Google and Amazon have rolled out patches for their respective smart home speakers, Home and Echo, to plug the widespread Bluetooth flaws known as BlueBorne.
BlueBorne, a set of eight Bluetooth flaws, was already known to affect billions of phones and computers running iOS, Android, Windows, and Linux. The flaws were discovered by security vendor Armis, which now warns that the flaws in Home and Echo could be used as an entry point for attacking other devices with malware.
An attacker would need to be in Bluetooth range but can use the flaws to attack any device with Bluetooth enabled without pairing with it.
According to Armis, Amazon has provided an update to around 15 million Echo devices and Google has patched five million Google Home devices.
BlueBorne had a more serious impact on Echo than it did on Home. The Echo was affected by a remote code execution vulnerability in its Linux kernel and an information leakage flaw in its SDP server.
Google Home was affected by an information leakage flaw in Android’s Bluetooth stack. An attacker could use the flaws to own an Echo and to prevent Home’s Bluetooth communications from functioning.
Armis says a survey it conducted found that 82 percent of companies had an Echo within their corporate environment. It warns that these devices could serve as a beachhead into the corporate network.
Submitted by: Arnfried Walbrecht