This Week In Security: Ransomware, WeLock, And Amazon Arbitration

Another week of ransomware, and this time it’s the beef market that’s been shut down, due to a crippling infrastructure attack out of Russia — but hold up, it’s not that simple. Let’s cover the facts. Some time on Sunday, May 30, JBS USA discovered a ransomware attack against their systems. It seems that their response team did exceptionally well, pulling the plug on affected machines, and starting recovery right away. By Wednesday, it was reported that most of their operations were back in action.

PSA: Amazon Sidewalk Rolls Out June 8th

Whether you own any Amazon surveillance devices or not, we know how much you value your privacy. So consider this your friendly reminder that Amazon Sidewalk is going live in a few weeks, on June 8th. A rather long list of devices have this setting enabled by default, so if you haven’t done so already, here’s how to turn it off.

Don’t know what we’re talking about? Our own Jenny List covered the topic quite concretely a few months back. The idea behind it seems innocent enough on the surface — extend notoriously spotty Wi-Fi connectivity to devices on the outer bounds of the router’s reach, using Bluetooth and LoRa to talk between devices and share bandwidth. Essentially, when Amazon flips the switch in a few weeks, their entire fleet of opt-in-by-default devices will assume a kind of Borg hive-mind in that they’ll be able to share connectivity.

A comprehensive list of Sidewalk devices includes: Ring Floodlight Cam (2019), Ring Spotlight Cam Wired (2019), Ring Spotlight Cam Mount (2019), Echo (3rd Gen), Echo (4th Gen), Echo Dot (3rd Gen), Echo Dot (4th Gen), Echo Dot (3rd Gen) for Kids, Echo Dot (4th Gen) for Kids, Echo Dot with Clock (3rd Gen), Echo Dot with Clock (4th Gen), Echo Plus (1st Gen), Echo Plus (2nd Gen), Echo Show (1st Gen), Echo Show (2nd Gen), Echo Show 5, Echo Show 8, Echo Show 10, Echo Spot, Echo Studio, Echo Input, Echo Flex. — Amazon Sidewalk FAQ

Now this isn’t a private mesh network in your castle, it’s every device in the kingdom. So don’t hesitate, don’t wait, or it will be too late. Grab all your Things and opt-out if you don’t want your doorbell cam or Alexa machine on the party line. If you have the Alexa app, you can allegedly opt out on all your devices at once.

Worried that Alexa is listening to you more often than she lets on? You’re probably right.

Taking A Peek Inside The Newest Echo Show 10

When Amazon released the original Echo, it was a pretty simple affair. Cylinder, some LEDs on top, done. Then they came out with the Echo Dot, which was basically the same thing, but shorter. It seemed like there was a pretty clear theme for a while, but then at some point Amazon decided it would be a good idea to start producing Echo devices in every form factor imaginable, from wall plugs to literal sunglasses, and things got a lot more complicated. As a perfect example, take a look at this teardown of the third generation Echo Show 10 by [txyzinfo].

Granted the base still looks a bit like the Echos of old, but the family resemblance stops there. As you can probably gather from the name, the Show features a high resolution 10.1 inch LCD panel, greatly improving the number and type of advertisements Amazon is able to force on the user. In true Black Mirror fashion, there’s even a brushless motor in the base that allows the machine to rotate the display towards the user no matter how hard they try to escape.

A salvageable part if there ever was one.

The teardown is presented with no commentary; in both the video below and on the Hackaday.IO page, all you’ll find are clear and well-lit images of the device’s internals. But for those who are just interested in what the inside of one of these $250 USD gadgets looks like, that’s all you really need.

At this point, it doesn’t seem like [txyzinfo] is trying to reverse engineer the Show or figure out how it all works, and looking at the complexity of that main board, we’re not surprised. Still, it’s a marvel to look at all the hardware they packed into such a relatively small device.

If you’re looking for a more technical examination of the newer Echo devices, [Brian Dorey] did some impressive poking around on the third generation Dot in 2019 and [electronupdate] went as far as decapping a few of the chips inside the Flex. On the software side of things, check out the recent efforts to craft an open source firmware for the original Echo.


