Amazon Sidewalk will share your data, unless you opt-out

June 3, 2021

EXECUTIVE SUMMARY:

On June 8th, Amazon says that all of its devices will be connected within a device-to-device wireless mix. All gadgets will turn into micro cellular towers, enabling them to share bandwidth. This newly created Wi-Fi protocol could present severe security and privacy problems. It also hasn’t seen beta testing.

Amazon Sidewalk, the name of this new initiative, was first announced in September of 2019. Amazon described the project as a “new, long-term effort to greatly extend the working range of low-bandwidth, low-power, smart lights, sensors and other low-cost devices”.

Although Sidewalk has existed as a low-profile project for several years, news of its June 8th debut caught many off-guard. Consumers have only a week to learn about the initiative. Due to the configuration, users may want to opt out.

According to Amazon, Sidewalk will enable motion alerts from security cameras to continue functioning, even when Wi-Fi falters. It will stretch Wi-Fi to the smart lights that might surround a person’s lawn or driveway. Capabilities even include Tile tag-like functions, enabling customers to find valuables quickly (or lost pets).

This comes as no surprise, as Tile will be joining Amazon’s Sidewalk initiative. CareBrand, manufacturer for wearable technology, will also collaborate.

Security Experts on Sidewalk

The unexpected announcement pertaining to the launch of Sidewalk has led to fear, uncertainty and doubt. Why?

1) The program’s success depends on the use of untested wi-fi protocols. No beta testing has taken place.

2) The program will be turned on by default. Consumers can only opt-out if they are aware of the program, it’s implications, and the steps involved in turning it off.

“They dropped this on us,” stated John Callas, director of technology projects for the Electronic Frontier Foundation (EFF). “They gave us seven days to opt out. I hadn’t even seen the privacy and security [information]…” he continued.

Some security experts who have familiarized themselves with Amazon’s whitepaper on the topic do appreciate what they see. However, problems are expected due to routine flaws in new protocols.

Untested protocols

Amazon intends to run Sidewalk with its own, new Wi-Fi protocol. This relies on the 900 MHz spectrum. The expected range for connections may increase by more than half a mile.

With the Sidewalk protocol, Amazon’s consumers can potentially thread Amazon gadgets through their apartments, houses or property as a whole, even in Wi-Fi dead zones. At least one expert is concerned about the encryption of the data transmitted across a person’s home.

The Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) both contained encryption/decryption flaws. Eavesdroppers could easily access older Wi-Fi networks. Insecure protocols led to man-in-the-middle (MiTM) and malware injection attacks.

“If industry-standard wireless technologies have such a poor track record, why are we to believe a proprietary wireless scheme will have one that’s any better?”, says Dan Goodin, with Ars Technica.

Human stalking

Last, but not least, Amazon’s whitepaper on Sidewalks does not mention the issue of predatory, human stalking. This surfaces as an issue due to the fact that Tile tags can be tucked into handbags, totes or taped onto vehicles in order to track a person.

Opting out of Amazon Sidewalk

Some people are excited about Sidewalk. Others, less so. If you’re in the latter category, this info might be useful…

The following list of devices will automatically be pulled into Sidewalk. If interested in opting out, Amazon Echo and Ring owners can follow these steps:

Alexa app: Open More > select Settings > Account Settings > Amazon Sidewalk, and toggle it on/off
Ring app: Tap “three-lined” menu > Control Center > Sidewalk, and tap the slider button

Double-check to ensure that any opt-out is correctly registered, if relevant.

For more on Amazon Sidewalk, visit ThreatPost.com.

Article update, 6 months later:

In Seattle, Amazon faces a federal class action lawsuit over its Sidewalk network. Consumers claim that the company engaged in “unfair, deceptive” and “fraudulent” business practices at consumers’ expense.

The complaint states that Amazon is using the bandwidth of consumers to build a cheap wireless network of its own, meaning that the company is allegedly, according to the filing, engaging in unjust enrichment practices.

Further, the complaint notes that usage of consumers’ bandwidth could lead to overage charges on their internet bills, and that knowledge around opting out is not readily available.

“Owners and users of Sidewalk Devices who do not opt out and have Sidewalk enabled are not compensated by Amazon for use of their bandwidth,” says the complaint.

The lawsuit goes on to allege that Amazon deliberately misrepresents the notion that its consumers are voluntarily sharing and donating their internet bandwidth and that this represents a deceptive act and practice.

In this court case, plaintiffs seek punitive damages, and both declaratory and injunctive relief. Amazon.com Services LLC and Amazon Digital Services LLC have asked the court to dismiss the claims, expressing that they are legally baseless.