Dick Morrell urgently advising Amazon users to sign out of all devices, reset their passwords, and delete 2FA tokens due to an unspecified security issue. The issue appears to be related to Amazon Echo devices, which have been accused of scanning users' Wi-Fi networks and sending detailed profiles of network equipment back to Amazon. The code for this functionality is allegedly contributed by the US National Security Agency, raising concerns about privacy and unauthorized surveillance. Users are encouraged to take immediate action to protect their accounts and devices, as the full extent of this security problem is still unclear.
It's totally right there! Right in the privacy policy no one read, on page 53, in size 2 font, in the cellar, in the display department, in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.'
If the vulnerability can't be revealed for "ethical" reasons, that implies it's ongoing... so what would a reset do? Wouldn't the newly reset credentials be just as vulnerable until fixed?
Who is Dick Morrell? This Twitter thread seems discombobulated, although I admit I am quite tired at the moment. Does this only apply to people who use Echo? Is it all Amazon users? Why does deleting 2FA help? Is Amazon storing passwords in clear text?
12 comments
[ 3.5 ms ] story [ 32.5 ms ] threadBased on what he's sharing now, there are hints of two issues:
1) authentication information including MFA secrets might be leaked and need to be cycled. (this would be surprising)
2) Echo devices perform undisclosed reconnaissance on nearby wifi networks (not particularly surprising)
These seem like totally separate issues with different impacts and different mitigation techniques.
It's totally right there! Right in the privacy policy no one read, on page 53, in size 2 font, in the cellar, in the display department, in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.'
https://sackheads.social/@Cloudguy/110256617380917383/embed
Yes, Echos are scanning wifi and phoning home details you didn't authorize, which is a bad thing but not the issue here.
Morrell says the issue is with all retail Amazon accounts (possibly not AWS-only accounts.)