Google and Amazon quietly rolled out patches to their respective smart speakers to plug a widespread set of Bluetooth flaws that also affected PCs and smartphones.
The two popular smart speakers, Google Home and Amazon Echo, were both affected by some of the eight Bluetooth bugs known collectively as BlueBorne. Google launched the $200 Home in Australia this July, and Amazon is expected to release the Echo locally this year.
Security firm Armis disclosed the Bluetooth bugs in September as patches were rolling out for Android, Windows, and Linux. Some of the flaws also affected iOS 10 and earlier. The impact ranged from remote code execution to denial of service, and affected each system differently depending on how Bluetooth was implemented in the OS.
Armis on Wednesday revealed that the bugs affected Home and Echo and disclosed the flaws after Google and Amazon had pushed out updates to their respective products. The bugs affected about 15 million Echo devices and five million Home devices.
It turns out two of the flaws affecting Samsung's Linux-based Tizen OS products, such as Smart TVs and the Gear S3 watch, also affected the Echo, thanks to BlueBorne's impact on the Linux kernel, which underlies Echo's Fire OS. One of the flaws is a remote code execution flaw, allowing an attacker to take full control of the device.
An attacker within Bluetooth range can use the flaw to compromise vulnerable devices if Bluetooth is enabled. Unlike phones and smart TVs, users have no way of disabling Bluetooth in Home or Echo.
Google Home was exposed to a separate BlueBorne bug that affected the Bluetooth stack in Android.
Exploitation could result in complete takeover of an Echo and a denial of service on Google Home’s Bluetooth capabilities.
Google recently issued firmware updates for its Home and Home Mini devices. Amazon users should ensure their devices are running a version above v591448720.
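As a practical check on the Echo advice above, here is an added example (not code from the article, Amazon or Armis) that turns "a version above v591448720" into a fleet check. It assumes Echo software versions are a single monotonically increasing integer, optionally prefixed with "v", as the one value on the page suggests, and it treats the threshold as strictly greater-than because that is how the article words it; whether v591448720 itself carries the fix is not stated here. The device inventory at the bottom is constructed sample data.

```python
import re

# Threshold taken from the article: Echo devices should run a version
# *above* v591448720. Strictly greater-than follows the article's wording;
# whether v591448720 itself is patched is not stated on the page (assumption).
PATCHED_ABOVE = 591448720

# Accepts "v591448720", "591448720", surrounding whitespace and an upper-case V.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\s*$", re.IGNORECASE)


def parse_echo_version(text: str) -> int:
    """Parse an Echo software version string into an integer.

    Assumption: Echo versions are one monotonically increasing integer.
    Anything else (dotted versions, empty strings) is rejected loudly rather
    than silently compared, so a malformed value can never look "patched".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Echo version string: {text!r}")
    return int(m.group(1))


def is_patched(text: str) -> bool:
    """True if the reported version is above the BlueBorne threshold.

    The comparison is numeric on purpose: comparing the raw strings would
    rank "v60000" above "v591448720" because '6' sorts after '5'.
    """
    return parse_echo_version(text) > PATCHED_ABOVE


def check_fleet(reports):
    """Return the names of devices that still need the update.

    `reports` is an iterable of (device_name, version_string) pairs.
    Malformed entries are reported as exposed rather than skipped, so a
    broken inventory record cannot hide an unpatched device.
    """
    exposed = []
    for name, version in reports:
        try:
            if not is_patched(version):
                exposed.append(name)
        except ValueError:
            exposed.append(name)
    return exposed


# Constructed sample inventory (hypothetical names and values, not real device data).
SAMPLE_REPORTS = [
    ("kitchen-echo", "v591448721"),   # above threshold: patched
    ("office-echo", "591448720"),     # equal to threshold: not "above", flagged
    ("lobby-echo", "v60000"),         # a string comparison would wrongly pass this
    ("lab-echo", "unknown"),          # unparseable: flagged, not ignored
]

if __name__ == "__main__":
    for name in check_fleet(SAMPLE_REPORTS):
        print(f"{name}: still exposed, update required")
```

The version string is read off each device by hand (or from whatever inventory you keep); the script only does the comparison, and the numeric parse is the part worth keeping, since the obvious string compare gets the "v60000" case backwards.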
The automatic push of patches to Home and Echo devices is unusual in the IoT world, where devices are often difficult to update even when the vendor provides a patch and has a way to tell end users about it.
There may be billions more devices affected in some way by the BlueBorne flaws. The Bluetooth Special Interest Group (SIG) estimates there are 8.2 billion Bluetooth capable devices, which include cars, medical devices, PC peripherals, wearables, and smart home products.
Armis points out that security flaws are frequently carried over from one platform to another due to the practice of code re-use for things such as Bluetooth implementations. In Home’s case, this was due to reusing Android’s Bluetooth stack. In the case of Samsung and Amazon, it was the Linux kernel implementation of Bluetooth that left both affected.