Blueborne discovered to affect Amazon Echo and Google Home

Blueborne discovered to affect Amazon Echo and Google Home

Intelligent speaker vendors forced to patch up AI-enabled voice assistants after devices shown to be vulnerable to Blueborne virus. 

Back in September, we reported how researchers at IT security company Armis had revealed the existence of an ‘airborne’ IoT malware called Blueborne.

The flaw was shown to be affect many devices using Bluetooth connectivity – from smartphones to medical devices – potentially enabling hackers to take control of them and spread the malware ‘over the air’ to other vulnerable systems.

Now, in an update, researchers at Armis have issued an update revealing that the flaw also affects Amazon Echo and Google Home voice assistants.

“Since these devices are unmanaged and closed source, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android,” they write.

Read more: Security researchers warn of ‘airborne’ IoT malware, Blueborne

Amazon Echo and Google Home

According to the update, the Amazon Echo devices are affected by two vulnerabilities: first, a remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251), and an information leak vulnerability in the SDP Server (CVE-2017-1000250).

Google Home devices, meanwhile, are affected by one such vulnerability: an information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785).

“These vulnerabilities can lead to a complete takeover of the device in the case of the Amazon Echo, or lead to DoS of the Home’s Bluetooth communications,” said Armis.

The researchers note that this is the first severe remote vulnerability found to affect the Amazon Echo, “which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack.”

Researchers said the company both Amazon and Google about the findings, and both companies have issued automatic updates for the Amazon Echo and Google Home.

“Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes,” said Amazon in a statement.

Read more: Amazon’s Alexa can now control your smart home cameras

Armis CTO speaks out

In an interview with US IT publication e-Week, Nadir Izrael, co-founder and CTO of Armis Security said that organisations can find themselves full of devices that basically have open microphones that can “listen to everything and the organisation has no idea they are even there”.

That’s a problem, he explained, because these devices are constantly listening to Bluetooth communications. There’s no way to put an agent or antivirus software on them and, given their limited user interface, there is no way to turn their Bluetooth off, as can be done with many other IoT devices in the home, such as smart TVs.

“With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes; including spreading malware, stealing sensitive information and more,” said Izrael.

And the problems aren’t confined to homes. A recent survey by Armis of its clients showed that over four-fifths (82 percent) have at least one Amazon Echo in their corporate environment, “sometimes in very sensitive environments.” In many cases, corporate IT may not even be aware that these devices are attached to the network.

Read more: Honeywell launches Smart Home Security System

 

The post Blueborne discovered to affect Amazon Echo and Google Home appeared first on Internet of Business.

Internet of Business

How Will IoT Affect the World of iGaming?

How Will IoT Affect the World of iGaming?

By Marc, Editor at Iot Business News.

As the electronic world becomes increasingly streamlined and people grow more accustomed to the seamless movement and connectivity of their online world, we see the desire for its integration in different avenues.

In the iGaming world, the benefits of IoT technology are vast and many – in fact, it’s one of the industries where its reach is most obvious. For this reason, companies have already started delving head first into the creation new devices and software.

Year on year, profits in the iGaming business continue to grow and, at some point, will certainly usurp the land-based offerings that have traditionally kept the punters spending. If you can gamble in the palm of your hand or from the comfort of your couch, the likelihood is you’ll do it more often.

With $ 60 billion worth of revenue expected from the medium by the turn of the next decade, companies are eagerly putting ideas into practice to try and take their piece of the pie.

But what will we see?

Because the current generation is more au fait than ever with mobile technology, they’re more and more accepting of doing the things from “real life” via their phones, laptops, and computers.

There’s a reason that land-based casinos command such an enormous amount of revenue though, and it’s because of the experience it offers. Not just the act of a transaction trying to win money, but the buzz and excitement around it.

How about taking your hitting the casino from your living room, without the air miles or the need for the dress shirt? Virtual reality headsets could provide this experience. And there’s a reason providers go to great lengths and expense to make their tables and hosts look the part – for example, if you went to play Live Blackjack at William Hill (a live casino), you could be a VIP, have the Vegas experience, or even head to Macau, all without stepping out of the front door. The experience without the effort.

