20 million Amazon Echos and Google Homes threatened by widespread Bluetooth hack
"My name is Alexa, I have been hacked. Take me to your leader."
No, this is not another weird Amazon skill or Easter egg for the Echo smart speaker - it is evidence of a hack that let attackers take control of vulnerable Echos and make the speakers say whatever they want.
Known as BlueBorne, the hack was first made public in September, after security firm Armis, which discovered the Bluetooth-based hack, had alerted Apple, Microsoft, Google and other manufacturers about its findings. Devices were quickly patched after it was claimed some five billion products using Bluetooth were at risk.
But now Armis has published a new video showing how the same hack left both the Amazon Echo and Google Home vulnerable to attack. As before, the two companies were told in advance and have already patched their speakers - amounting to five million Homes and some 15 million Echos.
However, despite BlueBorne no longer posing a threat, it serves as a good example of how damaging a smart speaker hack could be.
Armis states on its website: "With BlueBorne, hackers can take complete control over a vulnerable device, and use it for a wide range of malicious purposes; including spreading malware, stealing sensitive information and more."
Or how about commanding Amazon Alexa or Google Assistant to start talking for no reason, appearing sentient, and threatening their owner? All perfectly possible with a hack like this. Such devices also have access to all kinds of personal information, such as contact names, phone numbers and addresses, calendar information, and the customer's Amazon purchase history.
It doesn't take much imagination to think about what damage could be done via a compromised smart home controller like the Amazon Echo. Beyond creepy spoken messages, it could potentially be used to control any number of smart home gadgets, utilities and security systems.
Armis claims that 82 percent of the companies it questioned in a recent survey have an Amazon Echo device on their corporate Wi-Fi network. Armis added: "In many cases, corporate IT may not be aware that these IoT [internet of things] devices are even on the network."
A virtually invisible attack
Armis continued: "Given that airborne attacks are virtually invisible to traditional security solutions, a hacker only needs to exploit one device to penetrate further into a network or spread to other devices."
The company's hack raises significant concerns over the security of Internet of Things devices, such as smart home gadgets like speakers, lights, locks, air conditioning units, window blinds and much more. All are connected to the internet via a hub, or controller like the Amazon Echo, yet they do not all use one common operating system - like Windows, Mac or iOS. This fragmentation problem is worse, Armis claims, than that suffered by Android, where there are dozens of different screen sizes and resolutions for app developers to cater for - only fragmented security can be a much more serious problem.
"An individual or company using an IoT device has no way of knowing whether a newly discovered vulnerability will affect them. If there is a patch, there may be a significant delay in getting the patch or it may be very complicated to apply. Too often, no patch is provided," Armis said.
Looking forward, the security company warns that IoT devices "are no longer a negligible threat... They are becoming a cornerstone in every corporate environment and network."
Google and Amazon have both issued statements on the vulnerability.
Google said: "Users do not need to take any action. We automatically patched Google Home several weeks ago, and neither Google nor Armis found evidence of this attack in the wild. As always, we appreciate researchers' efforts to help keep all users safe."
Amazon said: "A fix has already started rolling out for this. Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes."