it's going to be fun to find out how to tap into this and get a few GBs of free internet off various rings'n'things.
Owners of Amazon Echo assistants and Ring doorbells have until June 8 to avoid automatically opting into Sidewalk, the internet giant's mesh network that taps into people's broadband and may prove to be a privacy nightmare. The idea is that if, for instance, your internet connection goes down or is interrupted, your Amazon …
As an update I have already filed a complaint with my state's Attorney General over Amazon Sidewalk's [eventual, once activated] theft of services. I will be contacting Amazon directly to notify them of their infractions, the fact that I have made an official complaint, and I may consider contacting my attorney to file an injunction against Amazon.
It would be good to talk to your ISP also - I'm pretty sure I saw a clause in the Terms-of-Service with Comcast prohibiting me from sub-leasing my internet access, for example to a third party to provide internet access to parties not physically located at my premises. The exact type of "service" Amazon wants to hijack end-user internet connections for to create its own private internet access service for.
I'll bet every Amazon product user who gets their internet hijacked by Amazon will unwittingly be in violation of their ToS as soon as Amazon turns Sidewalk on...
"Owners of Amazon Echo assistants and Ring doorbells have until June 8 to avoid automatically opting into Sidewalk, the internet giant's mesh network that taps into people's broadband and may prove to be a privacy nightmare."
It will be a privacy nightmare. We need regulation for things like this.
Is it possible to make a clear plastic Faraday sheath that can be worn over one's normal attire, water & wind proof against the weather, that would allow you to essentially become a mobile EMF void. No signals in, no signals out, so if anything on your person is thusly broadcasting, the sheath stops the signal dead. Put a breast pocket with button flap on the outside large enough to fit even a largish cellphone, that way you can still leave your device able to connect to the cell/wifi networks, otherwise just drop it in your bag or trouser pocket inside the sheath to prevent it from communicating until & unless you give it the ability to do so.
Is there a non-interactive way to force a cellphone to switch to airplane mode? Slip the thing inside the sheath & it auto-switches to taking a nap until you wake it up to actually use it.
Or am I just enjoying another fantasy of thwarting Big Brother again? *Sigh*
it is very very hard at higher frequencies.
at about 1GHZ it's close to 1cm for a wave length.
the issue is that anything more than a 1CM gap allows higher frequencies in.
so air holes are out....
Generally metalised plastics do very well....
be 100% clear that unless your phone is "off" you are not off.
also "off" is not a physical state, it is a computer coded state that operates some mode inside the phone.
and as such can easily be bypasses to be "on".
the only real way is to remove the phone battery...... but strangely that's not an option any more......
It's easy to stop all these items from doing as they please.
Take all your do-dads like your phone and other OIT shit and put it in your microwave oven for 3-4 minutes.
Had anyone notice that there isn't a microwave oven that wants to phone home being sold. And I haven't heard of one being offered with a network port yet.
I got an idea, just don't buy any of this crap, problem solved.
Well, sort of but why would you do that? If you're worried about a specific device broadcasting, then you can put it into a more convenient shielded thing. If you're worried about a device you don't know about, then it's probably not on your person, but instead in something that goes around with you such as a bag or a vehicle. A bag which blocks signals is likely more useful than trying to make clothing for the purpose.
Yep but most of this shit is going to backfire spectacularly.....
WE were doing "Bag tracking" devices exactly the same as the apple "tile" credit card sized crap
it's an off the shelf product.
but then the Samsung .... let's burn the phones fiasco started & airlines banned the tech.
so all the bag tags with lithium batteries was banned, and now they are trying to re-introduce the tech.
I would put it on github and offer 10K for each 0-day or info disclosure found.
As such, security barely got a mention. It is an awkward grab of consumer data made by an envious and vain corporation.
Might this be one reason why Bezos stepped away so when this blows up, not to sully his reputation - if that is even possible.
This is really problematic. Who thought this up?
"The Ring Of Fire doorbell is equipped with seven firewalls. That's one for each of the five advertised wireless protocols you can attack it over, one for the unpublished remote Amazon-telemetry protocol, and one physical butane burner which can be configured to protect the bell's push button itself from pre-identified individuals in the facial database as well as general classes of undesirable such as chuggers, preachers, and sellers of rival doorbells."
