Locked Down - The Security Podcast

In 2022/3 I discovered that I had been the victim of complex repeat pattern digital offending by partie(s) using Amazon Kindle Fire tablets to access my personal privileged data, application data, images, contact data, Prime video and shopping data, Alexa logs and voice data. On discovering the depth of the hack I immediately contacted Amazon in the US as would be the norm as an ethical hacker to give full disclosure. I spoke to Amazon's Principal Engineer who arranged meetings with the Head of Amazon Security for devices and a three hour meeting ensued. Logged access to the hack data was provided and from that a workflow followed to patch major huge vulnerabilities in the Amazon Fire Kindle ecosystem. These had come from poor design planning of the Kindle's authentication model, device provisioning and API model and the lack of communication between device management folk and the user experience team.

Amazon had time and grace to get these fixed, alongside two other issues which remain unfixed (including a huge privacy breach in the Amazon Echo range of products that is still unpatched as of June 12th 2025). I am giving Amazon 90 days from today to fix that or I will go public with that matter and the fallout from that could be even bigger than the issues with the bugs and holes I came to Amazon with in summer 2023. I am aware from an internal whisteblower at the highest level in Amazon whose messages and recorded audio I retain, of procedures and practices that do not paint Amazon in a good light took place in the weeks after I gave full disclosure to Amazon's Head of Security. I am also very aware of pressure placed on a major US news publishing company to not run the story (see the link https://practical-tech.com/2023/06/13/how-an-amazon-fire-kids-tablet-was-allegedly-used-to-stalk-a-security-pro/ where part of the story in sanitised format was published). However, this is a major vulnerability that Amazon chose not to communicate to end users, end users where the devices were in the hands of children and vulnerable adults globally. Where Amazon did not release changelogs or security errata or any CVE data. Which just looks like you're trying to make sure as few people as possible know.

Additionally Amazon did not publish the risks of this and also the wider definition of the huge problem and the consequences of that issue to the Security Exchange Commission (the SEC) in their 10Q and 8Q filings. And have never sought to do so. Amazon have failed to answer emails and messages since Steven J Vaughn Nicholls, one of the world's foremost respected technology journalists ran the story.

I've asked the Head of Amazon Security repeatedly to jump in. He's chosen not to do so. I've reached out to Amazon's Investor Relations and they have a responsibility, at the earliest opportunity to now engage with the SEC to explain the conduct of Amazon in misleading the markets and also not taking the opportunity to engage with end users especially those where these bugs and vulnerabilities that were used to attack myself, my children and my family and people in my homes, vehicles, and my office (by virtue of Alexa being my default assistant on my phone).

And Amazon having failed to live up to the expectations of the community and their customers whose privacy and safety they failed to take seriously. Yet when a globally respected security author, friend of Amazon, journalist and podcaster comes to you with actual evidence of domestic abuse perpetuated using your technology you circle the wagons and hope it goes away.

Listen in, I think we can establish that was not the best course of action.

This is content created and hosted by Voxiferi Studios - for more information visit https://voxiferi.com