What is Amazon Sidewalk and What Risks Does it Pose to Your Home Network?
Amazon Sidewalk went live June 8, 2021. What is the product about? Does it pose any dangers to your home network? How can you go about disabling Sidewalk on your devices if it leaves your network more vulnerable to attacks or hurts your home internet's bandwidth?
Read on to discover more before sharing your home's bandwidth.
What is Amazon Sidewalk?
Let's start by understanding Amazon Sidewalk.
Amazon launched Sidewalk on June 8, 2021. From the definition published on the product's official site, "Amazon Sidewalk is a shared network that helps devices like Amazon Echo Devices, Ring Security Cams, outdoor lights, motion sensors, and Tile trackers work better at home and beyond the front door. When enabled, Sidewalk can unlock unique benefits for your device, support other Sidewalk devices in your community, and even locate pets or lost items."
From my understanding and research, it is apparent that all compatible Amazon smart devices were automatically added to Amazon Sidewalk. That way, your devices will act as a kind of bridge to a shared network that helps devices work better. The new feature keeps home devices better connected, especially around the edges of your property.
Why Amazon Introduced Sidewalk
Select Amazon Echo smart speakers and Ring gadgets will serve as bridges capable of connecting with other Sidewalk-enabled devices at long range using wireless Bluetooth LE or 900MHz LoRa signals, plus a small fraction of your home network's bandwidth. By doing so, these products become part of a mesh network, with your Echo and Ring device acting as middlemen between your router and other smart devices.
The Amazon Sidewalk's page states the new feature's benefits. In particular, Sidewalk creates a low-bandwidth network with the help of Sidewalk Bridge devices, including select Echo and Ring Devices. Sidewalk Bridges are devices that provide connections to Amazon Sidewalk, such as Echo devices, select Ring Floodlight, and Spotlight Cams. These Bridge devices share a small portion of your internet bandwidth, which is pooled together to provide these services to you and your neighbors. With more neighbors participating, the network becomes stronger.
Amazon states that the free service gives customers peace of mind. In this case, a Sidewalk-enabled device that is outdoor can be located easily. What's more, Sidewalk simplifies device setup, extends the low-bandwidth working range of devices to help find pets and valuables with Tile trackers, and allows devices to stay online even if they are outside the range of their home Wi-Fi. Gradually, Amazon Sidewalk will support a range of experiences using Sidewalk-enabled devices, such as smart security, lighting, and diagnostics for appliances and tools in the future.
Existing Security Features on Amazon Sidewalk
Regarding security, Amazon Sidewalk is supposedly designed with multiple layers of encryption. According to the vendor, preserving customer privacy and security is foundational to how they build Amazon Sidewalk. Therefore, the product features multiple layers of privacy and security to secure data traveling on the network and keep customers safe and in control.
Specifically, "the company uses three layers of encryption for all Sidewalk transmissions, and the network is designed so that even Amazon can't see any of that data," writes Ry Crist on Cnet.com. In addition, Sidewalk Bridge owners do not receive any information about devices owned by others connected to Sidewalk. Moreover, Amazon divulges that it deletes the data used to route Sidewalk transmissions every 24 hours. Finally, it uses rolling IDs to prevent those transmissions from being tied to any specific user.
Amazon Sidewalk comes with two separate privacy permissions – the main toggle for switching Sidewalk on and off and a second one that controls the "Community Finding." The main Sidewalk permission is on by default, while the Community Finding permission is off by default. Enabling the second toggle shares your Bridge's approximate location to help neighbors with network connections. With this feature in place, Amazon clarifies that neighbors in Community Finding will not see your Sidewalk Bridge's exact street address, but an approximate location. Typically, the company anonymizes location data.
Besides, Sidewalk bridge owners should note that other people's Sidewalk devices will not actually be able to access, join, or see their home's Wi-Fi network. So, conversely, the owners will not have access to information about those devices or their users. Instead, external Sidewalk devices will connect anonymously with the bridge owner's Echo or Ring device over Bluetooth LE or LoRa. Subsequently, the Ring or Echo device will pass the signal to the cloud using a tiny amount of the home network's bandwidth.
What Dangers Does Amazon Sidewalk Pose to Your Network?
Designedly, Sidewalk is for everybody's gadgets. As Ry Crist writes on Cnet.com, "if your neighbor uses a Sidewalk-enabled mailbox sensor that's in range of the Sidewalk bridges in your home, that sensor may very well use your network to connect to the cloud.
Does this feature leave your network vulnerable to attacks? What about Amazon Sidewalk hurting your home internet's bandwidth?
1. Amazon Sidewalk Security Concerns
Despite Amazon's assurance on user privacy and security, the very idea that Sidewalk is enabled by default raises lots of eyebrows. Moreover, despite the company's efforts towards encrypting data transferred over the network, privacy experts express concerns about Sidewalk's technology parameters.
"Amazon assures us that it protects the content of the data. But that might not be the most important thing," states Eugene Vasserman, an associate professor of computer science at Kansas State University. "For smart home devices, it's not the most important thing. The metadata, the timing of the signal, the size of the data, all of this, is more information about the content and the more sensitive information."
Vasserman also illustrated a smart light that sends information through Amazon Sidewalk when it detects motion. Simply knowing that information was sent would be enough to know that a motion was detected, even without having access to the specific information sent.
Massachusetts Attorney General William Tong’s office also released a statement to warn people about Amazon Sidewalk. An excerpt from the AG office reads,
“Our smart home devices already have access to our most personal spaces and information, and now Amazon wants to use them to form a shared neighborhood network. This is uncharted territory for the privacy and security of devices like Alexa, Echo, and Ring.”
