Security Update Fixes Smart Speaker Vulnerability

Amazon and Google have rolled out security updates for their Echo and Home smart speakers to prevent a flaw in Bluetooth known as BlueBorne from making the speakers vulnerable to malicious attacks, according to press reports.

The flaw, uncovered earlier this year by researchers at IoT security firm Armis Labs, affects billions of Bluetooth-enabled devices.

Amazon has provided an update to around 15 million Echo smart speakers and Google has patched 5 million Google Home devices, according to a ZDNet report.

From the report:

BlueBorne had a more serious impact on Echo than it did on Home. The Echo was vulnerable to a remote code execution vulnerability in its Linux kernel, and an information leakage flaw in its SDP Server.

Google Home was affected by an information leakage flaw in Android's Bluetooth stack. An attacker could use the flaws to own an Echo, and prevent Home's Bluetooth communications from functioning.

Armis says a survey it conducted found that 82 percent of companies had an Echo within their corporate environment. It warns that these devices could serve as a beachhead into the corporate network.

Though Armis didn't mention that Echo and Home were affected in its initial disclosure, the company said all Bluetooth devices, including IoT products, may be affected depending on how their manufacturers implemented Bluetooth.

The Bluetooth SIG estimates 8.2 billion devices have Bluetooth integrated, spanning vehicles, medical devices, wearables, and Bluetooth beacons used in retail.

Some examples of Linux IoT devices that Armis has confirmed are affected by BlueBorne include Samsung's Tizen-based Gear S3 watch, Samsung Smart TVs, and Samsung Family Hub smart fridge.

Worryingly, Armis notified Samsung on three occasions before its September disclosure, but claims never to have received a response from the company. Google, Microsoft, and Linux have addressed the issue. Only pre-iOS 10 Apple products were affected.

One feature of Home and Echo that makes BlueBorne potentially more dangerous is that there's no way to turn off Bluetooth.

Amazon Echo devices on a version newer than v591448720 have received the patch. Details about the current firmware versions for the Home and Home Mini are available on Google's Home support page.
