Last week, security firm Armis revealed that as many as 15 billion Amazon Echo devices and five billion Google Home speakers may be subject to external attack due to BlueBorne vulnerabilities. Because these devices are unmanaged and closed source, users are unaware that their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.
Armis first disclosed the Bluetooth vulnerabilities, dubbed BlueBorne, in September, when a number of serious security flaws were discovered to be affecting Bluetooth devices. Now, BlueBorne is plaguing billions of voice-activated IoT devices. According to researchers, Amazon Echo is susceptible to two primary vulnerabilities related to BlueBorne: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information leak vulnerability in the SDP server (CVE-2017-1000250). Other Alexa-powered products are affected by either the vulnerabilities found in Linux or those discovered in Android, since different devices use different variants of the operating systems. Google Home devices are affected by one vulnerability: an information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785). These vulnerabilities can lead to a complete takeover of the device in the case of the Amazon Echo, or to a denial of service (DoS) of the Home’s Bluetooth communications.
Because of their limited UI, there is no way to turn Bluetooth off on these devices, as is the case with many IoT devices such as smart TVs. The devices are constantly listening to Bluetooth communications, and there is no way to put antivirus on them. Using BlueBorne, hackers can take control of the device and use it for a wide range of malicious purposes, including spreading malware, stealing sensitive information and more.
While previous vulnerabilities were found at the protocol level of Bluetooth, BlueBorne resides at the implementation level, making it deeper and more serious than other vulnerabilities. This also makes BlueBorne the most severe attack on IoT devices to date. In response to the vulnerabilities, Armis worked with Google, Microsoft, Apple, and Linux on the disclosure process to ensure that patches were available when the vulnerability was made public. The patches were deployed as part of an automatic update, so as long as the device is plugged in and connected to the internet, it should have received the update.
IoT devices are not only more prevalent today, but are also subject to more attack vectors, with little to no protection. The airborne attack vector poses a severe threat to all IoT devices, and is particularly threatening because it is completely overlooked by traditional security measures. Users and businesses should treat IoT devices like any other device in their network and implement proper protections as best they can.