Blueborne discovered to affect Amazon Echo and Google Home

Blueborne discovered to affect Amazon Echo and Google Home

Intelligent speaker vendors forced to patch up AI-enabled voice assistants after devices shown to be vulnerable to Blueborne virus. 

Back in September, we reported how researchers at IT security company Armis had revealed the existence of an ‘airborne’ IoT malware called Blueborne.

The flaw was shown to be affect many devices using Bluetooth connectivity – from smartphones to medical devices – potentially enabling hackers to take control of them and spread the malware ‘over the air’ to other vulnerable systems.

Now, in an update, researchers at Armis have issued an update revealing that the flaw also affects Amazon Echo and Google Home voice assistants.

“Since these devices are unmanaged and closed source, users are unaware of the fact their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android,” they write.

Read more: Security researchers warn of ‘airborne’ IoT malware, Blueborne

Amazon Echo and Google Home

According to the update, the Amazon Echo devices are affected by two vulnerabilities: first, a remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251), and an information leak vulnerability in the SDP Server (CVE-2017-1000250).

Google Home devices, meanwhile, are affected by one such vulnerability: an information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785).

“These vulnerabilities can lead to a complete takeover of the device in the case of the Amazon Echo, or lead to DoS of the Home’s Bluetooth communications,” said Armis.

The researchers note that this is the first severe remote vulnerability found to affect the Amazon Echo, “which was an impregnable wall up until now, with the only known vulnerability requiring an extensive physical attack.”

Researchers said the company both Amazon and Google about the findings, and both companies have issued automatic updates for the Amazon Echo and Google Home.

“Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes,” said Amazon in a statement.

Read more: Amazon’s Alexa can now control your smart home cameras

Armis CTO speaks out

In an interview with US IT publication e-Week, Nadir Izrael, co-founder and CTO of Armis Security said that organisations can find themselves full of devices that basically have open microphones that can “listen to everything and the organisation has no idea they are even there”.

That’s a problem, he explained, because these devices are constantly listening to Bluetooth communications. There’s no way to put an agent or antivirus software on them and, given their limited user interface, there is no way to turn their Bluetooth off, as can be done with many other IoT devices in the home, such as smart TVs.

“With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes; including spreading malware, stealing sensitive information and more,” said Izrael.

And the problems aren’t confined to homes. A recent survey by Armis of its clients showed that over four-fifths (82 percent) have at least one Amazon Echo in their corporate environment, “sometimes in very sensitive environments.” In many cases, corporate IT may not even be aware that these devices are attached to the network.

Read more: Honeywell launches Smart Home Security System

 

The post Blueborne discovered to affect Amazon Echo and Google Home appeared first on Internet of Business.

Internet of Business

BlueBorne put billions of IoT devices at risk – including Echo and Google Home

A serious vulnerability affecting billions of IoT devices also put Amazon Echo and Google Home users at risk.

The vulnerability, known as BlueBorne, was discovered by IoT security company Armis and found to put more than five billion devices at risk of attack. Researchers have now confirmed the attack surface included as many as 20 million Amazon Echo and Google Home devices.

If compromised by BlueBorne, the device can be used to establish a ‘man-in-the-middle’ attack to gain access to critical data, personal information, web traffic, and network availability.

As the name suggests, BlueBorne is an airborne vulnerability over Bluetooth. A hacker does not have to be in the vicinity of the vulnerable device and can launch a remote attack from a compromised device with Bluetooth capabilities.

With many computers and smartphones featuring Bluetooth, the initial device could become infected through clicking on malicious links or downloading files. Once compromised, it can then use the BlueBorne vulnerability to infect other Bluetooth-enabled devices — such as the Amazon Echo and Google Home.

"Burgeoning demand for digital personal assistants is expanding the avenues by which attackers can infiltrate consumers' lives to steal personal information and commit fraud," said Yevgeny Dibrov, CEO of Armis. "Consumers and businesses need to be aware how their devices are connecting via Bluetooth, and the networks they may be accessing, in order to take security precautions to protect their information."

