Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Security Google Operating Systems Privacy Software Hardware Technology

Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices ( 40

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.
This discussion has been archived. No new comments can be posted.

Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices

Comments Filter:
  • by Freshly Exhumed ( 105597 ) on Thursday November 16, 2017 @09:33PM (#55567131) Homepage

    Thankfully any exploits against Bluetooth were quickly ruined by... well... Bluetooth.

    • by Anonymous Coward on Thursday November 16, 2017 @11:26PM (#55567547)

      I wish I was a registered user capable of modding you up, registration and login feels like too much of a hassle though.

      Bluetooth is quite possibly the worst commercial technology I have ever seen widely implemented. It's inability to stay connected, weird issues cropping up all the time, battery usage, distance problems etc. I have a logitec wireless keyboard/mouse with a very tiny usb dongle, works perfectly, works across the room, takes a year to wear down a AA battery, always is connected and requires no setup to do so.

      When I compare the two it feels as though bluetooth was going for what the logictec has, but never really got there and didn't bother to go back and fix the issues before rushing it into production. Now years later it still has not been properly fixed and it seems that the companies who create bluetooth devices are completely fine with having the architecture behind it all remain a complete user experience mess with no end in sight.

      I used to do technical support for Dell, one of my most common and least favorite calls was about bluetooth devices because even if you follow the tree of steps the same each time, the outcome was different and it seemed like you might as well just cut the head off a chicken and dance around naked as it would have about the same effect on the damned things.

      Bluetooth should in my opinion be disabled as a non functional incomplete architecture/standard/hardware, I don't know wtf is wrong with it, but it NEVER works correctly. It seems to come pre-enabled on most operating systems, however I'd much rather it was something you downloaded and added on vs having it just detect the chip is there and immediately proceed to install the drivers and wake the stupid chip up.

      I have an uneasy suspicion that if it's basic operation is so flawed and random, the security is more than likely a total cluster F just waiting to happen. This article begins to confirm that fear for me, though more examples must arrive before I am entirely convinced that the security of this standard is also fatally flawed like the rest of it.

      • If Bluetooth NEVER works for you, you're probably the problem. I had a nice pair of Bluetooth headphones. Worked perfectly. I saw the knock off version from China for a quarter of the price. It was clearly inferior product and couldn't maintain connection with phone in pocket two feet away. The original, legit LG headphones worked like 30meters away through a wall. It was clearly the device at fault, not my phone or protocol. Not to say I don't experience issues, just rarely, not often.
  • by Anonymous Coward
    The biggest problem wasn't even mentioned - the complete loss of control over personal data and privacy and the intention of Google and Amazon to collect as much information about you and your life as possible. This is one hole that isn't going to be plugged ... ever.
  • Does this mean I can finally jailbreak the hardware to talk to a different (local) server? Because the hardware is nice...

  • To me the astonishing thing is that there are 20 million of these devices in service.
    • Shipped, not in service. IIRC, there were quite a few given out as part of signing up for some other service.

    • To me the astonishing thing is that there are 20 million of these devices in service.

      Even if there were only a million, that's still a shitload no matter how you slice it.

      I can't imagine having one in my home, but that's just me.

  • Don't buy a home spying device!

    Not that hard to walk five feet or expend the effort to look at a cell phone or tablet.

    Just for fun with a PA system at an apartment building...."Alexa Buy Adult Diapers"

    Floors it!

    • Re: Better idea (Score:2, Interesting)

      by Anonymous Coward

      Cellphone and tablet are portable spying devices.

      • by nnull ( 1148259 )
        And that just as inexcusable. The very intention that most big brand tablet and phone makers are making it difficult to root and install your own custom roms onto your device is evidence enough for me of their nefarious activities. Already had enough with my LG phone pushing random app installs and standby ads.
    • by Anonymous Coward

      This is a good sentiment, but a difficult reality.

      You often require a cellphone for work, and a smartphone helps with it's blinken lights, socializing, and data etc to calm our monkey minds.

      It extends beyond that though.

      Your vehicle most likely has a black box installed, your vehicle possibly has a factory or dealership added GPS tracker. If you are utilizing something like OnStar, your vehicle is part of a collective and is monitored and tracked, with the possibility that an outside actor can manipulate y

    • It's also not that hard to STFU and not talk about something you don't know about, either. I have no idea how walking to and LOOKING at a phone replaces what an Alexa does. You clearly don't have a fucking clue. All you paranoid people, we get it. Now keep it to yourself.
  • The 6 most exploitable ones are overflow/underflow related, what a surprise.

    • by DrYak ( 748999 )

      Then shut the fuck up, stop complaining here, and join the rest of Rust developers in trying to write a full operating system (RedOx) instead of bitching and moaning about the language that the majority of the world has settled upon.

  • So, can I do "alexa sudo apt-get update" "alexa sudo apt-get upgrade linux-image"?

  • "anyone within Bluetooth range..." can always disable the device. Isn't Bluetooth range ~30 feet?

    So someone in my kitchen is going to disable my device (not that I'd have one) with a Bluetooth exploit? They could disable it with a glass of orange juice, a tennis ball, or by simply pulling the power.

    Bluetooth exploit is a long way to go to cover a few steps.

  • Overbearing surveillance in the guise of convenience, hmmm.

No amount of careful planning will ever replace dumb luck.