Google and Amazon Personal Home Assistants Contain BlueBorne Vulnerability
On September 14, the NJCCIC alerted members to a set of eight Bluetooth vulnerabilities dubbed BlueBorne by researchers at the Armis cyber-security firm. This week, the same company announced that over 20 million Amazon Echo and Google Home devices are at risk for attacks via the BlueBorne vulnerability. Amazon Echo devices are impacted by a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251) and an information disclosure bug in the SDP server (CVE-2017-1000250). An information leakage issue affecting Android’s Bluetooth implementation (CVE-2017-0785) impacts Google Home devices. If left unpatched, a threat actor could exploit these vulnerabilities to gain complete control over the device or leverage a compromised device to spread malware or establish a man-in-the-middle attack. Both Amazon and Google have released security updates to patch affected devices. The NJCCIC recommends users who own Amazon Echo or Google Home devices verify that the security patches have been automatically applied. We also suggest that users disable Bluetooth on any devices that do not require it and ensure all devices are kept up-to-date with the latest software.