Alan Grau at Sectigo explores the pros and cons of Amazon’s new Sidewalk initiative.
Last month, Amazon implemented its controversial ‘Sidewalk‘ initiative – an experimental service that will automatically turn every Echo speaker, Ring camera and other Amazon device into a shared wireless network.
The Sidewalk project works by enabling Amazon IoT devices to share a small slice of internet bandwidth with nearby devices, such as those in neighbouring houses, which don’t have a connection. In practice, this will result in city-wide ‘mesh networks’ that help keep Amazon devices connected at all times even when home wi-fi is unavailable.
Naturally, this raises a whole host of cybersecurity concerns around personal privacy, data sharing and device security. Despite Amazon claiming that security is at the heart of the Sidewalk offering, many are calling for it to be scrapped altogether.
Sidewalk: the benefits
Amazon describes Sidewalk as a ‘shared network that helps devices work better’. It is ‘operated by Amazon at no charge to customers.’
In reality, the main benefits that Sidewalk offers customers are: simplifying new device setup; extending low bandwidth working range of smart devices to ‘help find pets or valuables’; and helping devices stay online even if they are outside the range of their home wi-fi.
For example, if your Echo device loses its wi-fi connection, Sidewalk can simply reconnect from another device in the vicinity. No doubt all these additions may prove convenient in the day-to-day, but at what cost?
Amazon has provided a statement on the privacy protocol of Sidewalk, in which it reassures users that ‘preserving customer privacy and security is foundational to how we’ve built Amazon Sidewalk. Sidewalk is designed with multiple layers of privacy and security to secure data traveling on the network and to keep customers safe and in control.’
Despite Amazon’s strong stance on security, the prospect of an open network with thousands of IoT devices sharing personal data with each other presents a huge potential risk.
According to the company, Sidewalk was designed with various precautions such as PKI for authentication, multiple levels of encryption, randomised IDs, and data minimisation to avoid impacting network performance. While this theoretically provides a solid foundation for security, anytime data travels across a foreign network risk is introduced. With Sidewalk, data will travel freely across neighbours’ networks.
While most individuals wouldn’t dream of inspecting, never mind using, this data, it opens the door for abuse. In the end, it takes just one malicious actor to put very sensitive personal information in danger – potentially affecting real people’s lives, such as the case of the Amazon Ring hack in which a young child was severely traumatised by an unauthorised intrusion into the home’s network.
Sidewalk claims to utilise PKI technology to enable device authentication and secure network communication. However, there is little information on how the PKI is implemented. One concerning excerpt from the official Sidewalk whitepaper says that ‘a Sidewalk CA issues the Sidewalk Network Server certificate, while the Application Server can be a self-signed certificate, or a certificate signed by Sidewalk CA.’
Amazon does not provide full details on when a self-signed certificate can be used or how that is integrated into the overall architecture of the solution. Worryingly, its usage of self-signed certificates fails to meet PKI best practices and raises concerns about the integrity of the overall system.
Without a detailed security audit, it is impossible to determine what risks this raises, but it does spark concern over the potential for abuse. If a bad actor creates a self-signed certificate for an application server, this could lead to a plethora of security risks.
Opt in or opt out?
The challenge that IoT security presents is the sheer multitude and diversity of devices, networks, and protocols that, left unchecked, could pose severe threats to companies and people. Cutting-edge security technology is needed in order to ensure the information remains under control.
The key issue for IoT security remains one that is often overlooked: security certificates built in from the start, and properly maintained throughout the device lifecycle. Without this, initiatives such as Sidewalk are bound to encounter problems.
Certificate-based authentication using PKI is the gold standard, providing a proven framework for security. As with most technologies, however, the devil is in the detail. Implementations can take a number of forms, using a variety of crypto and hash algorithms, and selection of the appropriate algorithms is critical to achieving robust security. It remains to be seen whether the approach Amazon has taken will offer consumers sufficient protection.
Ultimately, it’s up to consumers whether they decide to opt in or opt out of Amazon’s new scheme. However, regardless of whether customers wish to become part of the Sidewalk initiative, in such complex ecosystems where potentially millions of devices are sharing data, there should be no ambiguity over security.
Alan Grau is VP of IoT and Embedded Solutions at Sectigo
Main image courtesy of iStockPhoto.com