
The installed base grew about 7 million — from 20 million to 27 million — in the most recent quarter, the report shows.
The entire smart speaker installed base in the U.S. consisted of about 5 million Amazon Echos just last year. The market now is set to be flooded with devices, ranging from the high-end Apple HomePod to a new device from Microsoft and Harman Kardon called “Invoke,” and a new device from Lenovo.
Amazon and Google plan several new additions to their lines, ranging from high-end smart speakers for audiophiles to mass market devices that will be more portable or expand the system within the home.
The BlueBorne vulnerabilities likely won’t have much of an impact on demand for smart speakers going forward, said Mark Beccue, principal analyst at Tractica.
“Hackers will hack, and over time security folks will have to work to protect this new interface,” he told TechNewsWorld, “but there is nothing inherently different about it than other interfaces to make it more susceptible.”