Video: Google's tech to woo Bluetooth device makers
Google and Amazon have rolled out patches for their respective smart home speakers, Home and Echo, to plug the widespread Bluetooth flaws known as BlueBorne.
BlueBorne, a set of eight Bluetooth flaws, was already known to affect billions of phones and computers running iOS, Android, Windows, and Linux. The flaws were discovered by security vendor Armis, which now warns that the flaws in Home and Echo could be used as an entry point to attacking other devices with malware.
An attacker would need to be in Bluetooth range but can use the flaws to attack any device with Bluetooth enabled without pairing with it.
According to Armis, Amazon has provided an update to around 15 million Echo devices and Google has patched five million Google Home devices.
BlueBorne had a more serious impact on Echo than it did on Home. The Echo was vulnerable to a remote code execution vulnerability in its Linux kernel, and an information leakage flaw in its SDP Server.
Google Home was affected by an information leakage flaw in Android's Bluetooth stack. An attacker could use the flaws to own an Echo, and prevent Home's Bluetooth communications from functioning.
Armis says a survey it conducted found that 82 percent of companies had an Echo within their corporate environment. It warns that these devices could serve as a beachhead into the corporate network.
Though Armis didn't mention that Echo and Home were affected in its initial disclosure, the company said all Bluetooth devices, including IoT products, may be affected depending how their manufacturers implemented Bluetooth.
The Bluetooth SIG estimates 8.2 billion devices have Bluetooth integrated, spanning vehicles, medical devices, wearables, and Bluetooth beacons used in retail.
Some examples of Linux IoT devices that Armis has confirmed are affected by BlueBorne include Samsung's Tizen-based Gear S3 watch, Samsung Smart TVs, and Samsung Family Hub smart fridge.
Worryingly, Armis notified Samsung on three occasions before its September disclosure, but claims never to have received a response from the company. Google, Microsoft, and Linux have addressed the issue. Only pre-iOS 10 Apple products were affected.
One feature of Home and Echo that make BlueBorne potentially more dangerous is that there's no way to turn off Bluetooth.