On-Air Sign Helps Keep Your Broadcasts G-Rated

Like many of us, [Michael] needed a way to let the family know whether pants are required to enter the room — in other words, whenever a videoconference is in progress. Sure he could hang a do not disturb sign, but those are easy to forget. There’s no need to worry about forgetting to change status because this beautiful wall-mounted sign can be controlled with Alexa.

Inside the gorgeous box made from walnut, curly maple, and oak is an ESP32, some RGB LEDs, and three MOSFETs. [Michael] is using the fauxmoESP library to interface the ESP32 with Alexa, which emulates a Philips Hue bulb for the sake of using a protocol she already knows. [Michael] can change the color and brightness percentage with voice commands.

The sign is set up as four different devices — one default, and one for each color. Since talking to Alexa isn’t always appropriate, [Michael] can also change the color of the LEDs using sliders on a website that’s served up by the ESP. Check out the full build video after the break.

Need something quick and dirty that works just as well? Our own [Bob Baddeley] made a status indicator that’s simple and effective.


Is Your Echo Flex Listening?

We are always surprised that Amazon or Google doesn’t employ Kelsey Grammer — TV’s Frasier — as a spokesman for their smart home devices. After all, his catchphrase was, “I’m listening…” Maybe they don’t want to remind you that the device could, theoretically, be sending everything you say to them or a nefarious hacker or government agency. Sure, there’s a mute button and it lights up a red LED.

But if you are truly paranoid, that’s not enough. After all, the same people who want to eavesdrop on you would be happy to fake a red light. [Electronupdate] had the same thought and decided to answer the question: does the mute button really mute your microphone? The answer required not only some case opening and analysis, but there was even some IC decapsulation.

We were impressed with the depth of the analysis. The tiny SMD parts are marked confusingly, and if you are really paranoid you don’t believe them anyway. But looking at the actual circuit die is pretty unambiguous. The parts in question turned out to be a Schmitt trigger, a flip flop, and a NAND gate.


Amazon Sidewalk: Should You Be Co-Opted Into A Private Neighbourhood LoRa Network?

WiFi just isn’t very good at going through buildings. It’s fine for the main living areas of an average home, but once we venture towards the periphery of our domains it starts to become less reliable. For connected devices outside the core of a home, this presents a problem, and it’s one Amazon hope to solve with their Sidewalk product.

It’s a low-bandwidth networking system that uses capability already built into some Echo and Ring devices, plus a portion of the owner’s broadband connection to the Internet. The idea is to provide basic connectivity over longer distances to compatible devices even when the WiFi network is not available, but of most interest and concern is that it will also expose itself to devices owned by other people. If your Internet connection goes down, then your Ring devices will still provide a basic version of their functionality via a local low-bandwidth wide-area wireless network provided by the Amazon devices owned by your neighbours.

Stay Smarter Than Your Smart Speaker

Smart speakers have always posed a risk to privacy and security — that’s just the price we pay for getting instant answers to life’s urgent and not-so-urgent questions the moment they arise. But it seems that many owners of the 76 million or so smart speakers on the active install list have yet to wake up to the reality that this particular trick of technology requires a microphone that’s always listening. Always. Listening.

With so much of the world’s workforce now working from home due to the global SARS-CoV-2 pandemic, smart speakers have suddenly become a big risk for business, too — especially those where confidential conversations are as common and crucial as coffee.

Imagine the legions of lawyers out there, suddenly thrust from behind their solid-wood doors and forced to set up ramshackle sub rosa sanctuaries in their homes to discuss private matters with their equally out-of-sorts clients. How many of them don’t realize that their smart speaker bristles with invisible thorns, and is even vulnerable to threats outside the house? Given the recent study showing that smart speakers can and do activate accidentally up to 19 times per day, the prevalence of the consumer-constructed surveillance state looms like a huge crisis of confidentiality.

So what are the best practices of confidential work in earshot of these audio-triggered gadgets?
