Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

Amazon turning Alexa devices into an opt-out public WiFi mesh network

On 11/27/2020 at 5:24 PM, Senzelian said:

 

From the linked article:

image.png.45b7f0a51a7a0dc864c7664b702e7207.png

 

It's certainly not common in Germany for your router to be a public WiFi hotspot. 
What is common, is that we do not use dedicated modems and instead combine modem and routers. 

 

Not the case in the UK i can confirm that, both my old TalkTalk router and my new Virgin one come with built in wifi passwords.

Link to post
Share on other sites

In France an ISP/mobile network company is doing something similar, it's free.fr  there's a dedicated wifi network than you can turn off to let other customer use your connection well sort of because it's only 1 or 2 Mbps. So it's not really wifi hotspot to connect from your phone it's using eap-sim instead of wpa and apparently it's never been a problem but having no quota on your connection does help.

I guess in that case it's the ISP itself doing it so it feels a little better than a third party like amazon sharing your connection even if it's only between alexa devices.

Link to post
Share on other sites

Some pretty terrible reporting on this--the devices aren't making WIFI networks, but a 900MHz mesh-network to pass around IoT device messages. Depending on how the networking is implemented, this could not be the biggest vulnerability? Only time will tell. 

 

I suspect that this would be an extremely minute amount of data being transferred over your network, seeing as IoT devices are generally low power/low bandwidth. 

On 11/28/2020 at 2:37 AM, Gaires said:

these devices listen to you 24/7 

Not really though? I've yet to see any evidence that any of the major smart-home devices are recording your conversations 24/7 (or doing anything beyond processing them locally on-device to see if they match a trigger phrase). In fact, I've seen lots of network analysis of the devices which show the chance that this is happening is near 0% (unless somehow they can somehow transfer data over a network without being detected).

15" MBP TB

Serenity: Intel 4960x | ASUS X79-E WS | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB

Link to post
Share on other sites
1 hour ago, Blade of Grass said:

Some pretty terrible reporting on this--the devices aren't making WIFI networks, but a 900MHz mesh-network to pass around IoT device messages. Depending on how the networking is implemented, this could not be the biggest vulnerability? Only time will tell. 

 

I suspect that this would be an extremely minute amount of data being transferred over your network, seeing as IoT devices are generally low power/low bandwidth. 

Not really though? I've yet to see any evidence that any of the major smart-home devices are recording your conversations 24/7 (or doing anything beyond processing them locally on-device to see if they match a trigger phrase). In fact, I've seen lots of network analysis of the devices which show the chance that this is happening is near 0% (unless somehow they can somehow transfer data over a network without being detected).

I know Amazon even gives you the option to see every voice recording it's seen or time it was activated and even listen to them yourself if you want to and while at first it was triggering a lot on false positives and whatnot it's gotten a ton better and I almost never see anything outside of when I say the wake word now.

Current Network Layout:

Current Build Log/PC:

Prior Build Log/PC:

Link to post
Share on other sites

Are the going to be the ones paying for my data overages or my cost to rebuild if my network gets taken down from someone hacking through it?

Link to post
Share on other sites
2 hours ago, Blade of Grass said:

Depending on how the networking is implemented,

It wont matter, IOT is pretty much a swiss cheese security wise....

Link to post
Share on other sites
46 minutes ago, jagdtigger said:

It wont matter, IOT is pretty much a swiss cheese security wise....

If all it's doing is passing around encrypted blobs, I can't imagine there's that large of an attack surface for this specific feature. But yes in general IoT devices are a very mixed bag security wise.

15" MBP TB

Serenity: Intel 4960x | ASUS X79-E WS | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB

Link to post
Share on other sites
15 hours ago, Blade of Grass said:

If all it's doing is passing around encrypted blobs

Most of these devices made to be as cheap as possible, including the CPU. Guess if a piss weak cpu could handle any encryption when its already have its hands full running the device's main functions......

Link to post
Share on other sites

As @Blade of Grass mentioned, there's a lot of incorrect information being passed around about this topic, including what was mentioned on the WAN show recently. Amazon's consumer page for Sidewalk certainly doesn't help, but their published whitepaper goes into great technical detail.

 

Sidewalk is a mesh network, but it's not WiFi, and it does not carry IP packets. This is much more like a Phillips Hue bridge as a service, it enables low-power devices to talk to each other and relay select (encrypted) messages back to Amazon to be relayed to vendors.

 

If you're interested in the security side of it, the whitepaper is pretty good.

Link to post
Share on other sites
5 hours ago, nic_ said:

Sidewalk is a mesh network, but it's not WiFi

Correct.

5 hours ago, nic_ said:

and it does not carry IP packets.

You don't know that and should not blindly trust what they say.

5 hours ago, nic_ said:

it enables low-power devices to talk to each other and relay select (encrypted) messages back to Amazon to be relayed to vendors.

Encrypted messages that could be tunneling all sorts of payloads (e.g. WiFi traffic). It still uses your network to provide access to 3rd-parties.

Link to post
Share on other sites

Amazon sidewalk is basically this: https://www.thethingsnetwork.org/

 

And to be honest, I wouldn't be surprised if they literally just use a private TTN network... Its been around for years and works extremely well. There is very likely a public TTN hotspot near you, if not there is almost certainly a private TTN network near you.

 

The concept of LoraWAN is amazing IMO, and TTN's makes it even better. You willingly host the hotspot, essentially for the greater good of the technology, and get access to every public hotspot to send data across without any monthly charges, really I don't think you even need to host a hotspot... You could build a small transmitter that sends GPS coords every 30 minutes for under $50 with a battery life of several years, so if you bike is ever stolen you can track it down, and its going to work as long as it is within 5ish miles outdoors or halfish of a mile inside of any public hotspot. The only downside is the fairly slow adoption rate of hotspots, but if Amazon was to tie Sidewalk in it would instantly become the greatest IOT network.

 

As for Amazon's implementation, this isn't going to be for sending a video stream of your Ring camera across the internet to you at work, its simply going to be a tiny payload that will send a notification saying your internet is out. Lets say your house starts on fire while your internet is out, or a door gets opened while the system is armed... rather than needing to pay $10+/month for cellular backup it will just send the tiny payload with a warning to you.

 

In a nutshell, think of it like a free miniature version of a very slow network of cellular towers. Plus you get the excitement of another new "deadly cancer causing network" for the media to flip out about and watch people start burning down other people's houses to get rid of the Echo's.

 

 

11 hours ago, gabrielcarvfer said:

Correct.

You don't know that and should not blindly trust what they say.

Encrypted messages that could be tunneling all sorts of payloads (e.g. WiFi traffic). It still uses your network to provide access to 3rd-parties.

It is so low bandwidth I really don't think it could realistically carry IP traffic as it sends payloads of a few bits, a single IP packet is several bytes. Most implementations will send something like 8 bits every 15 minutes or so for status monitoring or even as small as 2 bits for state change if you were to press a button (plus the overhead of end to end 128bit encryption which is most of the bandwidth), we will just have to wait and see how they end up setting it all up. I'm sure there is someway to hack the system and get some sort of encrypted data out of it, but why waste the time, if you already have internet there are a thousand much easier ways to steal information from you.

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×