Amazon turning Alexa devices into an opt-out public WiFi mesh network

[Lurick]

1 hour ago, Blade of Grass said:

Some pretty terrible reporting on this--the devices aren't making WIFI networks, but a 900MHz mesh-network to pass around IoT device messages. Depending on how the networking is implemented, this could not be the biggest vulnerability? Only time will tell. 

 

I suspect that this would be an extremely minute amount of data being transferred over your network, seeing as IoT devices are generally low power/low bandwidth. 

Not really though? I've yet to see any evidence that any of the major smart-home devices are recording your conversations 24/7 (or doing anything beyond processing them locally on-device to see if they match a trigger phrase). In fact, I've seen lots of network analysis of the devices which show the chance that this is happening is near 0% (unless somehow they can somehow transfer data over a network without being detected).

I know Amazon even gives you the option to see every voice recording it's seen or time it was activated and even listen to them yourself if you want to and while at first it was triggering a lot on false positives and whatnot it's gotten a ton better and I almost never see anything outside of when I say the wake word now.

[EpiCheeseTime]

Are the going to be the ones paying for my data overages or my cost to rebuild if my network gets taken down from someone hacking through it?

[jagdtigger]

2 hours ago, Blade of Grass said:

Depending on how the networking is implemented,

It wont matter, IOT is pretty much a swiss cheese security wise....

[Blade of Grass]

46 minutes ago, jagdtigger said:

It wont matter, IOT is pretty much a swiss cheese security wise....

If all it's doing is passing around encrypted blobs, I can't imagine there's that large of an attack surface for this specific feature. But yes in general IoT devices are a very mixed bag security wise.

[jagdtigger]

15 hours ago, Blade of Grass said:

If all it's doing is passing around encrypted blobs

Most of these devices made to be as cheap as possible, including the CPU. Guess if a piss weak cpu could handle any encryption when its already have its hands full running the device's main functions......

[nic_]

As @Blade of Grass mentioned, there's a lot of incorrect information being passed around about this topic, including what was mentioned on the WAN show recently. Amazon's consumer page for Sidewalk certainly doesn't help, but their published whitepaper goes into great technical detail.

 

Sidewalk is a mesh network, but it's not WiFi, and it does not carry IP packets. This is much more like a Phillips Hue bridge as a service, it enables low-power devices to talk to each other and relay select (encrypted) messages back to Amazon to be relayed to vendors.

 

If you're interested in the security side of it, the whitepaper is pretty good.

[CorruptedTech]

Lol funny, I ordered Echo Dot for black friday. welp

[Scheer]

Amazon sidewalk is basically this: https://www.thethingsnetwork.org/

 

And to be honest, I wouldn't be surprised if they literally just use a private TTN network... Its been around for years and works extremely well. There is very likely a public TTN hotspot near you, if not there is almost certainly a private TTN network near you.

 

The concept of LoraWAN is amazing IMO, and TTN's makes it even better. You willingly host the hotspot, essentially for the greater good of the technology, and get access to every public hotspot to send data across without any monthly charges, really I don't think you even need to host a hotspot... You could build a small transmitter that sends GPS coords every 30 minutes for under $50 with a battery life of several years, so if you bike is ever stolen you can track it down, and its going to work as long as it is within 5ish miles outdoors or halfish of a mile inside of any public hotspot. The only downside is the fairly slow adoption rate of hotspots, but if Amazon was to tie Sidewalk in it would instantly become the greatest IOT network.

 

As for Amazon's implementation, this isn't going to be for sending a video stream of your Ring camera across the internet to you at work, its simply going to be a tiny payload that will send a notification saying your internet is out. Lets say your house starts on fire while your internet is out, or a door gets opened while the system is armed... rather than needing to pay $10+/month for cellular backup it will just send the tiny payload with a warning to you.

 

In a nutshell, think of it like a free miniature version of a very slow network of cellular towers. Plus you get the excitement of another new "deadly cancer causing network" for the media to flip out about and watch people start burning down other people's houses to get rid of the Echo's.

 

 

11 hours ago, gabrielcarvfer said:

Correct.

You don't know that and should not blindly trust what they say.

Encrypted messages that could be tunneling all sorts of payloads (e.g. WiFi traffic). It still uses your network to provide access to 3rd-parties.

It is so low bandwidth I really don't think it could realistically carry IP traffic as it sends payloads of a few bits, a single IP packet is several bytes. Most implementations will send something like 8 bits every 15 minutes or so for status monitoring or even as small as 2 bits for state change if you were to press a button (plus the overhead of end to end 128bit encryption which is most of the bandwidth), we will just have to wait and see how they end up setting it all up. I'm sure there is someway to hack the system and get some sort of encrypted data out of it, but why waste the time, if you already have internet there are a thousand much easier ways to steal information from you.