Amazon Echo and Google Home were vulnerable to Bluetooth exploit

David Lumb

Back in September, Bluetooth-connected device owners got a little scare when security firm Armis disclosed a new exploit known as BlueBorne. In theory, bad actors could target smartphones, tablets and such using specific vectors in Bluetooth connectivity. Armis had informed Apple, Microsoft and Google months before and they patched up the vulnerabilities ahead of the news release. But today the firm disclosed that it wasn't just handheld devices that might have been affected -- Amazon's Echo and Google Home were vulnerable, too.

Once again, Armis notified the companies in question long enough for them to patch out the vulnerabilities, so updated devices should be safe. (Echo owners can verify for themselves by making sure their devices are using version v591448720 or newer.) But the firm noted in its release that each of the 15 million Amazon Echoes and 5 million Google Homes sold was potentially at risk from BlueBorne.

The former used Linux code that could have been targeted by a remote code execution vulnerability in the Linux kernel, while the latter had an information leak vulnerability in Android's Bluetooth stack. That means Amazon Echoes could have been taken over and Google Homes shut down via denial-of-service. Armis simulated how an Echo would be taken over.

Just like the other BlueBorne vulnerabilities, users wouldn't have known if their Echoes or Homes had been affected. But those devices posed additional risk given that they're constantly listening to Bluetooth communications and, thanks to their limited UI, there's no way to turn Bluetooth off.

Armis

  • This article originally appeared on Engadget.