Select date
This Is Ridiculous
by Karl Denninger, Market Ticker:
This is the most-obscene thing I’ve seen in…. forever.
If you use Alexa, Echo, or any other Amazon device, you have only 10 days to opt out of an experiment that leaves your personal privacy and security hanging in the balance.
On June 8, the merchant, Web host, and entertainment behemoth will automatically enroll the devices in Amazon Sidewalk. The new wireless mesh service will share a small slice of your Internet bandwidth with nearby neighbors who don’t have connectivity and help you to their bandwidth when you don’t have a connection.
So let me explain how that works from a technical point of view.
TRUTH LIVES on at https://sgtreport.tv/
A WiFi “access point” has an SSID. To “give” access to someone else you’d have to NAT through your connection and “expose” some sort of SSID to other devices. Then it has to authenticate and effectively spoof the connection back as if it was from the authorized device. That’s because the “roaming” device has no idea what the password is to your router and thus can’t authenticate against it.
So, for example, you have a WiFi network called “Satan”, and it’s running WPS2 security. This means you need the key to be able to authenticate against it, and once you do key exchange the data itself is encrypted with AES. You connect a new device, it gets a (dynamic, usually) IP address from your router and all is well. The presence of the network is visible and (unless you shut off SSID broadcasting) the name of it is known.
However, the identity of the device that is in a car that drives past your house and has WiFi enabled, unless you’ve done some unusual things (yes, you CAN detect that) is not watched for and logged.
Sidewalk potentially changes that and, at least ephemerally (because it must in order to work), delivers the data to Amazon.
Now Joe’s Amazon device, for whatever reason (say, it’s in his car or on his dog) is out of range of his WiFi network. It’s looking for that network, but now, not just that network. Nope, now it’s looking for something that it can talk to through this “back door” connection. Best guess, without reading their paper on it in detail: It’s looking for a MAC prefix on a broadcast SSID that says it’s an Amazon-vended device, and if it sees it then it pings at it which results in a “fake” network association it can talk to and does, with a seed key from and generated by Amazon itself.
Except…. wait a second; the existing device has an IP address. So now that existing device (your doorbell) has to run NAT or, in the case of IPv6, go get a second assignment from the gateway (because there are lots in that instance available.)
This sounds reasonably secure but there is a problem: The “roaming” device just got pinned to you because your location is likely known and fixed. In other words now Amazon knows exactly where that thing is that just used “Sidewalk”, whatever it may be.
Yes, I know Amazon says in their white paper they don’t keep that data beyond the ephemeral requirement to do so while the device is in range, and they roll it every 15 minutes. Uh huh. When was the last time anything on the Internet was intentionally discarded if it had value and what are you going to do to Amazon if they’re either lying or that data gets logged and cataloged somewhere, either by them or by someone else’s (e.g. a government’s) request?
I can see some other problems with this too that could lead to serious security trouble if Amazon screwed up. But even assuming they didn’t and won’t in the future (and that data would be a high-value target, by the way) the biggest issue isn’t necessarily your device, it’s the one that gets near it and may not be able to have shut off it’s desire to “ping” other things. Yes, it appears you can turn off your offering of bandwidth but that is by no means the only issue from my point of view.
This has to be forced to be “opt in” on both the service offered and the client side on a per-device basis with the default being OFF.
Might I be ok with it on my Ring doorbell? Maybe. But do I want it on a “smart tag”? That’s a tougher decision and depends on what the tag is attached to. On my dog, maybe. How about on my suitcase?
This is basically the inverse of Google’s “Streetview” cars doing the equivalent of “wardriving” where they logged every SSID they saw as their cars took the pictures. What Amazon is doing is marking the location of every device that happens to be in the field and can see some other Amazon device’s WiFi connection, no matter where it is in the world.
They claim it’s all for your good. Uh huh, sure it is. I believe you Mr. Smiley.
