[SANS ISC] Amazon Sidewalk: Cutting Through the Hype, (Mon, Jun 7th)

Later this week (tomorrow?), Amazon will enable its new Sidewalk feature. The feature has already gotten a lot of bad press. Much of this comes from the fact that existing devices are automatically used as Sidewalk Gateways and users will have to opt-out. New devices may require a specific opt-in during setup.

Let’s first start with what Amazon Sidewalk is not: Amazon Sidewalk is not WiFi. It has WiFi components, but you are not allowing access to your WiFi network if you enable Amazon Sidewalk. Amazon Sidewalk allows for the exchange of specific messages to Amazon’s “Sidewalk Network Server”.

The use case for Amazon Sidewalk is sensors or IoT devices exchanging messages with applications. For example, a motion sensor may send a message whenever it detects motion, or a Tile tracker may update the network about its location.

Amazon Sidewalk consists of three components:

Endpoint Device (“Device”): This is the device using Amazon Sidewalk to communicate (for example location trackers, light switches or motion sensors).
Gateway: A gateway receives messages from devices and passes them to Amazon’s infrastructure (SNS). Amazon Echo devices or Amazon Ring Cameras are examples of gateways. They are always-on devices that are connected to the internet.
Amazon’s Sidewalk Network Service (SNS): This is the infrastructure Amazon runs to send and receive messages.

There are a number of radio standards that can be used by devices to send messages to gateways. Amazon mentions Bluetooth LE, LoRa, and 900 Mhz Frequency Key Shifting (“Garage Door Openers”). Once a message hits a gateway, it will likely use Wifi to travel to an internet router and from there via the Internet to Amazon’s SNS.

Intially, only Amazon devices and applications will be able to use Sidewalk. But Amazon specifically suggests that in the future, authorized 3rd parties will be able o participate as well. You may see various IoT or home automation production that will be able to connect to Amazon sidewalk, or act as a gateway.

In order to use Sidewalk capable devices, you will need a gateway. But you do not have to share the gateway with others. Your gateway will still work, and your own devices should still be able to use it. Typically you use a device specific Application to connect to your device or gateway. The same application will be used to configure the device and disable the sharing feature.

A Sidewalk capable device will arrive from the factory with a set of trusted certificate authorities pre-set. It will also include a unique public/private key pair with certificates that are signed by an trusted manufacturer’s signing certificate. This will be the used to identify the device, and authorize access to the network. Amazon may block devices that misbehave. Devices will regularly register with Amazon using these certificates, and negotiate encryption keys.

Any messages sent by the device will be encrypted on the device, and then again by the gateway (the gateway is not able to decrypt the messages). The message can only be decrypted on Amazon’s SNS as it has the keys for both the gateway and the device (gateways also register with Amazon). Amazon will remember which gateway sent a message from a particular device. To reply, or send a message to a particular device, Amazon will send it to the gateway that was last used by the device.

There are a couple of things Amazon says it is doing to protect the network and the customers:

The network will be “closed” with only approved developers and manufacturers being able to use it. To use the network, a manufacturer needs a trusted signing certificate. We will see how well Amazon manages the process (like “Marketplace” ?)
The total bandwidth used by a gateway will not exceed 80Kbps. This network is meant for small messages/status updates. Not for “Web Browsing”.
A gateway will limit itself to 500MB of total traffic. This isn’t much, but could be a problem on some expensive minimum data cap internet connections (cellular modems or some legacy satellite services)
Privacy: Amazon says that the gateway will not see any device identifier and the device will not see the gateway’s identifier.

While the network isn’t intended for “Internet Access”, it is almost certainly going to be used as a messaging network. It should be trivial to open an approved device and replace the sensor with a device providing values to be sent over sidewalk. This would retain the certificate infrastructure embedded into the device without having to extract them. As a next step, someone is going to figure out (or already has?) how to extract the certificates used to authenticate the device and completely re-build them in software.

A lot of the “magic” happens on Amazon’s side, and it remains to be seen what Amazon will do with the data. Should you disable Sidewalk access sharing? For the most part: You are already connecting to Amazon’s cloud, and entrusting Amazon with your security camera’s video footage and home automation sensor data just by using Amazon devices. Sidewalk does not appear to expose you to a substantial additional risk. There is a possibility that gateways will not implement the protocol correctly, and a malformed message will lead to code execution on the gateway. Give it a couple weeks/months for people to play with this to see what happens. Notably, a lot of checking and access control is done by Amazon. The gateway will just validate that the message is formated correctly.

[1] https://www.amazon.com/Amazon-Sidewalk/b?ie=UTF8&node=21328123011

[2] https://developer.amazon.com/en-US/blogs/alexa/device-makers/2020/09/amazon-sidewalk-paves-the-way-for-more-connected-communities

[3] https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf





Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[BleepingComputer] Linux version of HelloKitty ransomware targets VMware ESXi servers

​The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware’s ESXi virtual machine platform for maximum damage. […] Source: Read More (BleepingComputer)

Read More

[ThreatPost] ‘Battle for the Galaxy’ Mobile Game Leaks 6M Gamer Profiles

All posts, ThreatPost

Unprotected server exposes AMT Games user data containing user emails and purchase information. Source: Read More (Threatpost)

Read More

[SecurityWeek] CISA Analyzes FiveHands Ransomware

All posts

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the FiveHands ransomware, roughly one week after FireEye’s Mandiant security researchers reported seeing the malware in recent attacks. read more Source: Read More (SecurityWeek RSS Feed)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.