​Google Home and Amazon Echo hit by big bad Bluetooth flaws

Google and Amazon patch 20 million smart speakers that were vulnerable to serious Bluetooth attack.
Written by Liam Tung, Contributing Writer

Video: Google's tech to woo Bluetooth device makers

Google and Amazon have rolled out patches for their respective smart home speakers, Home and Echo, to plug the widespread Bluetooth flaws known as BlueBorne.

BlueBorne, a set of eight Bluetooth flaws, was already known to affect billions of phones and computers running iOS, Android, Windows, and Linux. The flaws were discovered by security vendor Armis, which now warns that the flaws in Home and Echo could be used as an entry point to attacking other devices with malware.

An attacker would need to be in Bluetooth range but can use the flaws to attack any device with Bluetooth enabled without pairing with it.

According to Armis, Amazon has provided an update to around 15 million Echo devices and Google has patched five million Google Home devices.

BlueBorne had a more serious impact on Echo than it did on Home. The Echo was vulnerable to a remote code execution vulnerability in its Linux kernel, and an information leakage flaw in its SDP Server.

Google Home was affected by an information leakage flaw in Android's Bluetooth stack. An attacker could use the flaws to own an Echo, and prevent Home's Bluetooth communications from functioning.

Armis says a survey it conducted found that 82 percent of companies had an Echo within their corporate environment. It warns that these devices could serve as a beachhead into the corporate network.

Though Armis didn't mention that Echo and Home were affected in its initial disclosure, the company said all Bluetooth devices, including IoT products, may be affected depending how their manufacturers implemented Bluetooth.

The Bluetooth SIG estimates 8.2 billion devices have Bluetooth integrated, spanning vehicles, medical devices, wearables, and Bluetooth beacons used in retail.

Some examples of Linux IoT devices that Armis has confirmed are affected by BlueBorne include Samsung's Tizen-based Gear S3 watch, Samsung Smart TVs, and Samsung Family Hub smart fridge.

Worryingly, Armis notified Samsung on three occasions before its September disclosure, but claims never to have received a response from the company. Google, Microsoft, and Linux have addressed the issue. Only pre-iOS 10 Apple products were affected.

One feature of Home and Echo that make BlueBorne potentially more dangerous is that there's no way to turn off Bluetooth.

Amazon Echo devices on a version newer than v591448720 have received the patch. Details about the current firmware versions for the Home and Home Mini are available on Google's Home support page.


The BlueBorne flaws had a more serious impact on Amazon's Echo than on Google's Home.

Image: CNET

Previous and related coverage

Security flaws put billions of Bluetooth phones, devices at risk

It's thought to be the most widescale set of vulnerabilities based on the number of devices affected, hitting Windows desktops, Android devices, older iPhones and iPads, and smart devices.

Linux gets blasted by BlueBorne too

BlueBorne is a set of Bluetooth security holes that just keeps on hitting. Besides smartphones and Windows, it seriously impacts Linux desktops and servers.

Cloud security and IoT are the new peanut butter and jelly [Tech Pro Research]

For enterprises using cloud services with IoT, it's critical to adhere to as many security practices as possible. Experts weigh in on the best approaches to take.

Read more about Amazon Echo and Google Home

Editorial standards