It's now six or seven weeks since we went public following Steven J. Vaughan-Nichols, the world famous trusted and lauded US technology editor in his story about my having been hacked and stalked using Amazon Fire devices.
Now nearly 100k people have downloaded and listened to Episodes 1-4 we have further disclosure that has been made available by folk within Amazon and also software engineers in the community regarding Amazon having been aware of issues with SLO / SSO and security issues with FireOS 5.x - 7.x during the period 2017 to 9th June 2023 when it was finally patched.
And a county police force in the UK, Wiltshire Police now look extremely lax, naive, inexperienced and they should be very very embarrassed.
I am meeting with them and their Digital Forensic Team (finally) in the next few weeks. They should be humble, embarrassed and ashamed of what a shower of shit they are. I look forward to the Chief Constable of Wiltshire releasing a public facing apology before Christmas and I look forward to and fully expect interim damages from Wiltshire Police for their failures.
Episode 6 out soon.
Episode 4: Ethical People do exist at Amazon
08/10/2025 | 39 mins.
There are good people in the world. Ethical folk who are engineers and programmers, programme leads and operational staff. Often they are managed by those who play the angles. Who would rather the bad news never saw the light of day.
But when you're an SEC listed company, fined days prior by the US Department of Justice and the FTC for a smaller breach than the one you've just had walked in the door that now affects the legacy privacy of tens of millions of devices in the field then you have an absolute responsibility to communicate to your users.
In fact the DoJ ruling stated that Amazon was ordered to "notify users of its retention and deletion practices and controls;". Immediately two major vulnerabilities which impacted that ruling were on the desk of the Head of Security regarding retention of data and privacy and cached credentials allowing a device to become a trusted hardware token.
With the fourth major bug being the fact that software flaws in Cloudview and logging meant you were unable to deregister Kids Fire devices at all from the Web UI.
So what happens when someone blows the whistle when Amazon tried to cover all this up?
Decent people do exist. Shame Amazon can't keep hold of them. Maybe they should send him a stock award and an apology.
Episode 3: Setting Fire to Security Basics
08/10/2025 | 24 mins.
So knowing for absolute fact that I am the subject of industrial scale stalking and hacking, the devices left with my ex wife being subject to the flaws and bugs relating to cached credentials and the Amazon Photo and Amazon Alexa lack of forced authentication (alongside an aged device logging bug) I was determined to engage with Amazon properly. Engaging with the Head of Security at Amazon and Ring in Seattle one on one. With live data supplied from Cloudwatch the immutable tamperproof platform that Amazon use to log all retail and operational activity.
I had no idea the storm that was about to break. But it's enough to put a Devizes girl in prison.
Episode 2: Don't Play With Fire
06/10/2025 | 33 mins.
Amazon FireOS is a fork of stock Android. And what must be remembered is it has to support a lot of software repos and a lot of older libraries. However Amazon not licensing Android from Google and not partaking in the Play ecosystem is one matter. Amazon have only got to support a limited range of graphics chipsets and a limited range of hardware mainboards so it's NOT a lot of work. There are mainstream open source Linux distributions supporting PPC Intel ARM who have to do a lot more work than Amazon.
Amazon FireOS tablets have always been two to three distributions behind Google. Have always failed to have security standards aligned with Google. No file encryption or SD card encryption. No Knox equivalent etc. So you'd expect if you have older stable dev trees that you would take security and privacy seriously.
I proved categorically that Amazon did no such thing.
Episode 1: Into The Fire
05/10/2025 | 42 mins.
In 2022/23 I discovered major discrepancies in the data I had been sent by Amazon regarding two tablets bought for my children in 2017. This followed a contentious toxic divorce and my suspicion that the tablets had been used by my ex-wife to stalk, monitor, eavesdrop and to gain unlawful access to documents, photos, audio, contact information and location information during 2018 to 2020.
But I couldn't work out how as I'd changed passwords religiously. I had two factor authentication.
It surely wasn't possible that an attack vector could be the two tablets, the cheapest plastic technology we owned.
Imagine my horror when I discovered four major bugs in FireOS and in the design and architecture of Fire operations.
About Firestalked - The Amazon Fire Tablet Security CoverUp
This is the true story of how Chloe Grist, a resident of Wiltshire in the UK, an NHS staffer (also known as part of an entity known as Cracking Pair / Bird Is The Word) between July 2018 and June 2020 harnessed two Amazon Fire tablets bought for her children prior to a toxic divorce. To stalk and to surveil her children and her former husband who had divorced her for infidelity and breaches of trust. How she exploited them to gain access to Amazon Photos, and privileged access to information during the life of two Court Cases where she was respondent. And how that surveillance of her ex husband aligned to her stalking him in the years prior to their eventual relationship.
