I just received a new Fire TV cube gen 3, because my old one is malfunctioning. I know, I hate these devices myself, but it’s the only option right now, since a new version of the Nvidia shield isn’t coming in the foreseeable future.

So, I plugged in the power chord and the HDMI cable into the cube.

When it booted up it showed a screen that it’s downloading the newest update. At first I thought this must be some typo-bug on the initial boot steps, because I haven’t even connected it to the internet yet, neither via cable nor did I go through the wifi setup.

After the update has finished, I was greeted with my real name and the cube indeed had the actual WiFi settings!

WTF?! How’s that even possible?

  • Darkassassin07@lemmy.caEnglish
    2·
    1 year ago

    First of all, they have to already know you have that device.

    Ie: any amazon smart device; which are becoming increasingly popular and found in many homes globally.

    Also, I’m not taking about someone targeting me, you, or anyone specifically. I’m talking about someone wandering around looking for homes that happen to have a vulnerable device and seeing where they can get from there.

    Really not hard to find.

    THEN they have to hang around long enough for any sort of updates and shit to happen.

    Trivial when you consider not everyone lives in a single-family home with significant yardspace around it. Apartments exist, so do smaller multi-family dwellings.

    THEN THEN they have to try and figure out how to get any useful data from this connection

    The useful info here being your WIFI password (the info this connection is intended to spread) allowing an attacker to piviot to the rest of your network.

    THEN THEN THEN they have to find a way to remove said useful information to a device that can actually store it.

    This would be where I’ve repeatedly talked about an attacker being able to purchase an amazon device, jailbreak it, and use it to connect to your network

    They can buy a device from Amazon then have all the time in the world to figure out a method of retrieving data from it. Once a method is worked out, they then deploy it against unsuspecting victims. (ie any random home they can get near and find an amazon device thats broadcasting looking for new devices)

    if someone is able to just walk up to your house with a random device and hang out long enough to establish a wifi connection and pull out any sort of useful data you have WAY BIGGER PROBLEMS

    I completely agree which is why I’m not happy with Amazon providing a hole to achieve exactly that.

    • Lojcs@lemm.ee
      1·
      1 year ago

      Can’t this all be prevented by the already connected devices checking if the new device matches a newly purchased, not yet set up device in your purchase history? Really slim chance someone eavesdrops on its id and retransmits fast enough to hijack the setup

      • Darkassassin07@lemmy.caEnglish
        1·
        1 year ago

        Possibly.

        A) has amazon actually implemented such a system?

        B) do you trust it’s functioning correctly? Both now and for the foreseeable future.(would/could you even know if it wasn’t?)

        Side note: does this feature work with factory reset and/or re-sold devices?

        • Lojcs@lemm.ee
          1·
          1 year ago

          I don’t see why they wouldn’t. No way to verify I guess but it’s really hard to think Amazon wouldn’t come up with a system equivalent or better than what I did while reading this thread.

          I imagine it’d be a one time convenience thing, or maybe you could open amazon and click ‘set up this device again’ or something and it reactivates