Archive for Amazon

Check Point Security Report Says That Amazon Alexa Was Subject To Extensive Levels Of Pwnage

Posted in Commentary on August 17, 2020 by itnerd

A report from Check Point Security researchers paints a pretty scary picture of how secure smart home devices are. Specifically Amazon Alexa products:

Our findings show that certain Amazon/Alexa subdomains were vulnerable to Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting. Using the XSS we were able to get the CSRF token and perform actions on the victim’s behalf.

These vulnerabilities would have allowed an attacker to:

  • Silently install skills (apps) on a user’s Alexa account
  • Get a list of all installed skills on the user’s Alexa account
  • Silently remove an installed skill
  • Get the victim’s voice history with their Alexa
  • Get the victim’s personal information

In effect, these exploits could have allowed an attacker to remove/install skills on the targeted victim’s Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill.

Successful exploitation would have required just one click on an Amazon link that has been specially crafted by the attacker.

Now all of those issues have been fixed. But it really makes one think twice about having these devices in their homes, as it seems really wrong that a third-party company is doing the sort of due diligence that the makers of this gear should be doing. The thing is that companies who create these devices have to have security as the top priority if they want consumers to buy their gear. Thus the best way for you to get the most secure smart home gear is to demand and expect better from these companies.

Tech CEOs To Get Grilled By Congress Today…. Here’s How To Watch

Posted in Commentary on July 29, 2020 by itnerd

Apple, Amazon, Google, and Facebook are set to be grilled by Congress today. Specifically the Judiciary Committee. The hearing is to find out if tech companies are using their dominant market positions to stifle competition, which would be harmful to consumers. It will be interesting to see how this plays out as this is an election year, which means that you might see some things happen for no other reason than to increase the chances of re-election for some politician. If you’re interested in watching the “fun”, here’s a link to watch it live starting at noon ET:

Expect some feedback from yours truly once this is over.

Amazon Pauses Police Use Of Facial Recognition…. Why This Is Meaningless

Posted in Commentary on June 11, 2020 by itnerd

Amazon has announced that they are going to be pausing the use of their facial recognition technology by police forces. Here’s why via a blog post put out by Amazon:

We’re implementing a one-year moratorium on police use of Amazon’s facial recognition technology. We will continue to allow organizations like Thorn, the International Center for Missing and Exploited Children, and Marinus Analytics to use Amazon Rekognition to help rescue human trafficking victims and reunite missing children with their families.

We’ve advocated that governments should put in place stronger regulations to govern the ethical use of facial recognition technology, and in recent days, Congress appears ready to take on this challenge. We hope this one-year moratorium might give Congress enough time to implement appropriate rules, and we stand ready to help if requested.

This is a first step, but it’s really not one that goes far enough. IBM, who quit the facial recognition business earlier this week, took a very definitive stand on this. This move by Amazon isn’t even close to that. It seems to me that Amazon wants to say that it is doing something to address the issues that have come out of the George Floyd protests, but at the same time still make money from this tech at a later date. Thus it seems to me that this is more of a PR stunt than anything else, and as a result is meaningless. If Amazon really wants to show some leadership on this issue, then they would do something that is closer to the IBM end of the spectrum. But I suspect they won’t and thus you should not take them seriously on this issue.

Amazon VP Quits “In Dismay” And Calls Company “Chickenshit” Over Firing Of Whistleblowers

Posted in Commentary on May 4, 2020 by itnerd

It seems that there’s blowback from Amazon’s apparent firing of employees, including some whistleblowers, due to their concerns over their working conditions during the COVID-19 pandemic. Tim Bray, who is well known for his part in creating the XML specification, has quit the company “in dismay” and went public about his departure:

Tim Bray, a well known senior engineer and Vice President at Amazon has “quit in dismay” because Amazon has been “firing whistleblowers who were making noise about warehouse employees frightened of Covid-19.” In an open letter on his website, Bray, who has worked at the company for nearly six years, called Amazon “chickenshit” for firing and disparaging employees who have organized protests. He also said the firings are “designed to create a climate of fear.”

