Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.

Re:Problem Already Solved

I wish I was a registered user capable of modding you up, registration and login feels like too much of a hassle though.

Bluetooth is quite possibly the worst commercial technology I have ever seen widely implemented. It's inability to stay connected, weird issues cropping up all the time, battery usage, distance problems etc. I have a logitec wireless keyboard/mouse with a very tiny usb dongle, works perfectly, works across the room, takes a year to wear down a AA battery, always is connected and requires no setup to do so.

When I compare the two it feels as though bluetooth was going for what the logictec has, but never really got there and didn't bother to go back and fix the issues before rushing it into production. Now years later it still has not been properly fixed and it seems that the companies who create bluetooth devices are completely fine with having the architecture behind it all remain a complete user experience mess with no end in sight.

I used to do technical support for Dell, one of my most common and least favorite calls was about bluetooth devices because even if you follow the tree of steps the same each time, the outcome was different and it seemed like you might as well just cut the head off a chicken and dance around naked as it would have about the same effect on the damned things.

Bluetooth should in my opinion be disabled as a non functional incomplete architecture/standard/hardware, I don't know wtf is wrong with it, but it NEVER works correctly. It seems to come pre-enabled on most operating systems, however I'd much rather it was something you downloaded and added on vs having it just detect the chip is there and immediately proceed to install the drivers and wake the stupid chip up.

I have an uneasy suspicion that if it's basic operation is so flawed and random, the security is more than likely a total cluster F just waiting to happen. This article begins to confirm that fear for me, though more examples must arrive before I am entirely convinced that the security of this standard is also fatally flawed like the rest of it.

Re:Problem Already Solved

I can't help but picture one of the most spastic nerd rage people screaming you post.

Regardless, you obviously have no clue about anything tech related. Stop making any guesses or conjectures. Your end result may be the same as others, but everything else is shit from your own brain.

FWIW, what logitech does for keyboards and mice has a very specific data pattern.
If you don't know how a scroll wheel works, you should star there. It's basically sending a button press a whole lot of times every time you rotate the wheel. Mouse button presses are the same as a keyboard press. All of them send a signal and a state (possibly a bunch of them). It's a VERY simple data pattern, and very compact.

Bluetooth, on the other hand, can create a true layer 2 transport. There is a huge amount of overhead in being flexible. The logitech controllers, while great for their purpose, are absolutely shitty at doing much of anything else (AFAIK). Can they send high def stereo audio out to wireless headphones? Transfer files? Route TCP/IP traffic over it? etc etc etc?

Bluetooth is just as ok as any other tech. You're just an idiot.