Amazon Echo devices and the Google Home speaker are vulnerable to Blueborne attacks. HeikoAL/Pixabay

A number of serious security flaws discovered to affect Bluetooth devices earlier this year are now plaguing artificial intelligence-based, voice-activated speakers including Google Home and Amazon Echo.

Security firm Armis—the same group that first disclosed the Bluetooth vulnerabilities, dubbed Blueborne, in September—has issued a new warning that as many as 15 million Amazon Echo devices and five million Google Home speakers are currently at risk.

According to researchers, the Amazon Echo is susceptible to two primary vulnerabilities related to Blueborne. The first is a remote code execution vulnerability that would allow an attacker to run arbitrary code on the device that could force it to perform malicious actions without the device owner’s knowledge.

In a demonstration video posted on YouTube, Armis researchers show the attack in action. In a matter of one minute, they are able to gain top-level privileges to the AI speaker and change Alexa’s responses when a user interacts with it.

A second vulnerability plaguing the Echo is an information leak vulnerability related to the Service Discovery Protocol (SDP) server that is used to search for and connect with other Bluetooth-enabled devices.

Google’s own AI-powered speaker, Google Home, suffers from a similar flaw. It was discovered to have an information leak vulnerability that stems from the search giant’s Android operating system.

A number of Amazon’s other devices that are powered by Alexa are plagued by some variety of these vulnerabilities, depending on the operating system that is powering the device. Armis reported that some of the devices use different variants of Linux and Android.

The security researchers warned that the Blueborne vulnerabilities that affect the voice-powered speakers are serious because the devices provide users with little recourse to prevent an attacker from exploiting them. Amazon’s line of Alexa speakers and Google’s own offerings have very little by way of user interface and provide no option for a user to turn off Bluetooth connectivity entirely, meaning the devices are always at risk unless unplugged or updated.

That security risk presents a problem not just for the average person who has an Echo or Home speaker sitting in their bedroom, but for organizations as well. According to a survey conducted by Armis, 82 percent of companies have an Echo device in their corporate workspace. That opens them up to a wide range of attacks, from spreading malware to devices connected to the Echo to stealing sensitive information and more.

Luckily, Armis has now disclosed the security vulnerabilities because there is a patch available for both Google Home and Amazon Echo devices. The patch was deployed as part of an automatic update, so as long as the device is plugged in and connected to the internet, it should have received the update.

“Customer trust is important to us and we take security seriously. Customers do not need to take any action as their devices will be automatically updated with the security fixes,” Amazon said of the vulnerability. The attack was the first known severe remote vulnerability to be found in the Amazon Echo.