While this is going to create an optics issue for Amazon, this guy likely isn’t going to be poor, and he’s just one guy. If hundreds or thousands of people lower down on the food chain start to quit Amazon for the same reason, then Amazon may have to worry. If people at Bray’s level start to quit en masse, then Amazon will have to worry. So while this will get the attention of many, it isn’t a watershed moment. Yet.

More Details On The Jeff Bezos Phone Hack Emerge…. Starting With The Fact That It Was An iPhone X That Was Hacked

Posted in Commentary on January 23, 2020 by itnerd

Yesterday, I wrote about the fact that Jeff Bezos had his phone hacked by the Saudis, and that massive amounts of data were downloaded. The Saudis deny that they were responsible for the hack. Today more details have come out regarding this hack.

  • Yesterday it wasn’t clear what phone he was using. We now know via the New York Times that it was an iPhone X.
  • This hack apparently led to a blackmail attempt of sorts from American Media Inc, who also owns the National Enquirer, as what was taken was apparently “embarrassing” texts and photos. That in turn led to the famous “No thank you, Mr Pecker” Medium post.

Now when I started writing this story, I thought all of this sounded familiar. And I was right when I started to look back through the blog. The attack vector, and the type of the attack is very similar to an attack on a human rights activist back in 2016. The source of the attack was malware provided by a shadowy company called NSO who is known to sell their malware to governments who don’t exactly have the best human rights records. And at the time Apple released an emergency patch to iOS 9 to close the holes that were used in that incident. Fast forward to today where the UN Report that led to me writing yesterday’s story also points to NSO:

The forensic analysis assessed that the intrusion likely was undertaken through the use of a prominent spyware product identified in other Saudi surveillance cases, such as the NSO Group’s Pegasus-3 malware, a product widely reported to have been purchased and deployed by Saudi officials. This would be consistent with other information. For instance, the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group.

And to add to this, Facebook, who owns WhatsApp, fixed an issue that fits this attack vector almost a year ago. And the thought was that the NSO Group was behind that attack.

Now the question is how did we get to where we are now? Well, the theory that is floating around, if you accept that the Saudis are behind this, is as follows:

  • Just before the hack, The Washington Post, which Jeff Bezos owns, was investigating American Media, Inc and its role in helping President Donald Trump silence women he had affairs with.
  • The Washington Post also had writing for them a person named Jamal Khashoggi. He was a vocal critic of the Saudi government and was murdered because of that. And a lot of the negative things that he had to say about the Saudi government ended up in the Washington Post.
  • The Saudis were likely not happy about the Washington Post reporting. And they have a bit of a reputation of going after people that they perceive as threats in a variety of ways. Thus they hatched this scheme to use the NSO malware to get something on Bezos. And hit the jackpot with whatever “embarrassing texts and photos” that they got off the phone. Whatever “embarrassing” items they got were then turned over to American Media, Inc to try and punish Bezos for the coverage that they didn’t like. American Media in turn tried to use this “embarrassing” info to shut down the investigation into them helping President Trump. Except that it backfired on them when Bezos went public on Medium.

Interesting theory. But what are needed are facts. A broader investigation can not only separate fact from fiction, but should also be able to follow the facts to nail down the parties responsible and hold them accountable in any and every way possible. Clearly this was a very targeted and sophisticated attack. And because of that it is one that cannot go unpunished.

A Smartphone Belonging To Jeff Bezos Was Pwned By Saudi Hackers Who Extracted Massive Amounts Of Data

Posted in Commentary on January 22, 2020 by itnerd

News is surfacing today that Amazon founder Jeff Bezos had his smartphone pwned by hackers working for the Saudi Crown Prince. Said hackers then pulled a ton of data off of it. And this was done because of the coverage that the Washington Post, which Bezos owns, has done on the Saudis. None of which was flattering given that one of the reporters was killed by Saudi agents recently. Here are the details via the Washington Post:

United Nations human rights investigators have concluded that an account belonging to Saudi Crown Prince Mohammed bin Salman sent an infected video to Amazon founder Jeff Bezos, triggering a massive extraction of data from the billionaire’s cell phone.