The software will continue to make strides, until you can take a full stroll around the casino floor, no doubt engaging with the tables and croupiers, deciding what takes your fancy and which table deserves your money. You’ll have to source your own refreshments, but other than that the experience will all be done for you.

That’s the most fanciful operation that is coming into play, but from the more tech-savvy perspective and for increasing revenues for the operators, tapping into the location and habits of players would give vital data.

If you know the time, the duration, and the movement of players that choose to play your games, you can make adjustments to your output. Do they need to be faster, slower, more engaging? Do you need to time your promotions in the morning, or the evening? This is all information that can lead to increasing gameplay and revenues.

smartwatchTaking that one step further, smartwatches could even track what gets the heart rate going – do wins or close wins cause a spike, and how does that affect gameplay? The ways to manipulate the technology to better target your audience are massive.

It’s also where the physical casinos can sign up to the technology – apps can track movements and spending habits, to help casinos know when to send offers for refreshments, or when to invite them back to the tables.

It’s still in the building stages, yet already we can see that the benefits will be huge now there’s a generation open to sharing so much information with the providers they use.

The post How Will IoT Affect the World of iGaming? appeared first on IoT Business News.

IoT Business News

Senrio: Devil’s Ivy vulnerability could affect ‘millions’ of surveillance cameras

Senrio Devils Ivy vulnerability in security cameras

Researchers find flaw in security cameras that could allow hackers access to video surveillance feeds.

Security researchers at Senrio have found a vulnerability that could enable hackers to access the video feeds of millions of surveillance cameras sold by Axis Communications. They’ve named it ‘Devil’s Ivy’, because, like the plant, it is hard to eliminate and spreads quickly.

In a blog post, the researchers write that the flaw, which they uncovered while investigating the cameras’ Simple Object Access Protocol (SOAP) code, “results in remote code execution and was found in an open-source third-party code library from gSOAP”.

“When exploited,” they add, “it allows an attacker to remotely access a video feed or deny the owner access to the feed.”

The Senrio team said that the Devil’s Ivy vulnerability was initially found in Axis Communications’ M3004 security camera and that they disclosed it to the manufacturer. Axis then informed Senrio that the flaw was in fact present in 249 distinct camera models, the exceptions being three of its older cameras, but the manufacturer was quick to address the problem head-on.

“Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade,” Senrio’s researchers report.

Axis Communications camera spotted by Senrio researchers at Los Angeles International Airport (LAX)

Impact goes far beyond Axis

But Senrio warned that the impact goes “far beyond” cameras from Axis. The communication layer that the vulnerability uses, an open source third-party toolkit called gSOAP, is widely used by developers around the world as part of the software stack that enables devices of all kinds to ‘talk’ to the internet.

“Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time,” they write.

Servers are more likely to be exploited, they maintain, but clients (such as IoT devices) can be vulnerable as well, if they receive a SOAP message from a malicious server.

To help understand the magnitude and reach of this vulnerability, the company turned to Genivia, the company that manages gSOAP. Genivia claims that the code has been downloaded over one million times and counts IBM, Microsoft, Adobe and Xerox as customers.

“Once gSOAP is downloaded and added to a company’s repository, it’s likely used many times for different product lines,” Senrio researchers said. “It is likely that tens of millions of products – software products and connected devices – are affected by Devil’s Ivy to some degree.”

Genivia has now released a patch. In the meantime, Senrio is warning that all cameras vulnerable to Devil’s Ivy are potentially exploitable. “Devices like security cameras should be connected to a private network, which will make exploitation much more difficult,” the company recommends.

It advises that patches to devices should be made as soon as possible: “If this is not within your control, place other layers of security between your vulnerable device and the external internet.”

The post Senrio: Devil’s Ivy vulnerability could affect ‘millions’ of surveillance cameras appeared first on Internet of Business.

Internet of Business

What is this ‘GDPR’ I keep hearing about and how does it affect me?

A lot has been written and said lately about GDPR, not least of all by VanillaPlus. (See: GDPR compliance: We need to comply but where to begin? and More than half of companies in data protection survey will be affected by GDPR, but 5% don’t know what it is. In case your compliance people have been hiding […]

The post What is this ‘GDPR’ I keep hearing about and how does it affect me? appeared first on IoT Now – How to run an IoT enabled business.

Blogs – IoT Now – How to run an IoT enabled business