While Amazon has approached Sidewalk, an endeavor in connecting smart devices to a neighborhood mesh Wi-Fi, in a "sophisticated way" with privacy in mind, experts are still wary of how effective this project will be from a security standpoint.
Amazon announced last week that the program will start June 8 and that customers will automatically be opted in. They can opt out at any point of this latest project, which keeps smart devices connected at all times by using a mesh Wi-Fi system. If you don't want to participate, here's how to opt out on Echo devices and Ring devices.
The program, which was initially announced in September 2019, uses a low-bandwidth shared network that will use part of your home Wi-Fi to connect to Amazon Echo devices, Ring security cameras and lights, and Tile Bluetooth trackers. The mesh Wi-Fi is helpful when your device loses connection, at which point it will automatically connect to the neighborhood Wi-Fi over the 900MHz channel.
According to the company's privacy and security whitepaper, the project was "carefully designed" with privacy protections in mind, specifically on how it collects, stores, and uses metadata.
For example, each user device will have a "unique session key" with the Sidewalk Network Server (SNS) and Application server when it registers with the program. Once the device has been identified and is part of the system, the SNS won't be able to identify a user, which makes it "difficult for anyone, including Amazon, to piece together activity history over time."
Information is wrapped in layers of protection, but nothing is 'zero-risk'
Amazon also notes that the information devices need to work on the network will travel in what it calls a "packet" that has three layers of encryption protection. The encryption is done to "ensure data is visible only to the intended party."
John Verdi, vice-president of the Future of Privacy Forum, an industry-backed nonprofit based in Washington, D.C., said in an interview that what makes this program strong on the privacy front is that only Amazon devices and those of trusted partners can participate. He added that users can't just add a device of their own, like an iPhone or a personal laptop, to the program.
"What that means is that Amazon can limit the physical hardware devices that connect to Amazon manufacturer devices and trusted partners. Not just any device can connect. There's the validation of the device itself," he said.
Verdi also added that the program wouldn't use a lot of data that is typically used for streaming video. Sidewalk would only use up to 500MB of bandwidth a month, a relatively small amount — though not insignificant for people on a fixed-bandwidth connection.
"The Sidewalk mesh network [likely] doesn't use bandwidth that will materially impact the owner's online experience," he said.
Verdi added that there is no "obvious or straightforward way" in which a third party could manipulate the system.
Whitepaper is full of complicated jargon
Sumit Bhatia, director of communications and knowledge mobilization with the Cybersecure Catalyst at Toronto's Ryerson University, said in an interview that Amazon's whitepaper covers security and privacy in detail, but uses sophisticated language that makes it difficult for a regular person to understand how the system works.
Bhatia said that while this is a step towards building a smart neighborhood or city, there needs to be a proper framework with systems that have been tested before implementing a large-scale project like Amazon is trying to do.
And while Amazon has laid out clear privacy guidelines, Bhatia suggests that this is another way for Amazon to create a user profile, this time by creating a connected-service program.
"Amazon is being very strategic about how they're doing this because they're doing this without being somewhat of an internet service provider, but still being able to claim ownership of a network where they can aggregate data of a larger pool of people," he said. "That to me is problematic."
Without beta testing the program, how does Amazon know it's effective?
Rebecca Herold, CEO of the Privacy Professor Consultancy and a privacy expert, agreed with Bhatia in an interview, adding that the white paper includes "copious amounts of text and jargon."
She notes that despite Amazon explicitly detailing its encryption method, which is "very protective," there are still issues.
"We've already seen how you can actually use the mesh network to basically decrypt rather easily using simple tools like configuring IP tables that will tell devices to forward traffic from all Echo devices or all other types of IoT devices to a certain proxy. And by sending it to a certain proxy it can replace the Amazon Server Certificates.
"The way it works is basically those IoT devices are going to accept the certificate of whoever answers them first. I just want to sit around in my network in my neighborhood here and figure out a way to incorporate my devices into the network and I could probably fool a lot of those devices into trusting me," she said.
Herold applauded that Amazon is also trying to help you find your pet, lost keys, or in some cases patients suffering from dementia or Alzheimer's in a more efficient way. But it is also concerning if you have a stalker, she said.
Like Bhatia, Herold said she was worried there wasn't a proven beta for the program.
The program is a win for consumers: Higginbotham
Despite Bhatia's and Herold's reservations, Stacey Higginbotham, a technology journalist who focuses on IoT devices, explains in her latest newsletter that overall Amazon's program is a win for consumers.
She does add that if you're a "control freak," or someone who is well-versed in the security protocols but is still wary, you might opt out.
"Most came to the conclusion that they simply don't want their home network to be used as a bridge for unknown packets. What if those packets were illegal? What if the ISP didn't permit that type of use? I can't argue with control freaks, but I can point out that Apple's AirTag and FindMy network run on a similar principle of using your home or cellular data to share Bluetooth location data across an ad-hoc mesh network," she wrote.
Shruti Shekar is Android Central's senior reporter and also the second Canadian on the team. She was born in India, brought up in Singapore, but now lives in Toronto and couldn't be happier. She started her journalism career as a political reporter in Ottawa, Canada's capital, and then made her foray into tech journalism at MobileSyrup and most recently at Yahoo Finance Canada. When work isn't on her mind, she loves working out, reading thrillers, watching the Raptors, and planning what she's going to eat the next day.
Amazon alone is the reason this won't work. If they hadn't been such dirt bags with things like invading your privacy, treating their employees like ****, and being involved in the social censorship, maybe people would trust them enough with this feature. So if most people opt out of this feature (and they should for good reasons) then they need to look in the mirror.
This is FUD. There's no legitimate reason a "security expert" who's actually read the white paper would have a problem with Sidewalk as it stands. There are good reasons to distrust Amazon, but this isn't among them. Yet.
Already hard opted out. Echos disconnected, skills deactivated, and Alexa apps removed. Have a feeling you would still be in the mesh regardless of your opt-out status. Amazon taking privacy invasion and terms of service tips from Facebook.
I have opted out. I work in the privacy field. I have zero problems with it if Amazon wants to create Sidewalk and let users opt in. I have MAJOR issues with forcing in everyone who has not agreed to be part of Sidewalk. My WiFi is mine, and no one should be able to change the usage without my explicit approval. I see a major class action suit coming soon.
Hard no. Amazon is up there with Facebook in terms of not trusting them to be honest and upfront with anything. Also, I do not want to share my internet (albeit a small slice) with some mooch with no monetary incentive on my end. Also super shady that you cannot opt-out on the web and have to install the Alexa app.
"...customers will automatically be opted in to the program." We need a constitutional amendment outlawing "opted in to the program" software.
I think Amazon is crazy forcing people to Opt out. I have zero doubt we will see a class action lawsuit very soon over Sidewalk. Amazon will regret this choice.
It is not here in the U.K. and to be honest I cannot see it coming here for a while, if at all. Most houses in the U.K. are built from brick and most Wi-Fi signals only just reach outside, so I doubt Sidewalk signals would do much. Saying that, I think Sidewalk should be opt in and not opt out. Also, Amazon should send notices about this to people.
If it did come here, I would opt out right away. I have no need for it and I doubt most people would either.
What's the difference between this and Apple's tracking software? All iPhones have open location services available for all other Apple devices like tags, so that they can track tags as they move throughout a city. You don't hear anyone ranting about this. Why couldn't a hacker tap into those services and steal data or bandwidth from phones?