Much as I loathe Amazon, we’ve been sending our traffic over other peoples network kit since the internet began. In terms of security threat, it’s already solved by TLS.
The better argument against it is bandwidth, but that’s going to depend on your net connection. I suspect the number they mention are negligible for most
Finally doesn’t apple’s Find my device do the same thing? As does lorawan and so on? Much lower bandwidth of course, but it makes it harder to object to the principle
You don't have any ISP safe harbour provisions protecting traffic that passes through your router. It's assumed to all originate with you. When the police show up asking who has been posting IED making instructions or photos of little kids from your home, good luck convincing them the Echo dun it.
With this mesh, traffic through your router to your ISP now includes totally unknown encrypted traffic that you have no control over.
So actually LE suddenly lose the probable cause argument, and would have to inspect logs to determine what and where.
So... what Amazon may have to do is be able to turn off mesh activity for multiple node on police order, to isolate the traffic for a while as being just those households. Doesn't seem practical, and legally a fishing expedition.
> You don't have any ISP safe harbour provisions protecting traffic that passes through your router. It's assumed to all originate with you.
First, that's a huge, untested assumption, and even if it is true for the general case, the endpoint here is - by definition - Amazons servers, where it will necessarily be arriving tagged with details about which device generated it.
> good luck convincing them the Echo dun it.
To repeat: it's literally encrypted until it arrives at Amazons server, tagged with the device that generated it.
> posting IED making instructions
How? By holding pictures of them up in front of the doorbell?
I really don't think you've thought the specifics of this proposal through. I know it's fun to wave our hands in the air and shout over my dead body, but it's still just noise.
Most of this is disputable or wrong.
"we’ve been sending our traffic over other peoples network kit since the internet began. In terms of security threat, it’s already solved by TLS."
No, that's not how this works. The threat is not the security of our data. The threat is the pathway to a potential attack. If someone can use the sidewalk system to access a device on my network, they could use it to gain information about my network and other devices on it. While we have been using others' equipment to send our traffic, we typically don't allow unknown devices to use our equipment.
"Finally doesn’t apple’s Find my device do the same thing?"
No. It doesn't. It uses the network information already known by the device, which works pretty well because a lot of them have cellular radios and have connected to WiFi before. It does not have a secret tunnel through others' devices.
"As does lorawan"
LoRa? No, that doesn't either. That's a radio protocol which doesn't even connect to the internet. If you want to bridge the LoRa network you've set up to the internet, you need the equipment which does it. Or someone might (might) have one already and agree that you can use it, but that's like asking your neighbor to let you use their WiFi. It is not required for the system and not expected by it either.
> No, that's not how this works. The threat is not the security of our data. The threat is the pathway to a potential attack. If someone can use the sidewalk system to access a device on my network, they could use it to gain information about my network and other devices on it.
OK, so your concern is: you have Amazon kit, it's set to relay from other devices. So traffic will route over it, and some undiscovered flaw in the router may allow it to attack your local network. Which is reasonable, and you're correct it would be an attack vector that doesn't exist now. Of course a wireless AP is already attackable by anyone within range, and attacks have been made on WEP/WPA etc. However this brings the network stack into that realm too, giving an attacker a "bridgehead" if you like. If that's your point then sure, I'll accept that.
Not plan Lora, LoraWan. Gateways typically receive and forward packets from unknown sources, which is what everyone seems to be up in arms about.
Owners of Amazon Echo assistants and Ring doorbells have until June 8 to avoid automatically opting into Sidewalk
Mostly won't happen. The people who have this sort of kit want it to connect and be as useful to them as possible. The idea that their 'smart' speaker or whatever might fall off the network if PlusNet (other ISPs are more available) has a hiccup is abhorrent to them.
When some bastard screws them over by inventive use of these features their response will not be to blame Amazon or tighten their own security but to want a new law to stop people doing 'This Sort of Thing'.
(Side note: I was *very* pleased that a relative had the good manners to turn off her Echo device when I visited her recently.)
