Amazon turning Alexa devices into an opt-out public WiFi mesh network

rcmaehl

imagine the MiTM attacks

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown


Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


7 hours ago, Oshino Shinobu said:

I can't see this being a security issue at all. 

 

This is from the same company that once had an idea to give their delivery drivers access to people's locked doors to leave parcels in a "safe place".

it's all good until you get that one evil person that ruins everything

This is going to be news to some of the Comcast/Xfinity customers. But Xfinity started doing this years ago. Your Xfinity router which you pay $20-50 per month to rent is actually letting others use your network. That aside Xfinity also charges money for non-Xfinity users to use that network on a per hour basis, I think it was $5 per hour.

 

Don't buy these things, this is a horrible trend.


49 minutes ago, Jet_ski said:

This is going to be news to some of the Comcast/Xfinity customers. But Xfinity started doing this years ago. Your Xfinity router which you pay $20-50 per month to rent is actually letting others use your network. That aside Xfinity also charges money for non-Xfinity users to use that network on a per hour basis, I think it was $5 per hour.

 

Don't buy these things, this is a horrible trend.

From Xfinity's WiFi FAQ:

 

Quote

 

Q: Does the Home Hotspot impact my network security?

A: The Home Hotspot is designed to work on a separate network so that your home network remains entirely secure. By enabling guests to use Xfinity WiFi, you increase your network security because you won’t need to provide your private home WiFi network password to guests.

 

Q: Does the new Home Hotspot impact my Internet speeds or data usage?

A: The broadband connection to your home will be unaffected by the new feature. For your in-home WiFi network, we have provisioned the Xfinity WiFi feature to support robust usage, and therefore anticipate minimal impact to the in-home WiFi network. WiFi uses shared wireless spectrum, and as with any shared medium, there can be some impact as more devices share the network.

Also, the usage and activities of visiting users are associated with the visitors’ accounts and therefore do not impact the homeowner.

 

Q: Is there a limit to the number of devices that can connect to the Xfinity WiFi Home Hotspot at one time?

A: Up to five devices can connect to the “xfinitywifi” signal simultaneously.

 

And yes, you can disable the hotspot network/feature. Though personally I prefer buying my own approved modem with my own AP. It negates the whole issue.

 

What Amazon is doing is presumably tunneling mesh traffic over port 443 via SSL via something like a VPN. But again as I've stated, it's a parasitic load on your own ISP connection and will go against your bandwidth quota. How much remains to be seen, but just FYI.


You know, I've never liked these home assistant devices, and this just gives me more of a reason to despise them.  Hard pass for me (again).

5 hours ago, Senzelian said:

Not to mention personal attacks are incredibly counterproductive.

5 hours ago, Elisis said:

- "You're ignorant. That's not a personal attack, that's stating a thing"

 

Hilarious piece of logic there

Ignorance isn't inherently a bad thing, we're all ignorant about something.  Ignorance is merely a lack of knowledge.  That's not an attack, it's barely even an insult.

 

Saying someone is ignorant is not the same as saying someone is stupid.

5 hours ago, RejZoR said:

Your wilful ignorance is what's wrong with them.

I swear, it's like people don't even understand language anymore.


5 minutes ago, huilun02 said:

So I can go around in a car and do network penetration from all the free WiFi? Sounds good to me

No, because that's not how it works; it's Alexas connecting together. Whether or not it's exploitable is another story that I'm starting to have the urge to explore.

 

9 hours ago, StDragon said:

I'm sure this is a major violation of Xfinity's ToS. You can't be offering WiFi to others outside of your home with the exception of guest access; but not perpetually.

Xfinity literally has a built in feature for that, if you're in range of an xfinity router, and you have an xfinity plan, you can connect to it.

AMD blackout rig

 

cpu: ryzen 5 3600 @4.4ghz @1.35v

gpu: rx5700xt 2200mhz

ram: vengeance lpx c15 3200mhz

mobo: gigabyte b550 auros pro 

psu: cooler master mwe 650w

case: masterbox mbx520

fans:Noctua industrial 3000rpm x6

 

 


6 hours ago, Senzelian said:

I can only care about the data that I am aware of. If you can make me aware of an issue that I might not know about, then you got my interest. But not by telling me I'm ignorant.

Ok, I'll tell you why the data harvesting is problematic, assuming you're even willing to listen. First keep in mind that these devices listen to you 24/7 and the recordings can be used to identify people. "it doesn’t take a rocket scientist to recover someone’s identity; you simply have to listen carefully to what is being said." So now think if criminals manage to get hold of these.

Let's go to Tinder, which collects huge amounts of your personal data, while being less intrusive than the home assistants.

The Cambridge Analytica controversy, where data was harvested from Facebook and was used for political gains.

Let's end with a big one. China used phones to track down Uyghur Muslims.


Waiting for the knock on the door from police trying to figure out which neighbor was downloading child porn...

CPU: Intel i7 - 5820k @ 4.5GHz, Cooler: Corsair H80i, Motherboard: MSI X99S Gaming 7, RAM: Corsair Vengeance LPX 32GB DDR4 2666MHz CL16,

GPU: ASUS GTX 980 Strix, Case: Corsair 900D, PSU: Corsair AX860i 860W, Keyboard: Logitech G19, Mouse: Corsair M95, Storage: Intel 730 Series 480GB SSD, WD 1.5TB Black

Display: BenQ XL2730Z 2560x1440 144Hz


8 hours ago, Gaires said:

Ok, I'll tell you why the data harvesting is problematic, assuming you're even willing to listen. First keep in mind that these devices listen to you 24/7 and the recordings can be used to identify people. "it doesn’t take a rocket scientist to recover someone’s identity; you simply have to listen carefully to what is being said." So now think if criminals manage to get hold of these.

Let's go to Tinder, which collects huge amounts of your personal data, while being less intrusive than the home assistants.

The Cambridge Analytica controversy, where data was harvested from Facebook and was used for political gains.

Let's end with a big one. China used phones to track down Uyghur Muslims.

 

I never argued that data harvesting isn't problematic. You need to read the entire conversation. This is specifically about Google Home devices!

So with that in mind, here we go again...

 

I don't have any issues with Google knowing me and my habits and what I say. I am very well aware of that when I bought the Google Home Max. And let's be honest, I own an Android phone that I carry around with me all day long. If I was really worried about data harvesting, I'd need to get rid of that as well. The smart speaker is at this point really just the icing on the cake.

 

I've read the article about the Cambridge Analytica thing and Facebook. Yup, they used data for political advertisement. Of course that sucks, no denying that, especially when Trump's campaign is the one paying for it, but I don't believe that boycotting hardware / software companies that don't have anything to do with that makes any sense. Specifically Google in this case, because I was specifically talking about Google Home devices originally.

 

But if I actually had a Facebook account and I read about this, then I'd consider deleting that account. Personally I don't even have one and never signed up. Btw: This Cambridge Analytica thing is one of the reasons I never bought an Oculus Quest, since you need a Facebook account to use it.

 

And the China thing... Yeah, what do you want me to do? Throw my phone away?

 

 

11 hours ago, Jito463 said:

Saying someone is ignorant is not the same as saying someone is stupid.

I played that card because it worked, not because it made any sense linguistically.

 

But on the other hand it doesn't really matter what the word means, if the society agrees on it being impolite. You even said "I swear, it's like people don't even understand language anymore.", so I assume you agree, that the society mostly thinks of something else, when they read the word ignorance.

 

 

 

 


Glad I never bought into the smart device botnet. My smartphone and PC spying on me is already enough.


21 minutes ago, Senzelian said:

I never argued that data harvesting isn't problematic. You need to read the entire conversation. This is specifically about Google Home devices!

So with that in mind, here we go again...

I did read it all and was making general points for what can be done with your data.

 

21 minutes ago, Senzelian said:

I don't have any issues with Google knowing me and my habits and what I say. I am very well aware of that when I bought the Google Home Max.

