That right there is funny, I don't care where you are from...
"CIFT isn't intended as a tool for hacking accounts."
Do I hear the sound of a thousand hackers twirling the ends of their moustaches???
bwa ha ha ha haaaaaaa
Last year, police in Bentonville, Arkansas, investigating the death of Victor Collins, demanded that Amazon turn over audio recordings that may have been made by an Amazon Echo device in his home. Amazon initially resisted the warrant, but in March, James Bates, charged with Collins' murder, consented [PDF] to the release of …
There will be a story where a hacker does something like this to listen in to people's conversations in their home and use it for nefarious purposes, and it will make the mainstream non-tech press the way the Apple vs FBI battle did. Once the average person realizes that these things are always listening and Amazon's servers are listening and police/hackers have access, sales are going to crater, and many of those installed will be unplugged and put on a shelf.
I have a nasty suspicion that the public (those who use these cursed things) are probably pretty aware that they're always listening. But they just don't care if Alexa or whatever will save them the effort of actually having to press a button to play music or order goods.
Your reasoning is perfect. Perfect for me to never, ever have one of these things in my house.
These are nothing more than a spy in the room. Big Brother is Listening.
Do you honestly want that?
Go read 1984 again.
We are at war with Eurasia or should I say Amazon.
PS, this also applies to any Siri or Cortana device. I do not and will not have a spy listening in on my life even if I was paid £10,000 a month.
"... even if I was paid £10,000 a month."
I call BS. I'd happily have a constantly listening dot in my front room for something that meant I could give up my job. Heck - I'd just buy a new house and give it its own room and just stay out of there if I were that paranoid. What the hell conversations do you have that you care so much? I get the whole privacy for privacy's sake but we all have our price. Would you have one for a million pounds a month? Ten million? If you say no then you are either rich, stupid, a criminal or a liar.
Close -- yes, the echo is always listening -- but not Amazon's servers. The Echo doesn't start recording until it picks up on the hardcoded keyword (the only two available are "Amazon" and "Alexa") and until then no voice traffic is sent up to the servers for processing. If you don't believe me you can dig out Wireshark and see for yourself -- just like I did after I bought my first echo.
Apple devices listen for "Siri", Google devices listen for "Google", Microsoft devices listen for "Cortana", and Amazon devices listen for "Alexa". If sales are going to crater for the reason you give, then sales for all of them would crater at the same time -- and for better or worse I'm pretty confident that the demographic of the population that uses these devices aren't going to give them up.
By the way, you CAN mute the microphone. In fact, on the Echo Tap displayed in the article photo the default behavior forces you to "tap" the button instead of using a wakeword - so that you can have a voice controlled device that ISN'T listening all of the time if that is what you want.
"But not the hacked version ....."
If they are going to that much trouble then they would just bug your house properly. Our dot can only just make us out in the next room if we talk very loudly. It'd be pointless on the next floor or more than a room away.
Inadmissible in court. In order to have a recording device in a room to use in court, you must have someone in the room who knows about it actively recording. At least that is what I have heard, no personal experience. Tried to find something to link to but I am sure you will find the same online.
What is to prevent Amazon (or Google) from updating the terms-of-service and burying in it legalese language that lets them listen all the time? And like many TOS updates, either you agree or you cannot use your paid-for product anymore. What is to prevent Amazon from making the microphone mute button become a button that only stops listening to commands but listens for everything else?
"What is to prevent Amazon (or Google) from updating the terms-of-service and burying in it legalese language that lets them listen all the time?"
Because of the huge load on them for doing something that's pointless... that's what. If there was a commercial use in it then it would do it already. After all - as others have said - most people wouldn't care.
> What is to prevent Amazon from making the microphone mute button become a button that only stops listening to commands but listens for everything else?
On Amazon devices at least (no idea about Google) the microphone mute button is hardware-wired to disable the microphone. It's not a software controllable thing. And while I guess they could in theory choose to get the audio to stream all the time while the mic is on that would hugely increase their cloud costs for no benefit.
I do agree wholeheartedly that Wireshark really is the definitive way to know what is being sent down the line.
Two points though:-
The current vogue for encryption of data, even in circumstances where you really do need to know what is being sent out with your name on it, makes it difficult to work out what data is actually being sent. Is it just the "wake-up" call, or is it that plus one juicy tidbit per message, such as a user-name/password combination stored in a "to send under the radar" buffer using steganography techniques, which can easily be disguised as handshaking?
The other way is that a designer of the system, wanting to get data out of it surreptitiously, could do so as an "encrypted digest" at midnight - to which the official response would be "oh yes it needs to sync with time servers at midnight." Which means your Wireshark session needs to be active for days at a time to rule out such a possibility.
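One way to make the days-long capture the comment above calls for less tedious, as an added example that is not from this thread or any Amazon tool: bucket the device's outbound bytes per hour from a capture export, flag hours far above the idle median (a spoken query, or the "midnight digest" case), and report hours that recur across days. The flow records are constructed and the export format is an assumption; a real run would feed it a tshark/Wireshark CSV of packet times and lengths filtered to the device's IP.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample flows: (timestamp, bytes sent by the device). Stands in for a
# multi-day capture export; not real Echo traffic.
START = datetime(2017, 7, 1, tzinfo=timezone.utc)

def constructed_flows():
    flows = []
    for day in range(3):
        for hour in range(24):
            ts = START + timedelta(days=day, hours=hour)
            flows.append((ts, 1200))  # keepalive/handshake chatter while idle
            if hour == 0:
                # recurring midnight burst: the "encrypted digest" scenario
                flows.append((ts + timedelta(minutes=1), 90_000))
    # one spoken query on day 2 at 14:00
    flows.append((START + timedelta(days=1, hours=14), 180_000))
    return flows

def hourly_outbound(flows):
    """Sum outbound bytes into (date, hour-of-day) buckets."""
    buckets = defaultdict(int)
    for ts, nbytes in flows:
        buckets[(ts.date().isoformat(), ts.hour)] += nbytes
    return dict(buckets)

def find_bursts(buckets, factor=5.0):
    """Buckets whose volume exceeds factor x the median hour (the idle baseline)."""
    baseline = statistics.median(buckets.values())
    return sorted(k for k, v in buckets.items() if v > factor * baseline)

def recurring_hours(bursts, min_days=2):
    """Hours of day that burst on at least min_days distinct days."""
    days_by_hour = defaultdict(set)
    for day, hour in bursts:
        days_by_hour[hour].add(day)
    return {h for h, days in days_by_hour.items() if len(days) >= min_days}

if __name__ == "__main__":
    buckets = hourly_outbound(constructed_flows())
    bursts = find_bursts(buckets)
    print("burst hours:", bursts)
    print("recurring hours of day:", recurring_hours(bursts))
```

A burst that lines up with a spoken query is expected; one that recurs at the same hour every day with no interaction is what to chase down with the decrypted-endpoint or DNS side of the capture.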
" ... the demographic of the population that uses these devices aren't going to give them up."
I'm afraid you may well be right.
It is the same demographic of the population that makes up the hordes of assholes walking the streets of hundreds/thousands of cities these days, looking not at their surroundings or the sidewalk but idiotically staring at their new, shiny and very expensive fondleslab they just spent eight hours of their life in a queue for because they 'had' to be connected.
In very much the same way they cannot take another step without reading the last whatever that popped up on the screen, they also find it absolutely wonderful to have a microphone set up in their house 24/7.
"[W]e can acquire forensically meaningful native artifacts from the Alexa, such as registered user accounts, Alexa-enabled devices, saved Wi-Fi settings (including unencrypted passwords), linked Google calendars, and installed skill lists that may be used to interact with other cloud services," the paper says.
Does this mean that Amazon is exposing all of the above to the public internet from their servers or are the researchers saying that if they hack a particular unit they can obtain the data stored on that device? One is very scary the other less so.
My colleague Jessica and I did a presentation on the Amazon "Echosystem" in June at the SANS DFIR Summit in Austin (you can see our slides here: https://www.sans.org/summit-archives/file/summit-archive-1498230402.pdf). The individuals in this article only looked at the device itself, and not how it relates to a series of devices that were actually used and generated data in a typical user environment, for a very short period of time (late 2016 through early 2017). A lot changed in the early part of 2017, and even more changed with the release of Calling & Messaging, and yet even more has changed since the release of the Echo Show. Some of the information is still valid, but it is just a small portion of what is available now through the API method. Which, if you really step back and think about it, you have to be able to get this information somehow, since almost nothing gets stored on the devices themselves. So if you have credentials, of course you can query for all of this information if you know the proper URL and formatting.