The report by human rights investigators Agnes Callamard and David Kaye says the forensic evidence found in Bezos’s phone “suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia.”

In a report released Wednesday, Callamard and Kaye called for the United States and other nations to investigate the alleged hacking of Bezos’s phone as part of a larger look at what they called “the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents.”

The UN officials’ report was based on a forensic investigation of Bezos’s phone commissioned by the Amazon founder, who also owns The Washington Post. Callamard and Kaye said the crown prince’s involvement in the alleged hack was part of “a pattern of targeted surveillance of perceived opponents” by Saudi authorities and was “relevant to… ongoing evaluation of claims about the Crown Prince’s involvement in the 2018 murder of Saudi and Washington Post journalist Jamal Khashoggi.”

The 2018 hack of Bezos’s phone took place five months before Khashoggi, a Saudi dissident who was under contract with The Post’s editorial department to write opinion columns, was murdered at the Saudi consulate in Istanbul. Five Saudi nationals were sentenced to death last month in connection with the Khashoggi killing after a secret trial in Saudi Arabia.

It isn’t mentioned if Bezos is on Team Android or on Team iPhone, but this whole episode does illustrate the risks of attachments that you receive. In any case, the Saudis deny this, which I would expect any nation state accused of hacking to do. But unfortunately for the Saudis this isn’t going to go away, as the UN is calling for an investigation and one suspects that more details will come out about this hack that they will not like.

If You Have A Ring Doorbell, Law Enforcement Can Get Video From It Simply By Asking For It

Posted in Commentary on August 6, 2019 by itnerd

A report in GovTech caught my eye this morning as it had news that Amazon is working with police to provide access to video from the popular Ring doorbells simply by having the cops ask for it:

What has raised eyebrows, however, is the company’s push for partnerships with law enforcement agencies across the country, a fact that some feel has allowed police to create informal surveillance networks in hundreds of neighborhoods. 

Under Ring partnerships, police are provided with a special portal that allows them to communicate with and request video from community residents.  

Amazon offers these partnerships for free, in exchange for the signing of a memo of understanding that has also caused controversy. Critics allege these memos allow Amazon the unprecedented ability to ghostwrite a majority of law enforcement’s press releases about the product, leading to accusations that “Ring is using local police as a de facto advertising firm.”

“What we’re talking about is a private company trying to disrupt the public safety infrastructure of this country in the same way that companies have gone into other parts of our society,” said Dave Maass, senior investigative researcher with the Electronic Frontier Foundation. 

Among other things, Maass sees the product as problematic for both consumer privacy and cybersecurity. 

“Information is being collected on people who are just going about their lives. Not necessarily doing anything nefarious, yet they’re having information collected on them anyway,” he said. “By deploying tens of thousands of these cameras in any given community, you’re also creating a very wide surface area for attack [for hackers],” he went on. “We’ve seen over the years that IoT devices — specifically web cameras and CCTV cameras — have proven very rich targets for malicious actors.” 

However, here’s the other side of this:

However, he [Tony Botti, public information officer for the Fresno County Sheriff’s Office] noted, there is a workaround if a resident happens to reject a police request. If the community member doesn’t want to supply a Ring video that seems vital to a local law enforcement investigation, police can contact Amazon, which will then essentially “subpoena” the video. 

“If we ask within 60 days of the recording and as long as it’s been uploaded to the cloud, then Ring can take it out of the cloud and send it to us legally so that we can use it as part of our investigation,” he said.

