IoT security company Armis has released a report which finds that an estimated 20 million personal assistant devices may be vulnerable to an attack from BlueBorne, which exploits a vulnerability in Bluetooth-dependent technology to mine personal data and completely take over a device. The primary targets reported as at risk are the Amazon Echo and Google Home personal assistants, whose operating systems, borrowed from Linux and Android respectively, contained flaws which have since been patched. These vulnerabilities allowed hackers, in some cases, to completely ‘take over’ the devices, which are capable of monitoring sensitive conversations and hold data thought by most users to be private.
In the case of the Amazon Echo, the vulnerabilities include a ‘remote code execution vulnerability’ and an ‘information leak vulnerability’ arising from its Linux OS. Google Home devices contain an ‘information leak vulnerability’ which arises from Android’s Bluetooth stack, according to the report. Armis offers a BlueBorne Vulnerability Scanner, and updates have been issued for the Google Home, Amazon Echo, and Samsung Galaxy devices which are said to make them less susceptible to a hack. These steps may have come too late, however, for the estimated 20 million users left vulnerable to breach.
The estimated 15 million users of compromised Amazon Echo devices, in addition to 5 million Google Home owners, have divulged personal details and asked embarrassing questions to their Bluetooth-connected personal assistants. They will likely be alarmed at the ease with which experienced hackers would have been able to gain access to their information and even reprogram Alexa’s responses in the creepiest of fashions. Armis reported that they forwarded the results of their findings to Google and Amazon before issuing a public report.
Amazon responded with a statement which read, ‘A fix has already started rolling out for this. Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes.’
Google similarly assured their customers that, ‘Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild. As always, we appreciate researchers’ efforts to help keep all users safe.’
For customers who assumed that their devices would be safe from the point of initial purchase, it’s unclear how reassuring such statements may be.