Dick Morrell: Amazon Users Advised to Reset Passwords Amid Echo Privacy Concerns

sackheads.social

27 points by nour_ 3 years ago · 12 comments

ceejayoz 3 years ago

If the vulnerability can't be revealed for "ethical" reasons, that implies it's ongoing... so what would a reset do? Wouldn't the newly reset credentials be just as vulnerable until fixed?

dgrin91 3 years ago

Dupe of https://news.ycombinator.com/item?id=35710854

nour_ (OP) 3 years ago

Dick Morrell is urgently advising Amazon users to sign out of all devices, reset their passwords, and delete 2FA tokens due to an unspecified security issue. The issue appears to be related to Amazon Echo devices, which have been accused of scanning users' Wi-Fi networks and sending detailed profiles of network equipment back to Amazon. The code for this functionality is allegedly contributed by the US National Security Agency, raising concerns about privacy and unauthorized surveillance. Users are encouraged to take immediate action to protect their accounts and devices, as the full extent of this security problem is still unclear.

  • MiguelHudnandez 3 years ago

    It's unclear if he's also recommending to leave echo devices disconnected, or just cycling the auth info.

    Based on what he's sharing now, there are hints of two issues:

    1) authentication information including MFA secrets might be leaked and need to be cycled. (this would be surprising)

    2) Echo devices perform undisclosed reconnaissance on nearby wifi networks (not particularly surprising)

    These seem like totally separate issues with different impacts and different mitigation techniques.

    • zamnos 3 years ago

      What do you mean undisclosed?

      It's totally right there! Right in the privacy policy no one read, on page 53, in size 2 font, in the cellar, in the display department, in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.’

      • Freedom2 3 years ago

        Is there any evidence of this policy existing? What sources do you have that there is indeed a door with a sign that says as such?

  • rideontime 3 years ago

    This user appears to be generating comments with GPT.

1vuio0pswjnm7 3 years ago

To view this and other Mastodon toots without JavaScript add "/embed" to the left side of URL.

https://sackheads.social/@Cloudguy/110256617380917383/embed

nathanaldensr 3 years ago

Who is Dick Morrell? This Twitter thread seems discombobulated, although I admit I am quite tired at the moment. Does this only apply to people who use Echo? Is it all Amazon users? Why does deleting 2FA help? Is Amazon storing passwords in clear text?

panarky 3 years ago

He doesn't say the issue is limited to Echo devices.

Yes, Echos are scanning wifi and phoning home details you didn't authorize, which is a bad thing but not the issue here.

Morrell says the issue is with all retail Amazon accounts (possibly not AWS-only accounts.)
