This is a security bug.
It concerns Amazon Music Unlimited from Play repository on lg phoenix 4 LM-X210APM.
The attacker is able to alter the stream. Inserted speech is in Russian.
I will crossfrerence this bug for FBI case I have opened earlier.
Because I mix tracks I keep the copies on the phone and on a tablet hard drives. The attacker is able to manipulate these files. I did not authorize the attacker to alter the music track files I have purchased from known music reseller sites including Amazon Music. I have been able to localise these intusions to two locations in small geographical area. Each time the phone was accessed via Bluetooth.
The attacker is able to alter files via 4g LTE network.
All track mixes I have recorded and backed up to mixcloud and soundcloud have been vandalized with Russian speech inserts as well. The attacker is able to access the mixing sessions.
What made me open case with FBI was that inserted speech mentioned the name of my managers manager from Microsoft. I never used or spoke out this name for references. Instead of personal or professional references I ask prospect employer to verify the employment via employment verification.
Now the attacker is able to attack music tracks i stream from Amazon Music Unlimited.
This needs to end once and for all. The real solution to this problem over in the long run is using X509 certificates to sign music files and implement PGP support as one of extensions. Thus, if the integrity of music file has been compromised. ,Amazon Music filesystem must be able to detect the file was altered (gone smaller, larger or bit order changed) and roll it back to original state from hash sum tbat has been signed by certificate either by recording studio on behalf of musician or personally by musician.
Please escalate to Quality Assurance or Dev and let me know if you have any questions. You can reach me at
dimitrygv@gmail.com
+1 713-325-1447
Please provide bug number for reference.
Comments