Approximately two and a half months ago Armis, an Internet of Things (IoT) cybersecurity research company, disclosed BlueBorne – Bluetooth implementation vulnerabilities that affected Windows, Android, Linux, and iOS devices. These Bluetooth vulnerabilities ultimately allow an attacker to remotely execute code, obtain sensitive information, or conduct man-in-the-middle (MitM) attacks against these devices. Recently, Armis discovered that around a total of 20 million Amazon Echo and Google Home, smart speaker voice-activated personal assistant IoT devices, are also susceptible to MitM BlueBorne attacks. According to Armis, Amazon Echo devices are vulnerable to CVE-2017-1000251: Linux Kernel Bluetooth Stack Overflow and CVE-2017-1000250: Sessions Description Protocol (SDP) Server Bluetoothd Process Sensitive Information Disclosure. The Google Home devices are vulnerable to CVE-2017-0785: Android Bluetooth Stack Sensitive Information Disclosure.
The YouTube Proof of Concept (PoC) video that Armis provided demonstrates a generic attack process for remotely exploiting an Amazon Echo device. First a malicious actor would launch a custom script that takes advantage of the BlueBorne vulnerability using the Bluetooth Media Access Control (MAC) address of the Echo device. The malicious actor would then be connected and running the device on the highest permission level of root. From this point on, the malicious actor could upload a file onto the Echo device by having it transferred on a specified port using the Netcat command. Once the file has been uploaded and mounted, the Echo device would take the input and apply it without any warning. In the video above, the PoC showed that the personal assistant on the Echo, Alexa, was reprogrammed to say that she has been hacked when someone says “Alexa”.
The Bluetooth features native on Amazon Echo and Google Echo are unable to be disabled. Both smart speaker personal assistant devices are also incompatible with antivirus software. These restrictions make it difficult to prevent or mitigate system device vulnerabilities, so the only known mitigation is to hope that Amazon and Google provide software patches that address vulnerabilities. The good news is that these two IoT devices automatically receive and install software updates. For the Amazon Echo, users can verify that their device has been patched by having a version newer than v591448720. Armis did not specify which version of Google Home is secure from the BlueBorne attack, so it is best to have the most current updates applied. Armis also has a BlueBorne vulnerability scanner available on the Google Play Store that scans nearby devices for devices vulnerable to the attack, so that users can apply software updates to mitigate the vulnerabilities.
Common Vulnerabilities and Exposures (CVE):
Echo and Home Articles and Advisory: