Friday, March 4, 2016

Amazon removes encryption stored on devices like the Kindle Fire or Fire Stick

Locally stored data on Amazon Fire devices is no longer encrypted. Anyone who upgrades their Kindle Fire, Fire Phone, Amazon Fire HD, or Amazon Fire TV Stick to Fire OS 5 will have local information left vulnerable to cyber attacks and stored in plain text. Amazon forum members first flagged the encryption removal.

Making devices remove encryption goes against basic cybersecurity principles. An attacker or thief gets nothing but scrambled data if they gain access to an encrypted device, but when they get their hands on an unencrypted one, most anything is up for grabs. They can see all local data, including app data, like logins and credit card credentials, as well as photos, videos, texts, and emails.

It's unclear why the company would choose to deprecate its encryption standards. An Amazon spokesperson did try to clarify. "When we released Fire OS 5, we removed some enterprise features that we found customers weren’t using," the spokesperson said. The spokesperson also noted that this decision was made in the fall of 2015, prior to the over-the-air update that was released this past month.

Users have a few options to preserve the encryption. They can refuse to update (but that presents its own security patching issues and could later become mandatory); they can upgrade and hope for the best; or they can stop using their Fire devices — none of which seem ideal.

Android devices have often faced trouble implementing device encryption. Android Lollipop was planned to be released last year with encryption enabled by default, but Google later backpedaled on its promise, citing "performance issues" on cheaper devices. Although encryption wasn't enabled by default, users can turn it on manually. Users have no choice in FireOS.

Some observers have drawn a connection between Amazon's OS decision and Apple’s fight against the FBI. Apple is specifically going up against law enforcement because they want access to valuable local data kept on the iPhone 5C of a suspected terrorist. The company says there's nothing it can do to retrieve the data because it intentionally encrypts local data to keeps users safe from all sorts of cyberthreats. Amazon hasn't yet filed an amicus brief in support of the company, though it said in February it planned to do so.

No comments:

Post a Comment