Expert Insight On Amazon Sidewalk Connects Every Smart Device In The World – But Is It Safe?

BACKGROUND:

Amazon has now implemented its controversial ‘Sidewalk’ initiative, an experimental service that will automatically turn every Echo speaker, Ring camera and other Amazon device into a shared wireless network. It works by sharing a small slice of internet bandwidth with nearby neighbours who don’t have a connection (and vice versa) so as to create city-wide ‘mesh networks’ that help keep Amazon devices connected at all times, even when home Wi-Fi is unavailable. Naturally, this raises a number of stark cybersecurity concerns.

Expert Comments

June 09, 2021
Alan Grau
VP of IoT
Sectigo

According to Amazon, Sidewalk was designed with various precautions to prevent abuse. The system design includes data protection and privacy measures such as PKI for authentication, multiple levels of encryption, randomised IDs, and data minimisation to avoid impacting network performance.



While this theoretically provides a solid foundation for security, any time data travels across a foreign network, risk is introduced. With Sidewalk, data will be travelling freely across neighbours’ networks. While most individuals won’t inspect this data, it opens the door for abuse.



Sidewalk claims to utilise PKI to enable device authentication and secure network communication. However, they are using multiple Certificate Authorities (CAs), and provide little information on how the PKI is implemented. One concerning excerpt from the Sidewalk whitepaper says "a Sidewalk CA issues the Sidewalk Network Server certificate, while the Application Server can be a self-signed certificate or a certificate signed by Sidewalk CA."



Amazon does not provide full details on when a self-signed certificate can be used or how that is integrated into the overall architecture of the solution. Usage of self-signed certificates fails to meet PKI best practices and raises concerns about the integrity of the overall system.



Without a detailed security audit, it is impossible to determine what risks this raises, but it raises concern over the potential for abuse. If a bad actor creates a self-signed certificate for an application server, this could lead to a plethora of security risks.