Chloe Grist having twice broken into his home in Swindon in 2008, once at 6am in the morning having driven nearly an hour from her home gaining unlawful illegal access witnessed in the process and a second time breaking into his home office. Her later stealing and sending intimate images to a third party and then in 2008 at the culmination of her stalking launching a stalking campaign rarely bettered.
In Summer 2008 Chloe Grist created a false account on LinkedIn to pose as a head hunter. Approaching her now former husband. For weeks she attempted to gain his confidence as that head hunter and then when he wasn't interested in the role, knowing he was single, approached him using the same false name (having caused a computer to create those false credentials) to befriend him on MSN where for months she chatted to him pretending to be "this person".
Add on between him serving divorce on her and her appearing in Court in December 2018 her making constant false allegations to defeat proceedings and then her committing fraud in October 2018 attempting to get Legal Aid, and then her being recorded stating that she had researched committing perjury, before committing fraud in June 2019 in Bath Law Courts.
What is equally worrying is that Chloe Grist is now on the hook for on six occasions gaining entry to the United States of America using falsified ESTA information failing to admit that she was a former serious cocaine user which had been detailed in court cases her doing so most recently in Summer 2024. The ESTA forms clearly stating that if you had ever used narcotics or been involved in narcotics that you had to declare it, and additionally that had you ever misled US Immigration Authorities with information provided to gain entry. Telling the truth to the US Immigration Authorities is not important to Chloe Grist. After all she's Teflon coated. Although now, not so much. She's outed as a stalker, a domestic abuser and someone who uses electronic devices, computer accounts and computer technology (whether that's a LinkedIn account or the Amazon devices) to stalk and control. A fraud and a sham, an empty vessel who lived in shared houses and rented rooms and is now supported by benefits and handouts because she was cut off and kicked to touch. So next time you see someone with a headphone on one ear DJ'ing just remember who she is. An abuser who decided to harness technology to cause fear and distress because as a spoilt child growing up the word no didn't count for much and she could get away with murder.
The door to the US is now firmly closed and the US Immigration Authorities aware now of Ms Grist and this podcast. If she does set foot in the US now the Amazon stalking rears its head in US jurisdiction.
But the Amazon Fire Tablet matter that came to light in 2022/23 is the icing on the cake.
In 2023 Amazon were made aware at the highest levels of a massive security exploit made against its Amazon Fire tablets because of amazingly stupid flaws that had existed for many years in FireOS.
Specifically security vulnerabilities in the privilege escalation and authentication libraries which allowed child's play simple exploits against upstream Amazon cloud architecture. Whilst the vulnerabilities were confirmed and subsequently patched, Amazon failed to publish security errata, CVE information of any description or to make public the extent of the huge vulnerabilities affecting millions of devices used in homes globally.
Fire tablets are fantastic devices that extend Amazon capabilities importantly into the home and have often been the first touch device for millions of children outside of the more expensive iPad world or more expensive Android tablets.
So why did Amazon, when they were aware of such massive vulnerabilities affecting tens of millions of users never publish a single solitary release of information for users in households across the world? Conversely why didn't they inform any of their partners in any of the educational institutions globally that they support by way of donation or have sold Fire tablets to. Knowing those massive privacy impacting holes that were simply exploited had been discovered and now thanks to a UK security engineer detailing them to Amazon - patched.
A breach of confidence in the world's biggest consumer technology provider and online cloud retailer?
But more worryingly, fully aware that the engineer reporting the vulnerability, one of the world's most widely known Open Source engineers, was the victim of long term domestic abuse using the devices, went quiet.
A victim of actual domestic violence perpetuated using two of their devices. And Amazon knew that the abuse potentially extended to millions of other households where the potential was there for those tablets with cached credentials to have allowed privileged access to accounts.
They tried to cover up the story.
This is the podcast that shines a light on what happened and ends with a full and unabridged explanation from the Principal Engineer involved in the security dilemma that explained how an Amazon senior staffer was able in very clear audio broadcast here in episode 4 of Amazon PR and Legal instructing a cover up. Evidenced by the non reporting in errata and changelogs of the security holes.
Yet an SEC listed company freshly fined by the FTC deciding to do this is a shocker. So now is it appropriate that the FBI and the SEC now find themselves involved and Amazon forced to cooperate?