Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Businesses Communications Wireless Networking

Alexa/Echo Owners Become Part of Amazon's Massive 'Sidewalk' Mesh Network By Default (inc.com) 168

A tech columnist for Inc. noticed that on June 8th Amazon will finally power up its massive "Sidewalk" mesh network (which uses Bluetooth and 900MHz radio signals to communicate between devices). And millions and millions of Amazon customers are all already "opted in" by default: The idea behind it is actually really smart — make it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. That way, if your Ring doorbell, for example, isn't located close to your WiFi router, but it happens to be near an Echo Dot, it can use Sidewalk to stay connected.

The same is true if your internet connection is down. Your smart devices can connect to other smart devices, even if they aren't in your home. The big news on this front is that Tile is joining the Sidewalk network on June 14. That means that if you lose a Tile tracker, it can connect to any of the millions of Echo or Ring devices in your neighborhood and send its location back to you.

That's definitely a nice benefit, but it's also where things get a little murky from a privacy standpoint. That's because other people's devices, like your neighbor's, can also connect to your network. Amazon is pretty clear that Sidewalk uses three layers of encryption so that no data is shared between say, someone's Tile tracker and your network. The signal from the Tile is encrypted all the way back to the Tile app on your iPhone or Android smartphone... [But] whether or not you want your device connecting to other devices, or want your neighbors connecting to your WiFi, Amazon went ahead and made Sidewalk opt-out.

Opt out (for all your devices) using Alexa app's More tab (at the bottom): Settings > Account Settings > Amazon Sidewalk > Enabled.
This discussion has been archived. No new comments can be posted.

Alexa/Echo Owners Become Part of Amazon's Massive 'Sidewalk' Mesh Network By Default

Comments Filter:
  • Thread [threadgroup.org] is the future of home automation.

  • by Space ( 13455 ) on Monday May 17, 2021 @06:52AM (#61392558) Homepage

    Does this give everyone plausible deniability when some nefarious traffic is tracked back to their assigned IP?

    • Wasn't this whole "an I.P. can be associated with a person" thing ruled out in courts?

      • That's the way the slash-court ruled. Anyway 900 Mhz and BT sounds like something pretty slow for being bad with.

      • by bill_mcgonigle ( 4333 ) * on Monday May 17, 2021 @07:03AM (#61392596) Homepage Journal

        It's a defense your criminal defense attorney can raise after you get hauled off to jail in a 4am flash-bang-grenade no-knock raid.

        #landofthefree #cgnat

        • #landofthefree #cgnat

          Most CGNAT implementations assign port ranges to subscribers. All anyone has to know is time and IP+port to uniquely identify a subscriber. The loss of the ability to be a peer rather than merely a spectator is more detrimental to freedom than the illusion of increased deniability.

          • Yes, this. Can you actually host your own web server? Only with permission - either f\a hosting service that takes your money and provides service as long as they care to, maybe a 'free' service that likewise does what they will, or you beg your ISP to let you send and receive the traffic to and from your little web server.

            Oh, your ISP blocks those ports? And they claim it is for security? Huh.

            Oh, your hosting service has found you doing, providing, or supporting, even obliquely, in a manner they do not app

            • Yes, this. Can you actually host your own web server? Only with permission - either f\a hosting service that takes your money and provides service as long as they care to, maybe a 'free' service that likewise does what they will, or you beg your ISP to let you send and receive the traffic to and from your little web server.

              Oh, your ISP blocks those ports? And they claim it is for security? Huh.

              It's really no problem..

              I have a static IP address, and no blocked ports, and I have run web servers and email

      • by tlhIngan ( 30335 )

        Wasn't this whole "an I.P. can be associated with a person" thing ruled out in courts?

        You'd think that would encourage the adoption of IPv6, after all. Giving a unique address to every device in the world would make it harder to claim an IP address can be associated by more than one person - especially if the IP address leads to a specific smartphone or tablet.

    • Presumably, whatever mesh network they build only "routes" (quotes used, because I assume it's really an L7 AG) things that know how to talk using that interface, and presumably, one can't route whatever the fuck they want over it.

      Shrug. Who knows, though. Maybe you've thought of something they haven't.
      • This triple encryption mentioned is probably WPA equivalent over the air, Amazon VPN on that, and then a VPN of whatever third party device maker the traffic is for. That layer is probably going to include cheap junk with no security so the remote end could very well become an open exit relay to the full Internet.

        • Sure, in the same way that a SIP softswitch can become an open relay to the internet.

