In September, Armis Labs disclosed a new attack vector called BlueBorne that affects Bluetooth devices. Every desktop, IoT, and mobile platform, including Android, iOS, Linux, and Windows, was affected by the bug. The only exception was macOS.

In its report, Armis said, “BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.”

Armis is now reporting that two major AI-powered virtual assistants, Amazon Echo and Google Home, are also affected by BlueBorne.

“These new IoT voice-activated Personal Assistants join the extensive list of affected devices. Personal Assistants are rapidly expanding throughout the home and workplace, with an estimated 15 million Amazon Echo and 5 million Google Home devices sold,” Armis wrote in its report.

Amazon Echo is affected by two vulnerabilities: remote code execution vulnerability in the Linux Kernel (CVE-2017-1000251) and information leak vulnerability in the SDP Server (CVE-2017-1000250).

Google Home is affected by information leak vulnerability in Android’s Bluetooth stack (CVE-2017-0785).

Both Google and Amazon have pushed automatic updates to these devices.