Business threat

Although thought of as consumer products, these devices are making their way into business environments for their digital assistant capabilities. This will raise concerns about IoT devices being used for espionage and/or blackmail.

“Rising airborne threats such as BlueBorne and KRACK are a wakeup call to the enterprise that traditional security simply cannot defend against new attack vectors that are targeting IoT and connected devices in the corporate environment,” added Dibrov.

“Every organisation must gain visibility over sanctioned and unsanctioned IoT devices in their environments. If they don’t, they’ll be victimised by a breach that can lead to stolen identities for customers and employees, impact their bottom lines, and even cost top executives their jobs.”

It is estimated there are 15 million Amazon Echos and 5 million Google Home devices sold, according to a report in September by Consumer Intelligence Research Partners. Additional estimates indicate that more than 128 million Echos will be installed by 2020 and drive more than $ 10 billion in revenue for the company.

Google Home and Amazon Echo have since been patched to address the BlueBorne vulnerability, but many others remain vulnerable. Armis has released an app on the Play Store which can be downloaded here and used to identify impacted devices.

Are you concerned about IoT device vulnerabilities such as BlueBorne? Let us know in the comments.

iottechnews.com: Latest from the homepage

How to review and permanently delete voice recordings from a Google Home or Amazon Echo

Digital assistants are great, except when they aren’t.

This week, for example, a software glitch recorded everything people said when doing their reviews of the new Google Home Mini. Yes, everything they said all day and all night was stored on Google’s servers, which is not how these devices are supposed to work. The only voice recordings saved in the cloud for a Google Home or Amazon Echo product are supposed to be short snippets captured after saying the wake word, such as “OK Google” or “Alexa”.

Google has already patched the Home Mini software so don’t fret if you pre-ordered a device. Even so, it’s not a bad idea to periodically check to see what’s actually being recorded and saved by your digital assistant. Here’s how to do it.

Removing what Google Home and Google Assistant have heard

Google lumps the recordings into your Google account, which also captures search history, Google Assistant usage, and Play Music usage, to name a few things. So you’ll have to dig a little to get at your cloud-stored voice recordings. To do that, navigate to http://myaccount.google.com and make sure you’re signed in with your Google account.

On the main My Account page, look for the card titled “My Activity” and click the “Go to my activity link”. Here you’ll find a chronological stream of the data Google has captured and stored that’s associated with your account. While it’s generally a good idea to review all of the data, if you want to filter it for just the voice data, click the “Filter by date & product” link and then choose “Voice and Audio”.

Now you can easily see all of the stored voice snippets, complete with a Play button for each one so you can hear what your Google Home or Google Assistant app recorded.

While you can delete individual recordings, removing them all will take time. That’s where the “nuclear” option comes in handy because it will remove all recordings from Google’s servers in one fell swoop. To do this, choose the “Delete activity by” option in the menu on the left. Here you can choose a time-frame, with “All time” being one of the options. You can also limit the action to “Voice and Audio”.

Choose those, click “Delete” and all of your recordings will be erased from the cloud. Keep in mind, however, that if you continue to use Google Home or Assistant going forward, all new voice commands will be saved. And it’s possible that the digital assistant experience will be worse, at least for a little while, since Google uses the recordings to make its assistant smarter and personalized for you.

If you’d rather do all of this in the Google Assistant app, you can. The process is generally the same. Just look for the “My Activity” option in the app settings to review or delete saved voice conversations.

Removing what Amazon Echo and Alexa have heard

You can actually do this at an individual snippet level right in the Alexa app for iOS and Android as well. Just open the Alexa app and tap the little Home icon at the bottom left to see a stream of cards, which each card representing a voice interaction. Each of these has a little “More” link, so tap it to see or hear what Alexa heard.

To remove all voice history from Amazon’s servers, however, you have to visit their website here and log in. Tapping the “Your Content and Devices” tab will show all of your Echo devices. Click the little menu button to the left of any Echo device for a pop-up menu that provides a “Manage Voice Recordings” option.

You’ll get an informational warning message explaining that your Echo experience may degrade since like Google, Amazon uses the recordings to make Alexa smarter and personalized.

If you’re OK with that just tap the “Delete” button and the recordings will be erased.

