Amazon Sidewalk
-
Do you want to share with your neighbors? Another good reason why I do not have a device in my house that listens to what I say and orders stuff it thinks I want.
-
@Mik said in Amazon Sidewalk:
Do you want to share with your neighbors? Another good reason why I do not have a device in my house that listens to what I say and orders stuff it thinks I want.
Not no, but hell no.
It's the same reason I didn't get an XFinity router/modem for my internet. You can be part of "XFinityWiFi" and allow guests to hop onto your part of a larger network.
-
“Amazon Sidewalk” is arguably worse than XfinityWifi in that, when Comcast sticks XfinityWifi into your Comcast-provided routers, Comcast have enough sense to use a separate channel for XfinityWifi data traffic, separate from your own data traffic, and where there are “data caps” Comcast knows to separately account for XfinityWifi traffic so it won’t count against your “data cap.” “Amazon Sidewalk” gives you no such consideration; Amazon by itself has no capability to get your ISP to separately account for “Amazon Sidewalk” traffic apart from your regular data traffic. So, yeah, you will foot the bill to carry the data traffic for “Amazon Sidewalk.”
-
More good news from Amazon.
Remember that Echo Dot you "reset" and sold on eBay?
Guess what, you didn't wipe it after all.
Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn’t. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners' Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process.
The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory.
“An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks),” the researchers wrote in a research paper. “We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset.”
In addition to the 86 used devices, the researchers bought six new Echo Dot devices and over a span of several weeks provisioned them with test accounts at different geographic locations and different Wi-Fi access points. The researchers paired the provisioned devices to different smart home and Bluetooth devices. The researchers then extracted the flash contents from these still-provisioned devices using the techniques described earlier.
After extracting the flash contents from their six new devices, the researchers used the Autopsy forensic tool to search embedded multimedia card images. The researchers analyzed NAND dumps manually. They found the name of the Amazon account owner multiple times, along with the complete contents of the wpa_supplicant.conf file, which stores a list of networks the devices have previously connected to, along with the encryption key they used. Recovered log files also provided lots of personal information.
Because the researchers provisioned the devices themselves, they knew what kinds of information the devices stored. They used this knowledge to create a list of keywords to locate specific types of data in four categories: information about the owner, Wi-Fi-related data, information about paired devices, and geographic information. Knowing what kinds of data are on the device can be helpful, but it’s not necessary for carrying out the attack.
After dumping and analyzing the recovered data, the researchers reassembled the devices. The researchers wrote:
"We confirmed that the device connected successfully, and we were able to issue voice commands to the device. When asked “Alexa, Who am I?”, the device would return the previous owner’s name. The re-connection to the spoofed access point did not produce a notice in the Alexa app nor a notification by email. The requests are logged under “Activity” in the Alexa app, but they can be deleted via voice commands. We were able to control smart home devices, query package delivery dates, create orders, get music lists and use the “drop-in” feature."
"One of the queries is “Alexa, Who am I,” and the device will tell the owner's name. All services that the previous owner used are accessible. For example, you can manage your calendar through the Echo. Also, the Echo will get notifications when packages are about to arrive or you can use the Drop-In feature (as in, talking to another Echo of yours). If someone does not use any smart home devices, then you obviously cannot control them."
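Added example, not part of the original post or the researchers' tooling: a small check over a raw flash image that reports whether a factory reset left behind the kinds of data described above, namely `wpa_supplicant.conf` network blocks and keyword hits in the four categories. The sample image and the keyword strings are constructed assumptions; recovered keys are redacted in the report.

```python
import re

# The four categories come from the article; the keyword strings are
# assumptions made up for this example, not the researchers' list.
CATEGORIES = {
    "owner": [b"customerName"],
    "wifi": [b"ssid=", b"psk="],
    "paired_devices": [b"applianceId"],
    "geo": [b"postalCode"],
}
# A wpa_supplicant.conf entry looks like: network={ ssid="..." psk="..." }
NETWORK_BLOCK = re.compile(rb"network=\{(.*?)\}", re.DOTALL)
FIELD = re.compile(rb"^\s*(ssid|psk|key_mgmt)=(.*?)\s*$", re.MULTILINE)

# Constructed sample: erased-flash filler (0xFF) around leftover config data.
SAMPLE_IMAGE = (
    b"\xff" * 64
    + b'network={\n\tssid="ExampleNet"\n\tpsk="correct-horse"\n\tkey_mgmt=WPA-PSK\n}\n'
    + b"\x00" * 32
    + b'{"customerName":"Test User","postalCode":"00000"}'
    + b"\xff" * 64
)

def redact(value: bytes) -> str:
    """Keep two characters so a finding is recognisable but not reusable."""
    text = value.decode("ascii", "replace").strip('"')
    return text[:2] + "*" * max(len(text) - 2, 0)

def find_wifi_residue(image: bytes) -> list:
    """Return one finding per leftover network block that names an SSID."""
    findings = []
    for block in NETWORK_BLOCK.finditer(image):
        fields = dict(FIELD.findall(block.group(1)))
        if b"ssid" in fields:
            psk = fields.get(b"psk")
            findings.append({
                "offset": block.start(),
                "ssid": fields[b"ssid"].decode("ascii", "replace").strip('"'),
                "psk": redact(psk) if psk else None,
            })
    return findings

def keyword_hits(image: bytes) -> dict:
    """Count keyword occurrences per category across the whole image."""
    return {c: sum(image.count(k) for k in ks) for c, ks in CATEGORIES.items()}

def reset_left_residue(image: bytes) -> bool:
    return bool(find_wifi_residue(image)) or any(keyword_hits(image).values())
```
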
-
It’s still just a gadget to me and it never found a useful place in my life. Play Jeopardy on it with the fam and then unplug it again.
-
Be aware that Sidewalk can only manage a speed of 80Kbps.
Costs for traffic wouldn't be my main concern.
Theoretically, it would be possible to design such a system in a secure way, or at least as secure as your WiFi password, but one has to have a lot of trust in Amazon and there is no way to check what they are actually doing.