Amazon’s Sidewalk, a neighborhood device network, is ‘uncharted territory’ for data privacy, watchdogs say
A new Amazon feature aimed at keeping users’ home devices connected to the internet by using a friendly slice of neighborhood broadband is already raising concerns about unintended privacy consequences.
Amazon’s Sidewalk network pulls slivers of broadband from its users to create a larger network to extend the range for devices further from a users’ home, such as the tracking device Tile or smart lighting at the edge of a users’ property. Benefits of such technology include helping a user find a lost dog or car keys, Amazon touts. It could also keep devices online if the internet of an individual user goes out.
Concerns about the expansion of existing home devices’ reach draws on lingering anxieties about internet-connected home devices. Amazon, Google, and other major home security devices have all suffered significant hacks in recent years, while some have collected an alarming amount of users’ private data. Ring’s doorbell camera in particular has become a powerful tool for law enforcement to gather video from a specific area.
Sixty-three percent of respondents to a 2019 Internet Society study said they consider internet-connected devices “creepy” in the way they collect data. That discomfort isn’t enough to deter the tens of millions of buyers who have purchased an Amazon Echo or Ring device, not to mention countless other home device offerings. Lawmakers have raised concerns about the privacy implications of these devices on numerous occasions, but have not passed any meaningful regulation of devices used by the public.
“This is uncharted territory for the privacy and security of devices like Alexa, Echo and Ring,” Connecticut Attorney General William Tong said in a statement, urging users to be cautious of the new technology. “Wireless networks are already notoriously vulnerable to hacks and breaches, and families need better information and more time before giving away a portion of their bandwidth to this new system.”
Experts didn’t raise any immediate, major concerns about the network’s security. However, some have taken issues with how these wider networks could be used to track device users.
Sidewalk technology could allow a stalker to track a user at a wider range, either by physically depositing the device or potentially triangulating the signals issued by the device, for instance.
“Our privacy concerns are with the ways that people could use it to track other people,” said Jon Callas, director of technology projects at the Electronic Frontier Foundation. Overall, Callas said, the technology is relatively secure — as far as an Amazon smart home device could be.
Apple recently encountered a similar problem around tracking with the launch of AirTag trackers, and has since created a way for users to detect an unwanted device. Tile, which will join Amazon Sidewalk later this month, says it’s working on a fix that would allow users to detect unwanted tracking devices.
While Sidewalk traffic is encrypted, a hacker could potentially figure out what activity is coming from a device — such as the opening of a door — based on the size of the transmission, says TJ O’Connor, a computer science professor at Florida Institute of Technology who researches internet of things devices.
“They’re fairly trivial things but not when you put them in the context of someone being stalked,” said O’Connor. “I don’t think it’s that much of a substantial threat to the average user.”
Hopping into a users’ network can often be a powerful tool for hackers. It’s a problem that Amazon devices have previously faced. In 2019 Amazon Ring faces a series of hacks in which outsiders abused the service to allowed harass victims. Also in 2019, thousands of Ring video doorbells contained a vulnerability that exposed users’ WiFi passwords. Amazon has since fixed the vulnerability.
The company has taken some preventative steps to thwart hackers from infiltrating the Sidewalk network. For instance, devices are required to be registered with the company, according to a white paper about the network’s security. That helps to prevent a completely rogue device from access the Sidewalk network.
“We leverage the same DoS protections afforded any user of AWS,” an Amazon spokesperson wrote in an email. “We also provide a bandwidth-limited encrypted channel for devices’ communication, meaning a very large number of compromised devices working across multiple gateways, across multiple regions would be required to generate a significant attack.”
Amazon also requires third parties to undergo a security evaluation process before they can join the network.
“Given that many low-cost and low-power devices and chipsets are unable to meet our security bar, we are also working with leading silicon vendors to raise the security bar for these devices,” the spokesperson said.