Monday, November 20, 2017

Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices

A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo.

Remember BlueBorne?

As predicted during the discovery of this devastating threat, several IoT and smart devices, whose operating systems are often updated less frequently than those of smartphones and desktops, are also vulnerable to BlueBorne.

BlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks.

What's worse? Triggering the BlueBorne exploit does not require victims to click any link or open any file; it works without any user interaction. Also, most security products would likely not be able to detect the attack.

What is even scarier is that once an attacker gains control of one Bluetooth-enabled device, he/she can infect any or all devices on the same network.

These Bluetooth vulnerabilities were patched by Google for Android in September, Microsoft for Windows in July, Apple for iOS one year before disclosure, and Linux distributions shortly after disclosure.

However, many of these five billion devices are still unpatched and open to attacks through these flaws.

20 Million Amazon Echo & Google Home Devices Vulnerable to BlueBorne Attacks

IoT security firm Armis, who initially discovered this issue, has now disclosed that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities.

Broken down, that is around 15 million Amazon Echo and 5 million Google Home devices sold across the world that are potentially at risk from BlueBorne.

Amazon Echo is affected by the following two vulnerabilities:

  • A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)
  • An information disclosure flaw in the SDP server (CVE-2017-1000250)

Since different Echo variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android.

Google Home devices, meanwhile, are affected by one vulnerability:

  • Information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785)

This Android flaw can also be exploited to cause a denial-of-service (DoS) condition.

Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within range of an affected device can easily launch an attack.

Armis has also published a proof-of-concept (PoC) video showing how they were able to hack and manipulate an Amazon Echo device.

The security firm notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that address the BlueBorne attacks.

Amazon Echo customers should confirm that their device is running v591448720 or later, while Google has not yet made any information available regarding its version.