          In that, it can't.

          This is a layer 7 AG.
          Sure, you could setup your own AG somewhere on the internet, use it as a tunnel router, encapsulating traffic back through sidewalk to some device...
          This is assuming Amazon allows unregistered endpoints, which I doubt they will.

          But ultimately, why?
          May as well go find a starbucks if you're that hard up for internet with an untraceable source.
          • They're opening it up to third party devices. Those devices' firmware are likely not going to be held to any security standard. You use the device itself as your way onto the Internet. No need for anything remote.

            • They're opening it up to third party devices.

              That doesn't matter.
              What the service does is specific. It's isn't a layer 3 router.

              Those devices' firmware are likely not going to be held to any security standard.

              Still doesn't matter.
              If I plug some random device into my Zigbee ZLL network, it can't route arbitrary traffic through my Hue hub.

              You use the device itself as your way onto the Internet. No need for anything remote.

              Again, why?
              Tunneling through a layer-7 AG is going to end up being overwhelmingly easier to track than just sitting at the curb next to a starbucks.
              Your concern is a silly one.

            • Comment removed (Score:5, Insightful)

              by account_deleted ( 4530225 ) on Monday May 17, 2021 @10:55AM (#61393324)
              Comment removed based on user account deletion
              • Without any citation - There's nothing on the article and no reason to assume that they are correct. I think it's more likely that it will be an encapsulated "open pipe" and out of laziness, TCP/IP will get tacked on by the device maker. That way they can use poorly secured JSON-based APIs they've already created for other products. And out of laziness, the internal network the encapsulated traffic is joined to will probably have an unprotected Internet connection.

                I don't know why you would assume that a

                • I'll be honest. I haven't read the article.
                  I am however familiar with Sidewalk.
                  The bridge only handles MQTT and HTTP/S (and I think a couple other protocols that I can't remember) proxying to registered endpoints in AWS.
                  Whether or not they're going to open it up for non-AWS third-party endpoints is an open question, but it still doesn't change things.

                  This makes sense, because the entire IoT industry runs off of JSONRPC and/or XMLRPC/SOAP over HTTP/S.

                  Nobody is making a fucking IoT unsecured wireless n
        • This triple encryption mentioned is probably WPA equivalent over the air, Amazon VPN on that, and then a VPN of whatever third party device maker the traffic is for.

          No, the triple encryption is simply ROT-39.

      • one can't route whatever the fuck they want over it yet

        There, FTFY

        • by DamnOregonian ( 963763 ) on Monday May 17, 2021 @09:52AM (#61393136)
          eyeroll.
          Ya, I see hax0rs routing layer-3 traffic over RPC/AG endpoints all the time.
          No, really.
          That's why when our SOC2 auditor wanted us to transition everything to AG endpoints, I said "No! people may use them to arbitrarily route internet traffic!"

          Wait no, I didn't do that.
          You need to sit in on some of my industry security meetings. I feel like you could teach us some shit.
    • by AmiMoJo ( 196126 )

      Many ISPs have been doing this for years. For example in the UK, BT had a system where you could enable a public wifi spot on your home router and in exchange have free use of everyone else's. Very handy for plausible deniability if you are accused of piracy or breaking the law.

    • After 10 years of fighting off prosecutors that drives you into bankruptcy.
  • One simple solution is guest networks. Most routers can have guest networks enabled and set up separate from the main WiFi network. Just have Alexa and Echo devices add additional configuration to tell them which SSID to use for Sidewalk and let them use the guest network instead of the main one. Sidewalk can access the Internet connection but not the LAN and main WiFi network. The routers should also be able to apply bandwidth limitations to the guest network and give it a lower priority for access so it d

    • Many years a go, a company called FON did exactly this in the UK. You got a special wifi router, it setup a private network for you, and a FON network for any FON subscribers to use. I assume the password was universal, but I don't know for sure.

      BT bought FON, and kept it as BT-FON for a while, but now it's just part of BT. They used it to provide Internet backup for the BT Mobile network, which (being BT) was a bit patchy anywhere more than about 10 feet from a telephone exchange. Now that BT bought EE, th

      • UPC (a cable TV and internet connection/traffic company) offered a similar service in Romania.
        Your UPC-provided (rental or free-for-use) cable-TV to WiFi router had "your" WiFi network and a "UPC" WiFi hotspot/network.
        Using a customer-specific username and password, you could connect to these hotspots.

