Remember BlueBorne, the vulnerability that allowed hackers to infiltrate an estimated 5 billion gadgets using only a Bluetooth connection?
Today, Armis Security announced that an estimated 20 million Amazon Echo and Google Home devices were vulnerable to attacks via the BlueBorne exploit. The disclosure was coordinated with Google and Amazon, and both companies have already released patches to fix the issue on their respective devices.
The report highlights a growing concern over the security of smart home devices, whose operating systems are often updated less frequently than desktop computers and cell phones, and can be left vulnerable to hackers.
For the uninitiated, BlueBorne is the name used to describe eight vulnerabilities that allow hackers to seize control of a device using just a Bluetooth connection. Attacks can be executed remotely, and without any signal to the user. The scariest part is that once a hacker gains control of one Bluetooth-enabled device, the attack can spread to any device on the same network.
The exploit is terrifying for several reasons: For starters, hackers can essentially reprogram your devices to feed you incorrect information, from false traffic reports to inaccurate schedules.
More malicious hackers can also use BlueBorne to spy on you. The vulnerability allows exploiters to record and transmit recordings to anywhere in the world without the device owner’s knowledge. This means individuals can have personal details compromised, and businesses can lose confidential information.
What’s perhaps most shocking is that exploited devices can be used in a massive distributed denial-of-service (DDoS) attack. Last year’s infamous assault on Dyn’s servers, which brought down such websites as Twitter, Netflix, and Reddit for most of the day, was accomplished with the help of over 100,000 hijacked Internet of Things devices.
“This is the tip of the iceberg,” Armis Security cofounder and CTO, Nadir Izrael, told Mashable. “The fact that we’re picking up on all these things leads us to believe that these smart devices are vulnerable in many, many other ways.”
Smart home devices tend to be especially vulnerable to breaches, Nadir added, because of the infrequency with which their software is updated. Compared to your phone or computer, most Google Homes and Amazon Echos run very old operating systems that aren’t adapted to address new security concerns.
When you operate an Internet of Things device, be it a Google Home or a smart refrigerator, it’s important to treat it like you would a phone or computer. Keep it updated, turn off Bluetooth when you’re not using it, and pay attention to which functions are enabled.
And when purchasing smart home devices, make sure to consider security. “The first thing people should do when they’re buying devices is say, ‘How is this device secured?’” said Armis vice president of marketing Michael Parker. “Second, ask ‘How does it connect? Bluetooth or Wi-Fi?’ And finally, ‘Can I turn this connectivity off?’”
“We need to start having people asking these questions,” he said, “and the market will start answering.”
If you’re worried about being vulnerable to a BlueBorne hack and want to check your own network’s security, you can download the BlueBorne Vulnerability Scanner from the Google Play Store.