BlueBorne Exploit Could Have Exposed 20 Million Amazon Echo And Google Home Devices To Bluetooth Attacks

We first got a glimpse at the BlueBorne vulnerability back in September, when it was revealed that the Bluetooth-based attack vector was exploitable on phones, computers, and IoT devices -- basically, anything with a Bluetooth radio. BlueBorne was especially nasty since it is capable of man-in-the-middle attacks and remote code execution.

It was initially revealed that both Windows- and iOS-based devices had been updated to defend against BlueBorne, while Android device manufacturers should have already delivered updates to address the exploit. However, we're now learning about another category of devices that are susceptible to BlueBorne's nefarious deeds: digital AI assistants.


According to cybersecurity firm Armis, both the Amazon Echo and Google Home could be exploited with existing BlueBorne vulnerabilities (there are eight in total). In the case of the Amazon Echo, those include CVE-2017-1000251 and CVE-2017-1000250. On the Google Home side of things, it is vulnerable to CVE-2017-0785.

There are roughly 15 million Amazon Echo and 5 million Google Home devices out in the wild according to Consumer Intelligence Research Partners (CIRP), and Armis says that BlueBorne represents the first "severe" over-the-air vulnerability that has infiltrated the Amazon Echo. It is especially troubling considering that once hackers are able to wrest control of a Bluetooth-enabled device, its tentacles can then spread to other vulnerable devices on a connected network.

"Burgeoning demand for digital personal assistants is expanding the avenues by which attackers can infiltrate consumers' lives to steal personal information and commit fraud," said Armis CEO Yevgeny Dibrov. "Consumers and businesses need to be aware how their devices are connecting via Bluetooth, and the networks they may be accessing, in order to take security precautions to protect their information."

If there's any good news out of this latest BlueBorne case, it is that Armis disclosed the vulnerabilities to both Amazon and Google ahead of time, giving them the opportunity to push updates out to devices. Since updates to Amazon Echo and Google Home devices are pushed automatically without user intervention, you should now be protected against BlueBorne.

However, there's no way to determine how many devices may have been affected during the period from before BlueBorne was first publicly disclosed this summer until the software patches were released.