In September this year, researchers at Armis, a company specializing in Internet of Things security, announced that they had developed proof-of-concept code that would allow potential hackers to hack Bluetooth devices. BlueBorne is the name given to a collection of eight vulnerabilities which could allow a hacker to take over devices that have Bluetooth enabled and run malicious code on the underlying OS or firmware.
When the news initially broke in September, it came in the wake of Android, iOS, Microsoft, and Linux patching the flaws. The latest announcement from Armis is that over 20 million Amazon Echo and Google Home devices, running on Android and Linux, are vulnerable to attacks via the BlueBorne vulnerabilities. Fortunately, both Amazon and Google have issued patches for the affected products, hence today's disclosure from Armis.
Devices that are affected by the latest announcement
IoT assistants like Amazon’s Echo and Google Home are becoming increasingly popular, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold globally. Vulnerabilities which allow such devices to be used by hackers could be frustrating at best and devastating at worst. Since these devices are unmanaged, users may be unaware that their Bluetooth implementation is based on potentially vulnerable code borrowed from Linux and Android.
In the research published by Armis, researchers successfully exploited Amazon and Google voice-activated intelligent digital assistants. Amazon Echo is vulnerable to CVE-2017-1000251 and CVE-2017-1000250, while Google Home is vulnerable to CVE-2017-0785.
The risks facing these devices can be regarded as serious, which is perhaps why Amazon and Google were quick to patch them before Armis disclosed the information. These personal assistant devices are continually listening to Bluetooth communications between numerous other devices, yet there is no way of installing an antivirus on them. In addition, they have a simple and incredibly limited user interface that does not allow Bluetooth to be turned off. When used against a vulnerable device, BlueBorne can take complete control of it and use it for a wide range of malicious purposes, including spreading malware, stealing sensitive information and more.
In a recent survey conducted by Armis, 82% of companies (including the F1000 and G2000) have an Amazon Echo device in their corporate environment. In many cases, corporate IT may not be aware that these IoT devices are even on the network. Any attack that uses BlueBorne can be classified as an airborne attack, as it is not dependent on a physical connection to the targeted system: the Bluetooth device can be targeted wirelessly. Airborne attacks are virtually invisible to traditional security solutions, and a hacker only needs to exploit one device to penetrate further into a network or spread to other devices.
Echo has been regarded as an impregnable wall
Echo, since its release, has been regarded as a very secure device. The vulnerabilities listed above may be the first severe remote vulnerabilities found in it. The only other known vulnerability was a physical attack, which depended on rooting the device and therefore required actual physical access to it. This can be considered a major limitation in exploiting the vulnerability. Despite that limitation, such an attack could allow an attacker to install a persistent implant, gain remote root shell access, and finally, remotely snoop on the 'always listening' microphones.
Owners of such devices are advised to ensure that they have patched their device with the latest updates. Amazon Echo users can verify that their devices are using a version that is newer than v591448720, to validate they have received the patch.
IoT’s vulnerable future
The main concern facing IoT devices is fragmentation. In the PC and mobile realm, three main OS providers control the absolute majority of the market; for IoT (or unmanaged) devices, no such dominant players exist. This creates an environment even more fragmented than the one experienced among devices running Android. As these devices are unmanaged, in the sense that no antivirus or security management software can be installed on them, an individual or company using an IoT device has no way of knowing whether a newly discovered vulnerability will affect them. In this instance, both Google and Amazon should be commended for the speed at which they released the respective patches. This is by no means the norm, as patches may be hard to install or delayed in reaching the public. More often than not, no patch is available.
IoT devices are also susceptible to attacks that would appear archaic if attempted on a PC. There are a number of reasons for this, but a major contributing factor is that developers use proprietary code and systems for protocols that are difficult to implement, and these are not updated when new versions become available, leaving them vulnerable. To further complicate the problem, developers often refrain from implementing basic security measures such as stack protectors since they can be inconvenient, making the hacker’s job much easier.
At their inception, IoT devices posed a negligible threat. However, they are becoming more popular and prevalent in both the private home and business. As BlueBorne has proven, these devices are already vulnerable, so more consumers looking to use personal assistant devices, for example, provide hackers with multiple attack vectors that are overlooked by traditional security solutions. Aside from BlueBorne, recent vulnerabilities discovered in Broadcom’s chips are another factor to be considered by experts. Broadpwn, the vulnerability found in Broadcom chips, can be triggered without any need for authentication, and the stability of the exploit, which deterministically and reliably reaches code execution, makes it a near-perfect partner for a worm.
Although worms died out last decade due to software becoming vastly better and preventing automatic infections across a network, they are becoming popular once again. This is due, in part, to the rise in popularity of IoT devices lacking such mature software or basic security measures. While the problem facing IoT devices is well documented, manufacturers may not be taking the problem seriously enough, as changes would undeniably influence their bottom line negatively.