Following the disclosure of the BlueBorne attack vector this past September, Armis discovered that critical Bluetooth vulnerabilities impact the Amazon Echo and Google Home. These new IoT voice-activated Personal Assistants join the extensive list of affected devices. Personal Assistants are rapidly expanding throughout the home and workplace, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold. Since these devices are unmanaged and closed sourced, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.
Which BlueBorne Vulnerabilities Impact the Devices?
Amazon Echo devices are affected by two vulnerabilities:
- Remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251)
- Information leak vulnerability in the SDP Server (CVE-2017-1000250)
Other Echo products are affected by either the vulnerabilities found in Linux or those discovered in Android, since different Echo's variants use different OSs.
Google Home devices are affected by one vulnerability:
- Information leak vulnerability in Android' Bluetooth stack (CVE-2017-0785)
These vulnerabilities can lead to a complete take over of the device in the case of the Amazon Echo, or lead to DoS of the Home' Bluetooth communications.
What Is The Risk?
These devices are constantly listening to Bluetooth communications. There is no way to put an agent/antivirus on these devices. And given their limited UI, there is no way to turn their Bluetooth off - as is the case of other IoT devices (Smart TVs for example). With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes; including spreading malware, stealing sensitive information and more.
According to a recent survey of Armis clients and deployments, 82% of companies (including the F1000 and G2000) have an Amazon Echo device in their corporate environment. In many cases, Corporate IT may not be aware that these IoT devices are even on the network.
Given that airborne attacks are virtually invisible to traditional security solutions, a hacker only needs to exploit one device to penetrate further into a network or spread to other devices.
It is also worth mentioning that this is the first severe remote vulnerability found to affect the Amazon Echo, which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack.
Updates Have Been Provided
Armis has notified both Amazon and Google about the findings, and both companies have issued automatic updates for the Amazon Echo and Google Home.
"Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes," says Amazon.
Amazon Echo users can verify that their devices are using a version that is newer than v591448720, to validate they have received the patch.
Protecting IoT and Unmanaged Devices
The main concern arising from these new discoveries is this - what other devices are vulnerable? Unlike in the PC and mobile world, in which two or three main OSs control the absolute majority of the market, for IoT (or unmanaged) devices, no such dominant players exist. This creates an environment even more fragmented than the one currently seen with Android operating systems. An individual or company using an IoT device has no way of knowing whether a newly discovered vulnerability will affect them. If there is a patch, there may be a significant delay in getting the patch or it may be very complicated to apply. Too often, no patch is provided.
The Amazon Echo and Google Home are the better examples as they were patched, and did not need user interaction to update. However, the vast bulk of IoT devices cannot be updated. However, even the Echos and the Homes will eventually be replaced by new hardware versions (as Amazon and Google recently announced), and eventually the old generations will not receive updates - potentially leaving them susceptible to attacks indefinitely.
Amazon Echo is based on an old Linux Kernel version, and the Google Home is based on Android. The reason both companies chose to integrate their Bluetooth implementations from external sources is quite obvious - it is a complex protocol which was difficult to implement in the first place. It is more efficient to use the code is embedded in the proprietary systems. However, it is not updated every time a new version is released. This means the device remains vulnerable to archaic attacks. Moreover, developers often refrain from implementing basic security measures such as stack protectors since they can be inconvenient, making the hacker's job much easier.
IoT devices are no longer a negligible threat. They are becoming a cornerstone in every corporate environment and network. These personal assistants are increasingly popular with businesses. The Wynn Hotel in Las Vegas announced it will install an Amazon Echo in every room on the premises. TheBest Western and Marriott hotels are considering doing the same thing, which will provide productivity and potential risks to consumers and business travelers. This trend will only increase in the coming years.
IoT devices are not only more prevalent today, but also subject to more attack vectors, with virtually no protection. The airborne attack vector is posing a severe threat to all IoT devices and is completely overlooked by traditional security measures. Aside of BlueBorne, new Wi-Fi vulnerabilities were found in Broadcom' chips (Broadpwn), as well as in the WPA2 protocol itself with the most recent Krack Attack. Users and businesses should treat IoT devices like any other device in their network, and implement proper protections.