There’s a whole number of ways that this isn’t good. Privacy, for example, is at the top of the list. Unauthorized access is second on that list, as I would be concerned at someone trolling through videos that a Ring Doorbell records for giggles. But on the other hand, you could make an argument that this shouldn’t be an issue because if you have video that could help the cops, any good citizen should want to hand it over. Thus eliminating the need for the cops to troll through your video. In other words, this is a complex issue that likely needs debating in public and Amazon answering some pointed questions before this goes away.

Amazon Will Now Allow You To Disable Human Listening Of Alexa Recordings

Posted in Commentary on August 4, 2019 by itnerd

According to a new report from Bloomberg, Amazon has joined Apple in that it will now let customers disable human review of their Alexa recordings. Clearly Amazon felt it had to do something to match Apple in terms of addressing this issue before someone else does it for them. As is the case with Google and the Germans, who didn’t like this at all.

My question is, does this end this issue? Or is it going to continue?

Amazon Employees Not Only Listen To What You Say To Alexa, They Know Where You Live Too

Posted in Commentary on April 24, 2019 by itnerd

You might remember this story about Amazon employees having access to what you say to your Amazon Alexa. Well, this story has just taken a bit of a creepy turn. Bloomberg is now reporting the following:

An Amazon.com Inc. team auditing Alexa users’ commands has access to location data and can, in some cases, easily find a customer’s home address, according to five employees familiar with the program.

The team, spread across three continents, transcribes, annotates and analyzes a portion of the voice recordings picked up by Alexa. 

And:

Team members with access to Alexa users’ geographic coordinates can easily type them into third-party mapping software and find home residences, according to the employees, who signed nondisclosure agreements barring them from speaking publicly about the program.

Well that’s delightful. Actually it’s not. And even though this information doesn’t appear to have been used for anything nefarious, the fact that this team has access to this data is problematic if you’re the privacy minded sort.

Now if you’re the least bit bothered by this…. And you should be bothered by this… Amazon has this handy page that will allow you to tweak your privacy settings so that you only allow Amazon to hear and see the information that you want them to see. I would suggest that all Alexa owners give this page a read and act accordingly.

Amazon Employees Listen To What You Have To Say To Alexa

Posted in Commentary on April 12, 2019 by itnerd

A report from Bloomberg has revealed that whatever you say to your Amazon Alexa has potentially been heard by thousands of Amazon employees. The report explains that the company has staff around the world, both full time and contract, whose job it is to listen to people’s interactions with the Echo devices and use that to improve how Alexa responds in future.

Now this shouldn’t come as a shock seeing as Amazon keeps what you say to Alexa on file so that they can hand it over to the cops if they show up with a warrant for example. But at the same time it is a bit of a problem seeing as I really don’t want any of these smart speakers to be collecting my conversations and having the companies behind them listen to what I say.

Now if any of this sounds familiar, it should. You might remember the story I wrote on Amazon-owned Ring employees watching customer camera feeds. At the time Amazon had this to say:

We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.

And in the present day in terms of this fiasco, Amazon had this to say:

“We take the security and privacy of our customers’ personal information seriously,” an Amazon spokesman said in an emailed statement. “We only annotate an extremely small sample of Alexa voice recordings in order [to] improve the customer experience. For example, this information helps us train our speech recognition and natural language understanding systems, so Alexa can better understand your requests, and ensure the service works well for everyone.

“We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system. Employees do not have direct access to information that can identify the person or account as part of this workflow. All information is treated with high confidentiality and we use multi-factor authentication to restrict access, service encryption and audits of our control environment to protect it.”

You’ll excuse me if that doesn’t make me feel better. Which means that an Alexa device will never see the light of day in my home. In the meantime, I’ll go back to using Siri. Sure it isn’t as smart as the other smart assistants out there. But at least Apple’s privacy policy makes it clear how your information is used, the fact that it isn’t directly tied to you, that much of it resides on your iDevices, and you can reset things so that you can cover your tracks if you need to. All of that makes me feel better.