Skip Navigation

Amazon FireTv Cube scares the shit out of me

I just received a new Fire TV cube gen 3, because my old one is malfunctioning. I know, I hate these devices myself, but it's the only option right now, since a new version of the Nvidia shield isn't coming in the foreseeable future.

So, I plugged in the power chord and the HDMI cable into the cube.

When it booted up it showed a screen that it's downloading the newest update. At first I thought this must be some typo-bug on the initial boot steps, because I haven't even connected it to the internet yet, neither via cable nor did I go through the wifi setup.

After the update has finished, I was greeted with my real name and the cube indeed had the actual WiFi settings!

WTF?! How's that even possible?

34

You're viewing part of a thread.

Show Context
34 comments
  • "Freely" if you enable the setting as the user posted above.

    with 0 auth or verification

    The verification still needs one of the devices listed in my post to be active on your wifi to allow the setup and communication.

    The auth is likely done by device to device handshake. Its just that there isn't a human involved.

    Don't get me wrong I hate Amazon as much as anyone and would never have one of their devices in my home.

    But most of the other posts in this thread are missing the technical aspect of the question.

    • Depending on a setting being disabled thats more than likely on by default isn't much comfort. Most people won't know about or look for those kinds of settings, especially with the deceptive descriptions often used for features like these.

      To be clear, I don't use these devices either; I'm just concerned for those that don't know any better.

      The verification still needs one of the devices listed in my post to be active on your wifi to allow the setup and communication.

      Yes, that's what I said; your amazon devices are giving away your wifi info to new devices. As in once you've allowed an amazon device onto your network, any new device can add itself to that network via your existing device without your input.

      This happens before the new device has authenticated into your amazon account as it doesn't yet have an internet connection (ie before its proven to be your device and not say a neighbours) and before you manually provide authentication for your wifi. Hence the 'with 0 auth'.

      The auth is likely done by device to device handshake. Its just that there isn't a human involved.

      A handshake between a device you own but have little control over and a device you've never seen before, may not have physical access too, and that could have been compromised before requesting your info. Great.

      I'm not saying they're beaming it out in plain text for all to read; just that they'll give your info to a device you may not even be aware of let alone own or have any control over. That device may be a stock Amazon device, or it could be something more malicious.

      • Yes, that’s what I said; your amazon devices are giving away your wifi info to new devices.

        No, they are not. You make it sound like any asshole can walk by and just turn something on and get your wifi info.

        If you're worried about a device somehow being compromised between being shipped by Amazon and making it to your front door, please dispose of all electronics and go live in the woods. That level of paranoia is not reasonable.

        • Yes, that is exactly what I'm saying as that's what it sounds like.

          If you can buy a new amazon device and have it connect to all your stuff without your input; what stops someone else buying an amazon device and connecting to your network with it?

          Obviously I'm not worried about the device I actually receive; I'm concerned that someone can buy their own device and use it to connect to other people's networks via existing amazon devices.

          • My dude, if someone is able to just walk up to your house with a random device and hang out long enough to establish a wifi connection and pull out any sort of useful data you have WAY BIGGER PROBLEMS than someone potentially using your Amazon account to order dildos.

            First of all, they have to already know you have that device.
            Then they have to physically get close enough to it for a connection to be made.
            THEN they have to hang around long enough for any sort of updates and shit to happen.
            THEN THEN they have to try and figure out how to get any useful data from this connection, which is likely an extremely limited one unless they've already established how to pivot out of the device and into something else in which case they probably would have just done that through your original device anyway.
            THEN THEN THEN they have to find a way to remove said useful information to a device that can actually store it.

            All while standing next to your front door holding their dick.

            It would be FAR easier to just leave a random USB stick on your porch and wait for your dumb ass to forget it isn't yours.

            Or, even easier than that, just goddamn buy your information on the open market. They already have your address. It's not like you can't be found.

            Have I illustrated quite yet why these low percentage attacks are the realm of movies?

            • First of all, they have to already know you have that device.

              Ie: any amazon smart device; which are becoming increasingly popular and found in many homes globally.

              Also, I'm not taking about someone targeting me, you, or anyone specifically. I'm talking about someone wandering around looking for homes that happen to have a vulnerable device and seeing where they can get from there.

              Really not hard to find.

              THEN they have to hang around long enough for any sort of updates and shit to happen.

              Trivial when you consider not everyone lives in a single-family home with significant yardspace around it. Apartments exist, so do smaller multi-family dwellings.

              THEN THEN they have to try and figure out how to get any useful data from this connection

              The useful info here being your WIFI password (the info this connection is intended to spread) allowing an attacker to piviot to the rest of your network.

              THEN THEN THEN they have to find a way to remove said useful information to a device that can actually store it.

              This would be where I've repeatedly talked about an attacker being able to purchase an amazon device, jailbreak it, and use it to connect to your network

              They can buy a device from Amazon then have all the time in the world to figure out a method of retrieving data from it. Once a method is worked out, they then deploy it against unsuspecting victims. (ie any random home they can get near and find an amazon device thats broadcasting looking for new devices)

              if someone is able to just walk up to your house with a random device and hang out long enough to establish a wifi connection and pull out any sort of useful data you have WAY BIGGER PROBLEMS

              I completely agree which is why I'm not happy with Amazon providing a hole to achieve exactly that.

You've viewed 34 comments.