The statement continues, “Wireless networks are already notoriously vulnerable to hacks and breaches, and families need better information and more time before giving away a portion of their bandwidth to this new system. I urge families to consider the pros and cons of joining Amazon Sidewalk and to opt-out, unless fully confident their privacy and security will be protected.”
A blog post written by Nick Young on the Wichita Eagle also raised concerns on Amazon Sidewalk's future and why Amazon did not ask users to opt-in to the technology. It is essential to note that even though Amazon provides data encryption, the vendor's Sidewalk does not offer adequate metadata protection per se. "This is because they are low power devices, so the amount of protection they can apply to the data and metadata is limited," Vasserman said.
Also, being a new technology, experts warn that the worst is yet to come, as is the case in cybersecurity. "Eventually, there will be some sort of hole or gap in the system that will be discovered, hopefully by Amazon. It happens in the world of Internet of Things software," wrote Joe Jabara, Director of the Hub for Cybersecurity Education and Awareness at Wichita State University. "Within a year or so of becoming popular, both Ring and Zoom were sued for various problems in security. Both, because of those events, have become more secure as a result."
A related Amazon issue is that people will not immediately know of any flaws with the new feature that could put them at risk. Of course, all software and services are completely secure until they are not. Meanwhile, reports of eavesdropping, hacking, and security and privacy mishaps continue plaguing the smart IoT market. It is obvious that hackers will soon use Sidewalk vulnerabilities to breach entire home networks and potentially everting connected to them.
2. Amazon Sidewalk May Hurt Your WiFi Network's Bandwidth
We refer to a question on the Amazon Sidewalk page FAQ's section to address the network bandwidth issue. Specifically, we look at this question, "How will Amazon Sidewalk impact my personal wireless bandwidth and data usage?"
The company gives this explanation: "The maximum bandwidth of a Sidewalk Bridge to the Sidewalk server is 80 Kbps, which is about 1/40th of the bandwidth used to stream a typical high definition video." The statement continues, "Today, when you share your Bridge's connection with Sidewalk, total monthly data used by Sidewalk, per account, is capped at 500MB, which is equivalent to streaming about 10 minutes of high definition video."
Let's put these figures in perspective. Data collected by the Wall Street Journal from OpenVault reveals that the average monthly internet usage for a U.S. household soared to a high of over 400 gigabytes by the end of March 2020. The figure was over 100 gigabytes more than the average during 2019, which itself was notably higher than the previous year, according to Statista. Amazon Sidewalk's 500 MB cap is approximately 0.125 percent of 400 GB monthly internet usage, which sounds insignificant.
However, Amazon Sidewalk's data usage might still be a concern if your Internet plan has a data cap and charges extra for exceeding it. Even though Amazon is not charging an additional fee to use Sidewalk, internet service providers' fees still apply, and data usage counts towards existing data caps. This fact calls for your action to avoid getting surprised, especially if you are not aware that the Sidewalk feature is activated on your network.
Zak Doffman, a Forbes contributor, writes, “The idea behind Amazon Sidewalk is to take a slice of your broadband as well as from others on your street to form a communal “low bandwidth” network to extend wireless coverage.” However, Joe Jabara adds, "because this device relies on your Wi-Fi as a base for connectivity, you could possibly hit a cap on your bandwidth limitations, thus degrading your Wi-Fi connections."
How to Disable Amazon Sidewalk
Amazon lets customers know that using the services is all on their own terms. In fact, if you do not need Amazon Sidewalk, you can disable the feature anytime from the Ring or Alexa mobile apps. To do this, Ring customers with eligible devices can choose to update their Amazon Sidewalk preferences anytime from the Control Center in the Ring app or Ring website.
On the other hand, Echo customers who own an eligible device can update their Amazon Sidewalk preferences anytime from Account Settings in the Alexa App. Certainly, if you have linked your Ring and Amazon Accounts, your Sidewalk preferences on either your Alexa or Ring App will apply to all your eligible Echo and Ring devices.
ESET cybersecurity expert Jake Moore’s advice is for Amazon users “to really think about the need for such requirements and to err on the side of caution by manually turning it off. Amazon has made this a default opt-in feature, which could be a dangerous recipe for disaster not knowing what these devices are really connected to.”
Take Control of Your Home Network with Sonar
Security experts have expressed concerns about how Amazon enabled Sidewalk bridges without asking users to opt-in to the technology. With Amazon Echo being the most popular smart speaker in the U.S., with over 40 million units installed, it should worry home network owners that they are automatically connected to Amazon Sidewalk by default.
All that said, when innovations like Amazon Sidewalk come, users should always take time to make informed decisions to ensure they balance benefits with risks. On top of that, with the frequent and sophisticated attacks happening today, it would be best if users are given the option to opt-in rather than out of emerging solutions.
Over and above disabling the main Sidewalk toggle, users can install the Sonar service that identifies and alerts you to threats on your wireless network. Sonar offers continuous 24/7/365 monitoring that presents an aggregated, unified view of your wireless network. The subscription service detects malicious threats to your Wi-Fi network, including rogue and fake access points, device spoofing, and denial of service attacks.
Most importantly, Sonar enables you to detect all devices and users within range of your wireless network and tracks the type of the device and the MAC address to provide a device fingerprint for correlating a device to an IP address. This capability is important, especially in monitoring information that might be detected from your Amazon Sidewalk-enabled devices connecting to your network through Sidewalk bridges.
Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.