        Unfortunately, my phone at the time was unable to offer an acceptable connection (i.e. decent speed and free of interruptions), so I didn't use it.
        I think the distance between my mobile phone and the WiFi hots

    • by larwe ( 858929 )

      One simple solution is guest networks. Most routers can have guest networks enabled and set up separate from the main WiFi network

      Some Internet providers (US) do this by default in their modem/router firmware - they have it set up so that if you and your friend both have, say, Fios - your friend walks into your house and can connect to the open guest Fios SSID (which is the same on all Fios routers). I believe he's then taken to a captive portal where he enters credentials to prove he's a Fios subscriber. His usage doesn't count towards your data caps.

      This isn't a function I want enabled on my home network, but it's a HELL of a lot be

      • No need for an open network. The guest network can be configured with the same security options as the main network, and since you only have to worry about your own devices having access to it they can allow you to configure credentials just like they do for the main network. That would allow the Alexa/Echo devices to act as a bridge for other devices without needing to grant random devices access to the guest network directly.

        Looking at DD-WRT, it looks like you can configure multiple guest networks since

        • by larwe ( 858929 )
          If the device could reach your router at all, then it could reach it on the regular SSID and the guest SSID would be irrelevant. The entire point of this Sidewalk thing is that devices that cannot reach your network, can hop to it via other people's networks - it seems that if they can reach any other Amazon device via some proprietary 900MHz ISM communications path, they can reach the Internet over that bridge and thereby stay part of your connected home. In fact, the whole system looks very much like thos
    • by Monoman ( 8745 )

      Didn't Xfinity/Comcast start doing this for you automagically some years back?

      • Re:Simple solution (Score:5, Insightful)

        by ranton ( 36917 ) on Monday May 17, 2021 @09:13AM (#61392992)

        Didn't Xfinity/Comcast start doing this for you automagically some years back?

        Comcast doing this makes far more sense than Amazon though. At least Comcast would be able to differentiate where the bandwidth is being used so I am not being charged extra for my neighbor's Internet usage.

      • If you rent a router/gateway from them, yes. You can disable it, and if you use your own equipment then you don't have it.

  • I'm no expert, (Score:5, Interesting)

    by jenningsthecat ( 1525947 ) on Monday May 17, 2021 @07:13AM (#61392626)

    but doesn't this increase the attack surface by a pretty large factor? How many closed-source data paths with undisclosed vulnerabilities does this add to the network?

    As for all that expanded Tile-tracking capability - well, I'm not sure I'd want it to be that easy for other people to track my Tile-connected stuff. Not that I'd ever allow one of these Big Brother devices into my own home. Even if I wasn't fairly tech-savvy I think I'd just be creeped out by it all.

    For me this is just the final, irrevocable confirmation that such systems are designed to make us serve them, rather than t'other way around.

    • If compromised, it makes a nice Tor-like network for attackers to use to hide their origin.

    • I wouldn't mind owning and sharing out a dedicated "mesh network hub" of some sort as a way to provide better connectivity across my community, but I would not give that hub the kind of privileged access to my home network that a device I interact with often gets. I don't own an Echo, but this seems like functionality that ought to be kept well separate. But I know most people wouldn't buy such a hub on its own, which means the mesh is too thin. Given that, I might be ok if there were two separate devices t

    • by AmiMoJo ( 196126 )

      That's literally how Tile works. Your phone being able to find it is only useful if it's near you. When you lose one you are relying on other people's phones to locate it for you.

      Same with Apple AirTags. Of course they are incompatible so you have competing networks and multiple apps wasting battery power.

  • I remember reading about this, and I disabled it when I read about it.

    Checked again, and it is still disabled.

    • "disabled"

      Is the Sidewalk traffic distinguishable from all the other noise these devices make on the network?
      • by GlennC ( 96879 )

        I only have one device, and communications are disabled. The only thing I use it for is to stream music while I'm working in my home office, and it is powered off otherwise.

      • by cusco ( 717999 )

        You should be able to tell with a quick Wireshark session. All the Ring and Alexa devices have the MAC printed on them.

  • by bloodhawk ( 813939 ) on Monday May 17, 2021 @07:41AM (#61392688)

    Opt out (for all your devices) using Alexa app's More tab (at the bottom): Settings > Account Settings > Amazon Sidewalk > Enabled.

    thanks, that is the only useful part of this story. will ensure my parents devices are opted out and my wifes.

