by driverdan 3910 days ago
This has interesting security implications for both sides. Is the device 100% offline or does it phone home when you connect it to your network or transmit any other data? What if someone gets the device and hacks it to scan Amazon's networks when sent back?

I'm gonna guess they have all sorts of physical tamper detection capabilities to prevent this. And perhaps a software load that gets wiped every time, so in case you find a bug in their software (iSCSI? NFS? whatever) it might be hard to escalate.
Tamper detection won't prevent anything. It would just be an indicator that something appears to have happened.

The software load that is wiped every time is a first, and extremely basic, line of defence.

Realistically I'd hope the OS is on an SD card that they can literally take out and throw away after they have the data off (you can pwn the micro-controller on an SD card) - and replace with a freshly baked card.

Presumably if their sensors say the system has been cracked open, they don't just ship it out to another user. (And they could have many layers of sensors, telling them if it was just via damage (hitting it with a forklift) or someone really getting in.) Considering the potential downside, I'm sure they've done some work here.
Most likely, they'll get the same results as if they were scanning from an EC2 machine. I doubt Amazon would put it in a trusted (V)LAN.
But the end user probably trusts the machine 99%, so what if you load it with something malicious, send it back to Amazon and wait for it to be sent to another customer and thus hack their network? That is if Amazon does not completely wipe their drives (Hide it somehow?).
This is 100% the scenario I was just imagining.

Obviously this device has been designed to be a multi-time use device.

Amazon definitely do NOT have physical control over this box. They would need to do a complete low-level reflash of every single bit of firmware on there, every time it came back. That's not actually that inconceivable in an enterprise-grade server, and I hope to see some interesting details about that.

But still... just imagine some of the fun HDD firmware hacks making their way onto this. Or NIC firmware. Or even just the embedded Kindle being rooted, and used to sniff out Wifi networks, report its location via 3G, etc.

Not to mention the obvious data recovery attacks if the disks have not been wiped to the highest levels.

I agree with parent comments, and assume Amazon would put this on its own untrusted VLAN when it comes back. But would they weight it first to see if any pwnies have been inserted into the box? Visually inspect inside to see if physical components have been removed to ensure the weight is actually the same, despite a pwnie inside?

I really hope Amazon put out advice to their customers on how to connect this - ideally it should just be on a point-to-point link to a sacrificial server containing the data.

Nobody needs to trust the device, actually.

Assume Amazon only loads it up with encrypted data over an untrusted network, and the customer only takes off the encrypted data over an untrusted network.

Depends on your definition of trust.

But yes, if you assume this device is treated as malicious at both ends - just like an unfiltered internet connection, but 10x worse - and that the client software that is doing the load/verification, or unload/verification, is doing decent input validation, and your assumption that the user is doing their own encryption prior to transferring it to the device, I agree.
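The "treat the device as malicious at both ends" model from the last two comments, as an added example that is not code from the thread or from Amazon. It models the transfer device as an in-memory map of blobs so it runs offline; the customer seals each file with AES-256-GCM under a key that never touches the device (assumed to be shared with the far end out of band), binds the file name as associated data so a blob cannot be quietly relabelled, and the unload side only accepts the files it expects, caps blob size before doing any cryptography, and refuses anything that fails authentication. The names Seal, Open and Unload are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext with AES-256-GCM (key must be 32 bytes) and binds
// label as associated data. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, label string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any bit flip in the blob, or a mismatch between the
// label it was sealed under and the label it is opened under, fails here.
func Open(key []byte, label string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Unload is the receiving side's input validation. It pulls only the
// expected names off the untrusted device (stray entries are ignored),
// rejects oversized blobs before any cryptography runs, and every blob
// must authenticate under its own name.
func Unload(key []byte, device map[string][]byte, expected []string, maxSealed int) (map[string][]byte, error) {
	out := make(map[string][]byte, len(expected))
	for _, name := range expected {
		blob, ok := device[name]
		if !ok {
			return nil, fmt.Errorf("%s: missing from device", name)
		}
		if len(blob) > maxSealed {
			return nil, fmt.Errorf("%s: sealed blob exceeds %d bytes", name, maxSealed)
		}
		pt, err := Open(key, name, blob)
		if err != nil {
			return nil, fmt.Errorf("%s: authentication failed: %w", name, err)
		}
		out[name] = pt
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key; real keys come from a KMS/HSM
	device := map[string][]byte{}         // constructed stand-in for the shipped device

	// Customer side: seal before anything touches the device.
	for name, data := range map[string][]byte{"db.tar": []byte("alpha"), "logs.tar": []byte("bravo")} {
		blob, err := Seal(key, name, data)
		if err != nil {
			panic(err)
		}
		device[name] = blob
	}
	device["firmware.bin"] = []byte("unexpected payload") // planted by the device; never read

	// Receiving side: only expected names, only authenticated blobs.
	files, err := Unload(key, device, []string{"db.tar", "logs.tar"}, 1<<20)
	fmt.Println("clean unload:", err == nil, len(files), "files")

	// Tamper in transit: flip one byte and the blob no longer opens.
	device["db.tar"][len(device["db.tar"])-1] ^= 0x01
	_, err = Unload(key, device, []string{"db.tar", "logs.tar"}, 1<<20)
	fmt.Println("tampered unload rejected:", err != nil)
}
```

The device never sees a key, so whatever runs on it (firmware, a rooted controller, a modified disk) can corrupt or withhold data but cannot read it or substitute plausible-looking files; the receiving side's only trust is in its own key and its own allowlist.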