"(Side note: I was *very* pleased that a relative had the good manners to turn off her Echo device when I visited her recently.)"
There's an xkcd that shows how to make sure you always get that treatment. Just walk in the front door and clearly say: "Alexa, buy fifty gallons of creamed corn... Alexa, confirm purchase."
Substitute KY jelly, mayonnaise, or chicken blood as (in)appropriate.
While visiting my Mother she had a chat with the police officer who had come to investigate the burglary that had happened to her next door neighbour. The police man was trying to get her to buy a Ring doorbell.
"S, what's a Ring doorbell".
"Mum, it's state surveillance privately funded"
At this point the policeman nodded vigorously and said, "Yes! We want everyone to install it".
No, they won't abuse it because the system is built exactly for that. That's "stalking by design" - although Amazon wish it only could stalk its users - but obviously it won't be able to ensure it.
Have to call Shenzen to start mass producing "Tiles" in some cute and/or innocuous-looking shapes... "hey, girl, attach this cute soft and fluffy cat toy to your bag....", "look wife, I got you this 'Prada' (he he) wallet for your birthday...."
Those working at Amazon & C. are now utterly unable to understand what they are putting on the market - they can see only the $$$$$$ they hope to gain if they can gather more user data.
> if.., your internet connection goes down.., your Amazon smart home devices will .... wirelessly connecting to neighbors' ...gadgets and using their internet connection instead.
Urbanites. Up here in the woods of Maine I can hardly 'see' my one neighbor's WiFi router, 150 meters away through dense brush. It reads as barely 1 bar, and I have never connected. And the idea that Spectrum could issue new Wi-Fi boxes (potentially with longer reach) is absurd (I had to keep calling to get a Wi-Fi which worked across the house).
Yes, in-town I have seen places with a dozen or more Wi-Fi points visible. I feel sorry for those folks.
I do agree that several mega-corps have confused and confounded "find my keys" with "find my victim". And that happens so often out here that the newspaper has boilerplate advice for victims of abuse.
As someone who recently worked at Amazon helping to develop products, I can assure you that you are 100% correct. Their management, and especially product management, have been so diluted with bad hiring and incompetent policies while being put under pressure that contains so many perverse incentives that I'm shocked the company hasn't imploded yet.
It's become the picture of what Jeff used to call a 'day 2' company. Zero surprise he and his clique all got worried by what they saw around them and bailed, most of the good people throughout the organization are as well/were doing so throughout last year.
No thanks to all of this - no Rings, no Echos, no Dots, no Kindles, no flying cameras in my bedroom, no using my bandwidth for unknown purposes. I buy a few things from Amazon once in a whle, and I watch some of their movies and that's what the extent of our relationship will be, no more. Although I do get a warm feeling in my heart when I see videos of Ring doorbells being ripped off the wall with a crowbar by people in masks. Your cloud don't help you much there, eh? My $5 doorbell (lighted!) has never once been the victim of a crime. Perhaps the Amazon Ring could get an upgrade to send out warnings when this happens, and an Amazon drone can swoop in and attack, or the Dot could automatically re-order ammunition and a replacement Ring, this time with extra heavy-duty screws. Absurdness from a company that cares about nothing at all about anyone or anything except for themselves and making money. The fact that opting out is required demonstrates quite clearly where their priorities lie.
Well, I bought into Ring before Amazon bought the company out.
I am seriously considering ripping it all out and going with a independent solution. But, when thoughtfully considered, the large majority of independent home surveillance equipment is either build in, or marketed by, Chinese companies, a government that doesn't exactly care about the idea of "personal privacy".
You may be damned if you do, damned if you don't.
Regardless, I do not believe that Sidewalk will be of a concern for me, as my property is over a hectare and I only have one neighbor.
RPi Zero W (https://www.adafruit.com/product/3400), CSI-2 cable (https://www.adafruit.com/product/3157), and a CSI-2 wide angle camera (https://www.seeedstudio.com/Raspberry-Pi-Wide-Angle-Camera-Module.html), powered from the hardwired doorbell circuit using a 48V DC power supply instead of the standard 120VAC-to-12VAC transformer (https://www.digikey.com/en/products/detail/mean-well-usa-inc/MPM-30-48ST/7707313), and a little point-of load step down regulator at the RPi (https://www.digikey.com/en/products/detail/analog-devices-inc/LTM4653EY-PBF/8572272).
With this Bill-of-Materials, you can replace a Ring Pro Doorbell - and you will have power of the whole software stack you elect to implement.
"there is bound to be at least one bug or overlooked shortcoming that will affect someone somewhere"
Just need to wait until somebody cracks the protocol used and then people can happily download "forbidden content" (bring your own subtext) on somebody else's connection.
There needs to be legislation to the effect of "only devices that the bill payer authorises is permitted to use their connection", to prevent companies sneaking in shit like this.
1) This is a great opportunity for anyone selling 900MHz jammers. The LoRa will be the backbone of actually talking to your neighbours for most people considering that Bluetooth has trouble linking two rooms in the same house. A fairly low power simple oscillator and antenna will get the job done I suspect. Easy to do and very cheap.
2) I like the Amazon devices for their convenience, but it looks like I'm going to have to move them to a separate wifi network and lock down its internet access to just their primary back end server and nothing else. I would recommend others take a similar approach if keeping these.
Coverage of this 'issue' has been overwhelmingly negative but its all based on an outdated notion of data devices. To a large extent we're still mentally stuck in the telephone age, back where a subscriber had a dedicated link and bought time/data on that link as needed. This notion went away with wireless but people still had this mental model, they thought in terms of exclusive channels and were much put out to discover that their WiFi kit was communicating with anything within range, in fact it seems that most people still haven't grasped the notion of shared spectrum, they still think in terms of radios that need tuning like the ones that they grew up with.
Sidewalk appears to be just a fallback mesh network, a backup for when the main external connection fails. We have come to rely on our data connections but as many people have learned to their cost the entire system -- ISPs, cell providers and so on -- is just not as reliable as the old-fashioned POTS used to be. We've had outages in the last year that have lasted a day or more, outages where we've had to rely on spotty (and now completely overloaded) cell service. Since we're now relying on an unreliable data connection to defend our property and person and, increasingly, to monitor our well being having a fundamentally unreliable system at its core is making a nonsense of the provisioning of those services. This has to be addressed. Its not just security that's important, either -- as we age we are starting to rely on Internet connected devices to monitor our well being (Amazon, for example, is piloting a program which uses Echo devices to monitor aged relatives, the system notifying designated contacts if it detects a problem.)(No, its not the Evil Empire striking again -- its a logical use for voice assistants; anyway, think about it -- if you're housebound then you're going to need to get most of your stuff delivered to you.....)
I haven't downvoted you, but I suspect others have because we live in a world where the powers that be consider it acceptable to tie an IP address to a person when it suits them, and along come a device that would appear to be happy to opt you in to sharing your connection with "whatever".
I get that Amazon wants to have a more stable and reliable connection to the mothership, as it makes news on this very site when smart gadgets fall over and cease working because they aren't even remotely smart and seem incapable of working without being constantly told what to do.
But, you know, my internet is that there for provisioning their service. Aak for permission first, and be prepared to provide incentives. Otherwise FO.
Another way to look at it - if Amazon is successful in doing this, who else might look to using the connectivity that you pay for as part of their service? When will it end?
And as mentioned at the very start, your IP address is you. You are responsible for what happens with your connection. The buck stops with you. That alone should be sufficient motivation to not want to share your connection with complete strangers.
Er, no. The notion that a subscriber has a link hasn't gone away with Wi-Fi. I still subscribe to, and pay for, the backhaul link, just like in the Good Old Days when it was just voice. The fact that we've now added a data device at the edge doesn't make any difference to the underlying arrangement.
I'm fortunate enough to be on an unlimited plan, but I can imagine this mightn't be popular with those on a metered plan.
What's the Ring model here? They're saying that the traffic would be low. What about that nice video traffic? So, could I, say, set up a Ring doorbell, then ban it from my network, so it just uses my neighbour's link?
Biting the hand that feeds IT © 1998–2021