What you give and what you get

Remember that our personal digital assistants are just that: Personal. For them to be customized to individual users, they need to learn about us. And not just how we speak, but also about our preferences, purchases, and the type of information we search for. So yes, we’re giving up that data for any of these devices. In return, for those who find that acceptable, our assistants can make our life easier. It’s a trade-off for sure, and one that we all need to individually decide if we’re willing to accept it or not.

Stacey on IoT | Internet of Things news and analysis

Google is preparing an Amazon Echo Show competitor

Perhaps it was only a matter of time, but rumours indicate Google is preparing to launch a competitor to the Amazon Echo Show.

TechCrunch reports hearing from multiple sources that Google is building a smart home device with a screen. Like with the Echo Show, this would allow the device to display useful information visually such as the weather forecast.

Amazon has left itself somewhat vulnerable in this space with the Echo Show often seen as having the right idea, but with a lackluster execution.

The original Echo Show, in particular, suffered from a low-resolution screen by today’s standards of just 1024×600. This is much lower than most smartphone screens while also being larger than most at 7-inches.

Earlier this week, Amazon launched its updated Echo models but the Show was left untouched. Instead, a new device called the ‘Echo Spot’ was launched which can only be described as a small orb with a screen. Its small size will likely be used primarily as a bedside alarm clock, but it’s little use for a primary “home control” device.

This leaves the goal open for Google to close the sales gap between the far more successful Echo line. In fact, Google is said to have planned to launch this device in 2018 but plans have been fast-tracked to release this year.

What may add fuel to this rumour is that Google has just yanked support for YouTube from the Echo Show. This would, of course, be seen as a key feature on any similar device coming from Google.

A device similar to the Amazon Echo from Google may also boost usage of its ‘Duo’ video-calling service which seems to have received a recent marketing push with new ads appearing here on UK television.

If you ask us, all the signs are pointing towards an incoming announcement. Google does have a press event coming up on October 4th…

Are you excited for an Echo Show rival from Google? Share your thoughts in the comments.

iottechnews.com: Latest from the homepage

Can’t find your phone at home? Let your Amazon Echo or Google Home help

Surely this has happened to you or to someone you know: You put your phone down at home, walk away and a few minutes later, you’re wondering where you left it. There are a number of services, apps, third-party skills and Bluetooth trackers to help in this case but don’t overlook the obvious.

Now that both the Amazon Echo and Google Home support voice calls and conversations, you don’t need to complicate the solution to this problem. Instead just ask your digital assistant for a hand!

Back in May at its I/O conference, Google announced phone calls through Google Home would be coming. It took until August to deliver on the promise, but placing calls simply by speaking to a Google Home device works fine.

So if you have a Home device and can’t find your phone, simply say, “OK Google, call 215-123-4567”, substituting your own phone number in the command, of course. Home will place the call, causing your phone to ring until you can (hopefully!) pinpoint its location nearby. Since the call goes over the cellular network, this will work even if you have Wi-Fi disabled on your phone.

Amazon Echo owners can do the same thing, although it was a little tricky for me to figure this out. That’s partially because when Amazon introduced its voice calling feature, it limited the service to calls between Echo device users. But it also works on phones with the Amazon Alexa app, which let me to try to calling my phone from my Echo Dot.

Voice calling works with through the contact list in the Alexa app, so I first tried to add my phone as a separate contact. That didn’t work. Then I realized that my own name and profile above the in-app contact list, so I told my Dot to “call Kevin Tofel”. Sure enough, it placed the call to my phone with a recurring notification chime.

Of course, right after I got this working using my Echo, Amazon announced all new Echo devices and support for actual voice calls to rival the Google Home. So once that functionality is rolled out to your Echo, you can simply tell Alexa to ring your cell so you can find it.

Clearly, if you’ve lost your phone outside of the house, these approaches won’t work. So don’t throw out that Bluetooth or GPS tracker just yet. And remember that both Apple and Google provide a “find my phone” online service to track down that lost phone. But inside the house, I’ll rely on my digital assistant to lend a hand.

Stacey on IoT | Internet of Things news and analysis