Kindle and malicious hot spots

[Yourcat]

I also think that one is quite save even if the hotspot is hacked. We don't have keys to sign firmware images - an evil hacker could have them. There are enough job offers at lab126 so they may have already hired a hacker.

[geekmaster]

Quote:

Originally Posted by Yourcat

I also think that one is quite save even if the hotspot is hacked. We don't have keys to sign firmware images - an evil hacker could have them. There are enough job offers at lab126 so they may have already hired a hacker.

Again, just like you are more vulnerable to hacked computers on your own network, you are also vulnerable to hackers at the vendor's company. Both ends of the encrypted "pipe" are open. It is only intermediate computers on the TCP/IP route where encryption fully protects you (other than weak PRNG problems and 0-days the NSA knows about) from Man-In-The-Middle (MITM) attacks. The endpoints are not encrypted. These are risks we take with companies and products and networks and services that we choose to trust, hopefully with an informed decision. The price of convenience. Technology is a double-edged sword.

But hacking and spying can go both ways. Kindle hackers (of lesser ethics) can tunnel traffic of all kinds through the kindle proxy by pretending to be normal kindle web browser traffic, exploiting corkscrew and "clicks to google". We do not support nor condone such things at this website. I only mentioned it to demonstrate that trust must go both ways. The service provider is also vulnerable as well.

[knc1]

Quote:

Originally Posted by Yourcat

Actually Kindle creates outgoing connections (to Amazon servers) which one could terminate on a local server and send custom replies. No need to penetrate the firewall. As we have seen one could delete developer keys. Locking the device could also be possible.

Outgoing HTTPS (TLS-1.2) connections.
Lots of luck faking that.

Where have you seen that one could delete developer keys?
(Other than by changing your registration status with Amazon)
Link please.

Now what do you mean by "Locking the device"?

- - - -

At the very bottom line -
What do you have on a Kindle worth protecting?
Translation:
So what.

[geekmaster]

Quote:

Originally Posted by knc1

Outgoing HTTPS (TLS-1.2) connections.
Lots of luck faking that.

Where have you seen that one could delete developer keys?
(Other than by changing your registration status with Amazon)
Link please.

Now what do you mean by "Locking the device"?

- - - -

At the very bottom line -
What do you have on a Kindle worth protecting?
Translation:
So what.

Agreed. What use would it be to steal or delete our public dev key? We could just install it again with another jailbreak, so what would be the point? A lot easier to download a jailbreak here (no account needed) and extract the dev key directly.

The digital sky is not falling.

[knc1]

We Publish our developer's key-pair!
Been that way forever, and have never heard of it being misused.

Agreed -
The digital sky is not falling on the Kindle users.

[Yourcat]

The digital sky is not falling on the Kindle users.
If one asks what could be done one may give a proper answer even if it is very unlikely that it will ever happen.
Kaspersky may release a virus scanner for KUAL