  • because after reading this i would be taking a hammer to it and smashing it to smithereens
    • because after reading this i would be taking a hammer to it and smashing it to smithereens

      Yup. And my wife wonders why I refuse to allow any of her (numerous) Echo Dots in my home office.

  • by Ecuador ( 740021 ) on Monday May 17, 2021 @08:02AM (#61392756) Homepage

    The summary should mention this is a US-only feature. I had to look it up as I could not find such a feature on the Alexa app.
    I do have an echo dot - I caved when it went for a silly price, but I do find it useful as it is quite a decent little speaker and can give you some answers to simple questions (notice "simple" as Alexa is quite stupid overall) & set up timers/alarms etc. I don't mind my voice being recorded and sent to Amazon - I mean I have a smartphone so any major actor has access to it anyway, but I would not appreciate auto opt-ins on mesh networks.

    • by ledow ( 319597 )

      Because other countries would go ape-shit at the use of your private facilities or transmission of your data without opt-in based permission.

      My objection would be more along the lines of "Fuck off, I'm not letting random strangers use my wifi bandwidth in any capacity" because my Wifi is 4G-backed and I'm not having some video doorbell that's nothing to do with me silently piggy-back on the back of that connection while I'm paying for it.

      It's not a coincidence that I work in IT and yet have none of these de

  • Regardless of the security implications, what about my bandwidth? Is XFinity going to know what traffic was mine and what was my neighbors? I already have enough problems with their data caps now that my wife and I work from home.

  • Opt-out option (Score:5, Insightful)

    by ubergeek65536 ( 862868 ) on Monday May 17, 2021 @09:32AM (#61393062)

    The only sure way to opt-out is not buy the device. Microsoft has a checkbox for opting-out of "features" that don't do anything so why should I trust Amazon?

    • by Subm ( 79417 )

      The only sure way to opt-out is not buy the device.

      Correction: the only way to be sure is to nuke it from space.

  • Ideally, ideas like this should be killed with fire. There are just so many things that should die. If the US consumer based refused stuff like this as they did with DIVX (not the codec... the Circuit City DVD competitor), things wouldn't be as grim in daily computing.

    Of course, there is the sure way to "disable" this functionality. Get rid of the devices that use it, or don't buy them in the first place.

    Sometimes I wonder if this is going to allow certain people or companies the ability to mine HNT.

  • "The idea behind it is actually really smart — make it possible for smart home devices to serve as a sort of bridge between your WiFi connection and one another. That way, if your Ring doorbell, for example, isn't located close to your WiFi router, but it happens to be near an Echo Dot, it can use Sidewalk to stay connected."

    Thank goodness that this capability will never be abused or used maliciously in any way. Whew.

    • by King_TJ ( 85913 )

      What bothers me about this, even IF you make the assumption this isn't going to get hacked and abused in some way, is the realization this is a proprietary thing from Amazon. Yeah, Tile might be agreeing to serve as a partner. But all in all, this seems to primarily just serve the purpose of trying to make Ring doorbells more useful? After all, if people buy Ring for security purposes but Internet outages mean they didn't capture any video of the guy stealing their package off the porch or ?? They're not g

      • I just don't want to have my gear used to further Amazon's or Ring's profits. Pay me to be part of your mesh network otherwise it looks like loser proposition for me.

        My Eufy video doorbell isn't going to benefit from this in any way. (And considering it saves to an SD card internally, saving me monthly cloud subscription fees? That's the way I like it.)

        Same here. I have an RCA doorbell that captures to internal memory as well as dumping 24/7 video to a NAS in my home.

  • by JustAnotherOldGuy ( 4145623 ) on Monday May 17, 2021 @11:20AM (#61393416) Journal

    Just another reason why I don't (and won't ever) have Alexa or any other always-on, always-listening voice-gadget in my home.

  • Talk about privacy overreach. Why do companies think they have the right to assume everyone wants them to know everywhere they go. This is a serious privacy infringement. And to short circuit the trolls, I don't own any Amazon devices nor will I. But then again, that's because I'm smart enough not to. There isn't anything that important that I can't get off my ass to turn on or off rather than give info of all my daily activities to corporations.
  • Use a 5 pound sledge, not the "opt-out" button.
  • We've been making this, as an alternative. It makes sure you are in control. https://www.f3.to/cellsol/ [f3.to]
  • by TomGreenhaw ( 929233 ) on Monday May 17, 2021 @01:30PM (#61393896)
    Alexa responds, "I don't know how to do that".
  • In my home, except for my smartphone. Hell, these companies already know enough.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...