A new feature has the potential to put Amazon devices — and your business — at risk.
It seems like everywhere we go nowadays, the Internet is all around us. And beginning on June 8, 2021, the Internet will be waiting right outside your door. Always there, always-on, courtesy of Amazon, for Amazon devices.
Amazon Sidewalk is a new feature that uses the Bluetooth Low Energy (BLE) radio in newer Amazon Echo and Ring devices to broadcast a low-bandwidth (900 MHz), long-range wireless signal up to half a mile away. And unless you proactively opt-out of the feature, Amazon plans to activate and enable Sidewalk by default on supported devices on June 8.
The purpose of Sidewalk is to create a massive mesh network for Sidewalk Endpoints. This mesh network allows devices to connect instantly to each other and to help make it easier to set up new Amazon products on your home Wi-Fi network. This all sounds well and good, except when you stop to consider three glaring problems with this strategy.
There are 3 important reasons you should take particular care regarding smart devices and their security.
The first consideration is the inherent vulnerabilities in consumer smart home devices (including Echo smart speakers or Ring Cameras), but also in the Bluetooth communications protocols. Making matters even trickier, and potentially more interesting for bad actors, is that this is Sidewalk 1.0 — an entirely new feature, with all the potential for bugs and unknown vulnerabilities that you’d expect from a first-generation feature release.
Second, is the historically poor history of timely security updates for smart devices. The time between a vulnerability’s disclosure and the availability of an effective patch can take anywhere from days to months. In the worst cases, a vulnerability fix can’t be developed at all. And if and when patches are made available, it takes time for them to reach devices, and they very often require human intervention to get them installed. All the while these devices are left vulnerable to the significant risk of attacks.
And lastly, very, very, very few smart devices — for example the Amazon Echo — have operating systems that can support the installation of third-party software. That includes security agents that most traditional IT and security tools need to even know a device exists. And what’s worse than not knowing what’s on your network? Knowing you don’t know what’s on your network and not knowing what to do about it.
The three reasons why you should care are exactly the conditions that make every unmanaged and un-agentable connected device in your enterprise a security risk. Traditional security approaches do not have an effective means to manage and secure these devices.
And, more specifically, Sidewalk matters for enterprises today because Amazon Echo smart speakers are a ubiquitous part of our everyday personal and work lives. In fact, Echo smart speakers and their now-famous assistant, Alexa, are integrated into many popular business solutions found from the lunchroom to the board room.
Amazon devices that support Sidewalk include:
If a device on your network and beyond your control (like an un-agentable Amazon Echo or Ring smart home device) can establish a direct connection with another device outside of your control (like a Sidewalk endpoint), then the risk of exposing your business to a cyberattack multiplies.
While Amazon has published a lengthy explanation of its security measures for Sidewalk, the approach is based on authentication and encryption which alone are insufficient for complete security meaning it’s impossible to guarantee that the feature won’t compromise enterprise security. Armis recommends that consumer and business users of Echo devices that support Sidewalk disable this new feature prior to June 8.
Here’s how to do it:
The Armis platform can tell you whether or not there are Echo or Ring devices on your network. Our Armis Standard Query tool makes identifying these devices easy in just a few clicks. Once devices have been identified, you can use the Armis policy builder to take action. For example, you can set a policy to trigger alerts to let you know when Echo or Ring devices are found on your network. Or, you could create a policy that proactively prevents these devices from remaining connected to your network until you can validate whether or not Sidewalk has been disabled.
Sign up to receive the latest news