Sure, you might trust Google and not care if they know everything you say at home. That doesn't mean your data cannot be used by other more problematic entities.

 

23 minutes ago, Senzelian said:

And let's be honest, I own an Android phone that I carry around with me all day long. If I was really worried about data harvesting, I'd need to get rid of that as well. The smart speaker is at this point really just the icing on the cake.

I own an Android phone too, it's even a Chinese brand. The thing is where you draw the line about how much and what data is collected about you. These devices can collect more personal data that makes identifying you easier. Again while you might trust Google, that doesn't mean entities you don't trust cannot get hold of the data.

 

31 minutes ago, Senzelian said:

but I don't believe that boycotting hardware / software companies that don't have anything to do with that makes any sense. Specifically Google in this case, because I was specifically talking about Google Home devices originally.

Again, these devices listen to you when you're talking politics with someone. So that's why it relates to these devices also.

 

34 minutes ago, Senzelian said:

And the China thing... Yeah, what do you want me to do? Throw my phone away?

No, but it's the worst case scenario how your data can be used.

 

 

As for the topic at hand, I don't even see the point of this. Who benefits from making Echoes public wifi spots, since most routers aren't powerful enough that people outside can use the wifi network.

This just means that in apartments your neighbours can use your wifi to do illegal stuff if you don't turn off the new "feature".


23 minutes ago, Gaires said:

As for the topic at hand, I don't even see the point of this. Who benefits from making Echoes public wifi spots, since most routers aren't powerful enough that people outside can use the wifi network.

 

Amazon of course benefits from that.

Anyone can become a potential source of information for Amazon, without even actively using any of their services.

There is of course no benefit for the customer that bought the echo. Amazon probably hopes for people to forget about this in the coming months, so that it just becomes the norm.

 

 

 

 


5 minutes ago, Senzelian said:

Amazon of course benefits from that.

Anyone can become a potential source of information for Amazon, without even actively using any of their services.

But that's the problem, they don't get all that much data out of it since most consumer routers have really short range.


48 minutes ago, Gaires said:

But that's the problem, they don't get all that much data out of it since most consumer routers have really short range.

The Alexa devices are the ones that create the network, not the routers.

I don't think you need that much range anyway. Most consumer routers and APs can reach through a couple of walls and if you live in a small apartment with lots of people, then that's probably good enough.

 

 

 

 


2 minutes ago, Senzelian said:

and if you live in a small apartment with lots of people, then that's probably good enough.

Well sure, maybe some student apartment can have usage for it. Then again, most of those students would be using their own wifi anyway.

The signal won't be strong enough to reach the street and I doubt a lot of people in apartment buildings would use their neighbours' wifi anyway, unless they want to do something illegal.


On 11/27/2020 at 9:26 AM, Oshino Shinobu said:

This is from the same company that once had an idea to give their delivery drivers access to people's locked doors to leave parcels in a "safe place".

now you get a garage door that Amazon can open. clearly the low res camera on it will help

Good luck, Have fun, Build PC, and have a last gen console for use once a year. I should answer most of the time between 9 to 3 PST

NightHawk 3.0: R7 5700x @, B550A vision D, H105, 2x32gb Oloy 3600, Sapphire RX 6700XT  Nitro+, Corsair RM750X, 500 gb 850 evo, 2tb rocket and 5tb Toshiba x300, 2x 6TB WD Black W10 all in a 750D airflow.
GF PC: (nighthawk 2.0): R7 2700x, B450m vision D, 4x8gb Geli 2933, Strix GTX970, CX650M RGB, Obsidian 350D

Skunkworks: R5 3500U, 16gb, 500gb Adata XPG 6000 lite, Vega 8. HP probook G455R G6 Ubuntu 20. LTS

Condor (MC server): 6600K, z170m plus, 16gb corsair vengeance LPX, samsung 750 evo, EVGA BR 450.

