A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo.
As estimated during the discovery of this devastating threat, several IoT and smart devices whose operating systems are often updated less frequently than smartphones and desktops are also vulnerable to BlueBorne.
BlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within the range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks.
What's worse? Triggering the BlueBorne exploit doesn't require victims to click any link or open any file, all without requiring user interaction. Also, most security products would likely not be able to detect the attack. What's even scarier is that once an attacker gains control of one Bluetooth-enabled device, he/she can infect any or all devices on the same network.
These Bluetooth vulnerabilities were patched by Google for Android in September, Microsoft for Windows in July, Apple for iOS one year before disclosure, and Linux distributions also shortly after disclosure. However, many of these 5 billion devices are still unpatched and open to attacks via these flaws.
Source: https://thehackernews.com/2017/11/amazon-alexa-hacking-bluetooth.html
Related Stories
'OK Google, give everybody in America a free speaker'
Alphabet Inc. should give every household in America a free Google Home Mini smart speaker, a Morgan Stanley analyst suggested Thursday.
The speakers currently retail for $49 each, which would mean spending about $3.3 billion. Morgan Stanley analyst Brian Nowak wrote Thursday that would be a "small price to pay" for Google-parent Alphabet. He estimated that the company could compensate for that cost about five times over through the operating profits it generates more generally from retail search over the next five years.
Nowak worries that Google is losing ground to Amazon.com Inc. when it comes to retail search queries, given that more purchases are being made through voice commands and Amazon is widely thought to have a lead on Google in terms of smart-speaker penetration. He projects that roughly 70% of households will have speakers by 2022, and that Amazon will have 1.3 times more speakers in homes than Google will at that point, absent any dramatic action.
Also at VentureBeat and CNBC.
Related: Amazon Dominates Voice-Controlled Speaker Market
Voice-Powered Smart Speakers to be in 55% of U.S. Homes by 2022
Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @10:59AM (2 children)
Omg! OMG! omg! Wait, who uses bluetooth for anything security wise, if they are not a total Windoze Luzer?
(Score: 1) by Ethanol-fueled on Saturday November 18 2017, @12:55PM
Who? Anybody too stupid to have to use concepts like sockets.
(Score: 2, Informative) by Anonymous Coward on Saturday November 18 2017, @12:59PM
sigh ... trolls be trollin'
No one is using bluetooth for security. This is a security flaw in bluetooth. If your device has bluetooth enabled then you are vulnerable (if you haven't applied the security patches that correct this issue).
So, not just "Windoze"?
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @11:01AM (6 children)
Read the last sentence of the news!
(Score: -1, Troll) by Anonymous Coward on Saturday November 18 2017, @11:18AM
OMG! It is worse than I thought! Thank goodness I only use Windows Ten to control my teledildonic devices.
(Score: 4, Insightful) by zocalo on Saturday November 18 2017, @12:19PM (4 children)
UNIX? They're not even circumcised! Savages!
(Score: 2) by Yog-Yogguth on Saturday November 18 2017, @01:18PM (3 children)
It's the ultimate good news.
Not because people in general will start to think about security, they won't. Even if they did they can't so much about it, nor can I.
The ultimate good news is that it will be taken advantage of and while I myself might also suffer from that my suffering will be minuscule compared to the suffering of companies and governments.
And that in turn might actually translate into changes for the better if their losses are huge enough.
Nah who am I kidding, nothing will get better, this is nothing compared to the Snowden files and that sure as hell didn't change or stop anything, it only got worse and we're all paying even more for it now than before so us insignificant ones are actually getting hit harder!
How hilarious :D
(Post might contain overdose levels of black comedy... this advisory warning is too late!)
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 1) by Yog-Yogguth on Saturday November 18 2017, @01:20PM
Errata do not so :| *farts out through the other ear while I'm already at it*
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by frojack on Saturday November 18 2017, @07:22PM (1 child)
Seriously? That's what your definition of GOOD is?
Does anyone know of one person harmed by this devastating vulnerability? Anyone?
I have some bluetooth headphones. I use them with my Android (patched) or my Linux computer (patched). How much of my secret data has been siphoned off through my headphones?
There is no exploit other than the one specially created in the lab.
They spread scary boogieman claims of worms. (Then they had to walk those back):
Just about every platform that could conceivably in your wildest dreams be leveraged to do actual damage has been patched.
Yeah, your idiotic IOT device may never get patched, but you will tire of it before an actual exploit is ever developed. Just how much processing power does that bluetooth remote controlled toothbrush have anyway?
Like virtually all of these monumental world wide hacks this is a huge pot of boiling and frothing air.
No, you are mistaken. I've always had this sig.
(Score: 2) by Yog-Yogguth on Saturday November 18 2017, @11:25PM
From the end of the comment:
Gallows humor.
Maybe not now, maybe not Bluetooth, but soon enough.
IoT processors have already been used to launch some hefty network attacks, that's old hat.
Instead someone is bound to want to cycle a large amount of devices (millions, billions, large multipliers) on and off at whichever speed maximizes power draw. Compare this with the substantial usage spikes from a number of British people turning on electric kettles during football (soccer) match half time pauses or during advertising breaks of very popular television programs.
How many shuddering garage doors does it take to bring down the US power grid? How many light bulbs doing synchronized flashing? How many thermostats raising temperatures as much as possible? How many air conditioners stuck on full blast? How many fridges and freezers dropping their temperatures as low as possible? How many personal eavesdropping devices constantly fiddling with the computers they have legitimate access to?
Who doesn't want to know?
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 1, Interesting) by Anonymous Coward on Saturday November 18 2017, @02:35PM (3 children)
My new car has bluetooth to connect my phone and other things to it. I wonder if those are vulnerable, and if there will ever be a patch produced by auto manufacturers?
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @02:38PM (2 children)
Commenting on my own submission - sorry, it's bad form, I know.
As an example, BMW is integrating Alexa into their cars: https://www.theverge.com/2017/9/27/16372566/bmw-alexa-integration-2018
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @03:21PM
Alexa let me get in the car. - You are not the owner. Alexa sudo let me get in the car. -Ok.
(Score: 2) by Yog-Yogguth on Saturday November 18 2017, @11:30PM
It's not bad form at all so don't worry about it.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @03:18PM (1 child)
Given the record of security glitches of this technology, it's clear that the designers were a bunch of incompetents in security matters. At this point, to keep on patching it is just daydreaming that it will be secure one day. It should be deprecated and replaced with something new with security as its premise. But that's not gonna happen, instead one day there will be a bluetooth-enabled nuclear warhead.
(Score: 2) by frojack on Saturday November 18 2017, @07:24PM
How old are you, 12?
No, you are mistaken. I've always had this sig.
(Score: 3, Insightful) by LoRdTAW on Saturday November 18 2017, @05:53PM (5 children)
Oh shit.. oh fuck... oh my lord... I hope I'm safe....let me check my smart devices and see if they.... oh right. I'm not a fucking idiot. I don't have any home devices.
(Score: 1, Interesting) by Anonymous Coward on Saturday November 18 2017, @06:13PM (4 children)
Not just home devices. Home devices are the latest to be found vulnerable, along with smart phones, tablets, laptops, desktops, etc, etc.
Well, based on your reading comprehension some might draw a different conclusion.
(Score: 3, Informative) by frojack on Saturday November 18 2017, @07:28PM (1 child)
Stupid fucking AC. RTFA, and if you won't, at least RTFS.
Most smartphones have been patched.
Most tablets have been patched.
Most laptops have been patched.
Most Desktops have been patched.
Most have been patched a year ago.
No exploit is in the wild.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @10:23PM
Old versions of Android have not been patched for this or any new vulnerabilities.
Old versions of Windows have not been patched.
iOS devices running iOS 9.x or earlier have not been patched.
That right there are billions of devices. Stupid fucking frojack.
(Score: 2) by LoRdTAW on Saturday November 18 2017, @07:32PM (1 child)
And yours: "Bluetooth Hack Affects 20 Million Amazon Echo and Google Home Devices" I'm referring specifically to the devices in these articles. Stay within scope.
(Score: 0) by Anonymous Coward on Saturday November 18 2017, @10:25PM
Billions of devices are affected. Stay within reality.