Amazon Sidewalk Raises Privacy and Security Concerns
Low-Bandwidth Network Can Share Internet Connections Among Amazon Devices
Internet of things security professionals are expressing concern over Amazon's new Sidewalk - a low-bandwidth network program that will allow some of the company's connected and internet of things devices to share Wi-Fi access even outside an owner's home.
Amazon's ability to properly secure Sidewalk and what the company might do with the data collected by this new program have raised a few eyebrows in the security industry even as the company says it has worked through the security aspect and will not have access to the information gathered and transmitted.
Amazon touts Sidewalk, which will go online on Tuesday, as "a shared network that helps devices like Amazon Echo devices, Ring security cams, outdoor lights, motion sensors, and Tile trackers work better at home and beyond the front door. When enabled, Sidewalk can unlock unique benefits for your device, support other Sidewalk devices in your community, and even locate pets or lost items."
While it's innovative, some see security and privacy shortcomings with the company's latest offering.
"Amazon Sidewalk has been designed to make Amazon consumer devices work well with one another and does feature a level of security designed into the system, however, as these devices make their way into the enterprise and onto the network, this level of security is likely insufficient," says Christopher Dobrec, vice president of IoT threat firm Armis.
Other experts expressed concern that Amazon is automatically opting its customers into Sidewalk and that Sidewalk moves data between people who do not know each other, opening it up for capture and possible compromise.
"There are enough of these devices that are active and likely managed by people who are unwittingly opting in due to Amazon's intent to use this as a default setting, providing a large chunk of network traffic that will use this new encryption method," says Charles Ragland, security engineer at the threat intelligence firm Digital Shadows.
The Sidewalk program utilizes a small amount of internet bandwidth from a home network connected to certain Amazon devices called Sidewalk Gateways. This bandwidth is then pooled together with others in a community, creating a new, larger network that can be accessed by any nearby Sidewalk-equipped device, Amazon says.
The gateway devices include the:
- Ring Floodlight Cam (2019)
- Ring Spotlight Cam Wired (2019)
- Ring Spotlight Cam Mount (2019)
- Echo (3rd gen and newer)
- Echo Dot (3rd gen and newer)
- Echo Dot for Kids (3rd gen and newer)
- Echo Dot with Clock (3rd gen and newer)
- Echo Plus (all generations)
- Echo Show (all models and generations)
- Echo Spot
- Echo Studio
- Echo Input
- Echo Flex
- Tile trackers
Amazon device owners who do not wish to participate when the program starts on June 8 can opt out of the program through the device's settings.
"We also recognize customers appreciate choice and control, which is why they can enable or disable their Amazon Sidewalk settings at any time. By default, the location setting is disabled, but customers can choose to enable it anytime in the Ring Control Center or in the Alexa settings," an Amazon spokesperson told Information Security Media Group.
How Sidewalk Works
The Sidewalk Gateways communicate with Sidewalk Endpoints, which are low-bandwidth mobile devices such as Amazon Tile trackers, water leak sensors, door locks, lights or soon-to-be developed third-party devices that can be attached to valuables or a pet for location purposes, the company says.
The network is formed when the gateways communicate with the endpoints over either the 900 MHz long-range radio or Bluetooth Low Energy. The typical range of a Sidewalk Gateway is about 1 kilometer, depending on where in a home it is located and the local terrain, Amazon says.
Amazon caps the amount of data used by the Sidewalk network at 500MB from any single internet connection.
The entire process is conducted on the Sidewalk Network Server, which, Amazon says, verifies the packets being exchanged come from authorized Sidewalk devices and then routes them to the proper device.
Also involved in the process are application servers that host the Sidewalk Endpoints and implement the business logic for the user experience and the desired product functionality. Application servers are managed by the Sidewalk Endpoint manufacturer, which can be Amazon or a third-party developer, Amazon says.
Amazon says there are privacy and security protocols built into Sidewalk to protect users, but cybersecurity professionals have doubts, even though some agree that at first blush Amazon has done a good job locking down Sidewalk.
Roy Horev, co-founder and CTO at Vulcan Cyber, says the level of sharing that will take place on Sidewalk is cause for concern: not only do Amazon and any third-party participants have to secure the system, but so do a user's neighbors.
"Even if you trust Amazon to disclose and fix vulnerabilities fast enough to avoid damage - you probably shouldn't - do you trust your neighbor to patch their devices fast enough to avoid risk? You shouldn't. They are a part of your network when using Sidewalk. Do you trust third-party developers creating plug-ins to be secure enough? Again, you shouldn't," he says.
Concerning privacy, Amazon says it cannot view any of the data being transmitted "without permission."
Amazon's security includes multiple layers of encryption that it says it cannot decrypt, and it limits the metadata tracked by the network to bandwidth usage and the Sidewalk Endpoint's identifying number.
"Information customers would deem sensitive, like the contents of a packet sent over the Sidewalk network, is not seen by Sidewalk; only the intended destinations (the endpoint and application server) possess the keys required to access this information," Amazon says.
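To make the division of trust described above concrete (the network server checks that packets come from authorized endpoints and routes them, only the endpoint and the application server hold the keys to the contents, the network records only bandwidth usage and the endpoint identifier, and a single connection is capped at 500MB), here is an added Python model. It is not Amazon's code and does not reproduce the Sidewalk protocol: the frame layout, the 8-byte endpoint identifier, the "gateway-A" and "gateway-B" labels, the sensor message and all keys are constructed for the example, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
"""Illustrative model of an endpoint -> network server -> application server relay.
Added example, not Amazon's code; every name, key and message here is made up."""
import hashlib
import hmac
import os
import struct

DATA_CAP_BYTES = 500 * 1024 * 1024  # the 500MB per-connection cap quoted in the article
ENDPOINT_ID_LEN = 8                 # constructed: fixed-width endpoint identifier
NONCE_LEN = 12
TAG_LEN = 32                        # HMAC-SHA256 tag


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.
    Stand-in for a real AEAD so the model runs on the standard library only."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def app_encrypt(app_key, plaintext):
    """Endpoint side: encrypt-then-MAC under the key shared only with the application server."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(app_key, nonce, len(plaintext))))
    tag = hmac.new(app_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def app_decrypt(app_key, blob):
    """Application-server side: verify the tag before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(app_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("application-layer tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(app_key, nonce, len(ct))))


def network_frame(endpoint_id, net_key, payload):
    """Endpoint side: id || opaque payload || HMAC over both under the network-layer key."""
    tag = hmac.new(net_key, endpoint_id + payload, hashlib.sha256).digest()
    return endpoint_id + payload + tag


class ApplicationServer:
    """Holds the application key; the only party that can read the payload."""
    def __init__(self, app_key):
        self.app_key, self.received = app_key, []

    def receive(self, payload):
        try:
            self.received.append(app_decrypt(self.app_key, payload))
        except ValueError as exc:
            return "rejected: " + str(exc)
        return "delivered"


class NetworkServer:
    """Verifies frames come from registered endpoints, meters bytes per gateway and routes
    by endpoint id. It never holds an application key, so payloads stay opaque to it."""
    def __init__(self, registry, app_servers):
        self.registry = registry        # endpoint_id -> network-layer key
        self.app_servers = app_servers  # endpoint_id -> ApplicationServer
        self.gateway_usage = {}         # gateway_id -> bytes relayed so far
        self.metadata_log = []          # (gateway_id, endpoint_id hex, frame bytes) only

    def relay(self, gateway_id, frame):
        endpoint_id, payload, tag = frame[:ENDPOINT_ID_LEN], frame[ENDPOINT_ID_LEN:-TAG_LEN], frame[-TAG_LEN:]
        net_key = self.registry.get(endpoint_id)
        if net_key is None:
            return "rejected: unknown endpoint"
        expected = hmac.new(net_key, endpoint_id + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad network tag"
        used = self.gateway_usage.get(gateway_id, 0) + len(frame)
        if used > DATA_CAP_BYTES:
            return "rejected: gateway data cap reached"
        self.gateway_usage[gateway_id] = used
        self.metadata_log.append((gateway_id, endpoint_id.hex(), len(frame)))
        return self.app_servers[endpoint_id].receive(payload)


def demo():
    """Run the four cases: legitimate delivery, forged frame, capped gateway, tampered payload."""
    endpoint_id = b"\x00" * 7 + b"\x01"          # constructed endpoint identifier
    net_key, app_key = os.urandom(32), os.urandom(32)
    app = ApplicationServer(app_key)
    ns = NetworkServer({endpoint_id: net_key}, {endpoint_id: app})
    results = {}
    payload = app_encrypt(app_key, b"leak sensor: water detected")   # constructed message
    results["legit"] = ns.relay("gateway-A", network_frame(endpoint_id, net_key, payload))
    results["app_saw"] = app.received[-1]
    results["metadata"] = ns.metadata_log[-1]                        # id and byte count only
    results["plaintext_in_payload"] = b"water detected" in payload
    # Frame signed with a key the network server does not recognise.
    results["forged"] = ns.relay("gateway-A", network_frame(endpoint_id, os.urandom(32), payload))
    # Gateway already within a few bytes of its allowance.
    ns.gateway_usage["gateway-B"] = DATA_CAP_BYTES - 10
    results["capped"] = ns.relay("gateway-B", network_frame(endpoint_id, net_key, payload))
    # Payload altered by a relay: the application server's own tag check catches it.
    altered = bytearray(payload)
    altered[NONCE_LEN] ^= 0x01
    results["tampered"] = app.receive(bytes(altered))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows a legitimate frame delivered, a frame forged with an unregistered key refused before it reaches the application server, a gateway over its allowance refused, and a payload altered in transit rejected by the application server's own tag check. That last property is what keeps a compromised relay, or a neighbor's gateway, from reading or silently modifying the contents, which is the assurance Amazon's statement above is making.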
Not all cybersecurity experts are impressed with Amazon's precautions.
"Getting encryption right is hard, and the security community advocates using existing standards instead of rolling your own. Even existing standards have had significant vulnerabilities disclosed, and it's likely that Amazon's version will be no different. It isn't a matter of if, it's a matter of when and how fast Amazon will respond to fix it," Ragland says.