Spirt  (NAS) ASUS Z9PR-D12, 2x E5 2620V2, 8x4gb, 24 3tb HDD. F80 800gb cache, trueNAS, 2x12disk raid Z3 stripped

PSU Tier List      Motherboard Tier List     SSD Tier List     How to get PC parts cheap    HP probook 445R G6 review

 

"Stupidity is like trying to find a limit of a constant. You are never truly smart in something, just less stupid."

Camera Gear: X-S10, 16-80 F4, 60D, 24-105 F4, 50mm F1.4, Helios44-m, 2 Cos-11D lavs


5 minutes ago, Gaires said:

Well sure, maybe some student apartment can have usage for it. Then again, most of those students would be using their own wifi anyway.

The signal won't be strong enough to reach the street and I doubt a lot of people in apartment buildings would use their neighbours' wifi anyway, unless they want to do something illegal.

Not only student apartments. There are plenty of people living in apartments that aren't students. It's basically the standard for a lot of european countries.

 

I also don't think a lot of people would use their neighbours wifi hotspot on purpose, but instead on accident.
There's a lot of people out there, that don't care about tech. They just let their phone decide what to connect to and if there's an open hotspot, then why not? Also I think that there will also be people, that will connect to their own Amazon Alexa device unintentionally.

 

 

 

 


2 minutes ago, Senzelian said:

It's basically the standard for a lot of european countries.

I know, I live in one.

2 minutes ago, Senzelian said:

There's a lot of people out there, that don't care about tech. They just let their phone decide what to connect to and if there's an open hotspot, then why not?

Yeah, I forgot about that, even though I'm the only one in my family who's into tech. But still I would guess that's a pretty small number in the grand scale of things.


As for being "common": on my whole street with about 200+ homes (most of these are single family homes so it's kind of hard to guess exactly) there's only one open wifi spot, and that's weirdly some "Telekom fone"... I guess the owner just doesn't know it has wifi or whatever... however this isn't common at all in GERMANY, and the open wifi spots you find in bigger cities are all from some public entities like libraries, McDonald's or hotels... and of course are usually secured with a password despite being "open", private wifi hotspots tho? nah, not really common at all...

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


3 hours ago, GDRRiley said:

now you get a garage door that Amazon can open. clearly the low res camera on it will help

Nothing to worry about, they're all trustworthy strangers. It's not like a bunch of them would get caught stealing the new Playstat.... Oh.


19 hours ago, StDragon said:

You still only have one connection from your modem to the ISP, so they can, potentially, use a significant amount of bandwidth. I'm not an expert though as I'm not an Xfinity customer and can't test it myself.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


On 11/27/2020 at 5:24 PM, Senzelian said:

 

From the linked article:

[image]

 

It's certainly not common in Germany for your router to be a public WiFi hotspot. 
What is common, is that we do not use dedicated modems and instead combine modem and routers. 

 

Not the case in the UK, I can confirm that; both my old TalkTalk router and my new Virgin one come with built-in wifi passwords.


In France an ISP/mobile network company is doing something similar, it's free.fr. There's a dedicated wifi network that you can turn off to let other customers use your connection, well sort of, because it's only 1 or 2 Mbps. So it's not really a wifi hotspot to connect to from your phone; it's using EAP-SIM instead of WPA, and apparently it's never been a problem, but having no quota on your connection does help.

I guess in that case it's the ISP itself doing it so it feels a little better than a third party like Amazon sharing your connection even if it's only between Alexa devices.


Some pretty terrible reporting on this--the devices aren't making WIFI networks, but a 900MHz mesh-network to pass around IoT device messages. Depending on how the networking is implemented, this could not be the biggest vulnerability? Only time will tell. 

 

I suspect that this would be an extremely minute amount of data being transferred over your network, seeing as IoT devices are generally low power/low bandwidth. 

On 11/28/2020 at 2:37 AM, Gaires said:

these devices listen to you 24/7 

Not really though? I've yet to see any evidence that any of the major smart-home devices are recording your conversations 24/7 (or doing anything beyond processing them locally on-device to see if they match a trigger phrase). In fact, I've seen lots of network analysis of the devices which show the chance that this is happening is near 0% (unless somehow they can transfer data over a network without being detected).

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB
