Deadline draws near to avoid auto-joining Amazon's mesh network Sidewalk
'A stalker can abuse it to stalk people better. There are no mitigations mentioned'
Owners of Amazon Echo assistants and Ring doorbells have until June 8 to avoid automatically opting into Sidewalk, the internet giant's mesh network that taps into people's broadband and may prove to be a privacy nightmare.
The idea is that if, for instance, your internet connection goes down or is interrupted, your Amazon smart home devices will still be able to communicate with the outside world, and send out alerts or take instructions, by wirelessly connecting to neighbors' Sidewalk-compatible gadgets and using their internet connection instead.
These Sidewalk gizmos communicate with one another using Bluetooth Low Energy over short distances and 900MHz LoRa over longer ranges, and use Wi-Fi to reach the public internet and Amazon's backend servers.
By joining this mesh, you can expect to hand over as much as 80Kbps of your broadband bandwidth to other devices; the data used up by Amazon Sidewalk will be capped at 500MB a month.
There are other gadgets that can access this network. One being Tile trackers – those little devices you attach to your stuff so they can be found again via Bluetooth. Amazon hopes Sidewalk will create a large ad-hoc network that covers swathes of the US to help people easily locate lost pets and belongings, improve connectivity for Ring home security devices and Echo-powered applications, and so on.
Clearly Amazon wants its mesh to be cast as wide as possible, and so from June 8, its Sidewalk-capable devices will be opted into the network by default, and Tile compatibility will follow on June 14. After June 8, you can opt out at any time by disabling Sidewalk features in your device.
Prior to that date, if you wish to avoid this automatic enrollment, you should open your account settings in your Alexa app and switch off Sidewalk, or from the Control Center of your Ring app.
Here’s a list of all the Amazon devices that can connect to Sidewalk when it’s launched next week: Ring Floodlight Cam (2019), Ring Spotlight Cam Wired (2019), Ring Spotlight Cam Mount (2019), Echo (3rd gen and newer), Echo Dot (3rd gen and newer), Echo Dot for Kids (3rd gen and newer), Echo Dot with Clock (3rd gen and newer), Echo Plus (all generations), Echo Show (all generations), Echo Spot, Echo Studio, Echo Input, and Echo Flex.
Amazon and data – what could go wrong?
The project has been in the works for a while, and now it’s just about to kick in, it's a good time to think about the privacy and security risks. There's the issue of giving an already incredibly large and powerful corporation more access to home equipment and internet connections.
The new mesh network raises a wide array of concerns about how users’ data is potentially exposed to other device owners
“Amazon Sidewalk only exacerbates the privacy risks that Echo and Ring devices pose to the public," Albert Fox Cahn, executive director of the non-profit Surveillance Technology Oversight Project, told The Register.
"The new mesh network raises a wide array of concerns about how users’ data is potentially exposed to other device owners. Also, if Amazon is successful in expanding this mesh network, it could raise huge antitrust concerns, creating a parallel internet from countless Internet-of-Things devices. This risks giving one of the world’s worst monopolists control over not just our devices, but the internet itself.”
- Amazon's ad-hoc Ring, Echo mesh network can mooch off your neighbors' Wi-Fi if needed – and it's opt-out
- Apple's Find My network can be abused to leak secrets to the outside world via passing devices
- Amazon tells ISPs: I can be your Eero, baby. I can ease your Wi-Fi pain. I will block bad sites forever...
- Ring glitch results in global ding dong ditch: Doorbell bling flings out random pings but they're not the real thing
Amazon promises data transferred via Sidewalk will be encrypted, and that it has put in place defenses, described in this whitepaper, to safeguard people's information and devices. For instance, the network is designed to prevent one gadget from hijacking another in the mesh or snooping on their activity.
The EFF's Director of Technology Projects Jon Callas told El Reg that although the security whitepaper “looks pretty good,” there is bound to be at least one bug or overlooked shortcoming that will affect someone somewhere.
For instance, he said a widespread mesh will make it a lot easier to secretly track someone with something like a hidden Tile.
Rather than wait for the Tile to go in and out of range of someone with the Tile app on their phone, during which it can report its whereabouts, with Amazon's Sidewalk in full effect, the Tile can be tracked anywhere and anytime it goes near a participating Echo or Ring device, at the very least. That makes it a lot easier to stalk people, from friends to spouses.
The risk of Sidewalk is not in its network use or privacy, but in the way that it creates opportunities for people to use it to track and stalk others
“A Tile tracker can tell you where your keys are," said Callas. "A pet collar could tell you where your dog is should they get away from you. It also permits someone to track someone else. Drop a Tile into your partner’s handbag, or your neighbor’s car, and you get to track them around.
"As Amazon Sidewalk becomes more widespread, a stalker can abuse it to stalk people better. There are no mitigations mentioned in any of Amazon’s papers, so we assume there are no restrictions on using it for stalking.
"Amazon needs to address it, and this is where you can call them out this lack. The risk of Sidewalk is not in its network use or privacy, but in the way that it creates opportunities for people to use it to track and stalk others.” ®