I like that this makes it easy to completely avoid Amazon devices and to not recommend them to your non-technical friends. I don't care if the data amount is piddlingly small, the simple fact is you let somebody outside your trusted network of friends and family onto your personal broadband, you lose control of what criminal activities get undertaken.
There is no way I am exposing myself to that kind of liability and Amazon won't be selling me or my family anything.
I think that Amazon's marketing for this is horrible; it reminds me of Xbox's failed marketing around their online-only plan for Xbox One game purchases [1].
But really all they've done is built AirTags as a platform rather than an application, e.g. Tile is supported by Amazon's new platform.
I don't want to give random people with random apps any amount of arbitrary bandwidth; I'd rather that users of the Sidewalk platform would have to register app specific message types publicly (to ensure transparency) and with Amazon (who should enforce message type and payload restrictions).
> I don't want to give random people with random apps any amount of arbitrary bandwidth
It uses a maximum of 500 megabytes per month.
Regarding payload type registration – it seems like it would be pretty difficult to monitor that, given that payloads are encrypted.
That actually seems more like a feature than a problem to me: If my IP address does not show up in any logs and I can't even see what's being transmitted, I really doubt there would be any liability for the user here.
That's a fair point, and I do hope that regional caps will take that into consideration.
Generally speaking, are volume caps on fixed-line internet a thing in many countries? I'd imagine that it would be hard to use something like a smart speaker on such a tight data budget in the first place, as I can't imagine them being very bandwidth-conscious in general (music streaming usually having no "low data usage" option on them, etc.).
Any AirTag owned by anybody can and will communicate with your iPhone over Bluetooth if you have the right features enabled (which are default). Your phone will contact Apple and tell them about the interaction. I haven’t seen protocol details, but last week a security researcher demonstrated that it is possible to use the AirTags protocol as a covert channel (with very low bandwidth).
I recently read up on Bluetooth Low Energy. The AirTags are most likely periodically broadcasting announcement packets, and folks' iPhones are passively receiving them. It therefore seems comparable to using 802.11 SSID beacons for geolocation, except that folks intentionally bought the AirTag to be position tracked.
Just by modulating whether or not the AirTag is transmitting, it seems like you could communicate at a low data rate. You could even use hundreds or thousands of AirTag IDs to get a useful data rate. Just because you could do it, though, it seems like there are plenty of other more practical covert channels.
What I've noticed is that the blackhat behaviors of the past have become business models.
I remember when going around logging locations of WiFi access points was "wardriving". Now Apple and Google do it as a matter of course using everyone's phones.
You mean like HolaVPN or Geosurf, the "free VPN" applications that quite literally install a backdoor proxy on your phone or PC? The parent companies then sell access to the proxies running on your devices as "residential proxies" and also sell access to your browsing history?
I absolutely think that qualifies as malware, yes. Apps and browser extensions harvest PII all day and the owners of those platforms (Apple, Google, Microsoft, Mozilla) do absolutely nothing to prevent it.
Silent auto-update would also be normally classified as a deliberate RCE vulnerability or a backdoor, but for some reason most people are okay with that.
Corporate broad-spectrum wiretapping has been greenlit legally for a long time. An employer can listen to private and public communications that occur on and off of company-owned resources. This includes:
- emails
- text messages
- microphone arrays
- shared networks
- keyboard input
- file storage
- contact and communication history
It's a logical next step from there to expand these services under the guise of subscriptions. That's why you owning a device is problematic for them. That said, owning the platform is the next best thing, because they can now do many but not all of those things in the name of protecting their platform from "abuse".
Not to defend Amazon or anything, but are we sure this is actually sharing your internet connection? The way I understand it is that this would be strictly Amazon devices and strictly for control traffic (i.e. reboot/configure your device). It shouldn't be possible to straight up browse the web or download whatever. I may be terribly wrong.
Also, this does not excuse the fact that they made it opt out. If it was opt in and new devices came with it... maybe...
It might just be Amazon control traffic initially, but who's to say in time someone won't publish a "TCP tunnel over the Alexa protocol" project on GitHub.
I'm not advocating for it. I think it's terrible. I'm just pointing out that maybe we are misrepresenting what this is.
Also, as far as illegal traffic and stuff: if the traffic goes through the Amazon device, wouldn't the ISP see traffic that only goes to some random Amazon datacenter? At that point they would ask Amazon about it (hopefully) and do their homework.
It may go through an Amazon device, but that fact is stripped away as soon as the packet leaves your network. Your router may know it came from your Echo, but your ISP won't have a clue.
And even if Amazon is tunneling all traffic now, that may change or someone may find a way to break out of it.
And even if law enforcement sees that the traffic is from Sidewalk, our legal system is pretty shit regarding the internet, and I bet a dedicated prosecutor would try to get you for aiding a criminal because you technically allowed that access to your network. Look at the legal issues around running Tor exit nodes and the uncertainty there; in a lot of ways this is an opt-out version of that. (Though I admit this might be a stretch, I don't trust the legal system enough to handle this well.)
I think you misunderstood what I was saying. I was pointing out that the Echo talks to the Alexa backend, so it's evil device impersonator -> your device -> ISP -> Alexa backend.
Do you mean the "xfinitywifi" ssid? Afaik you don't get the customer's IP address when you use that. And you definitely need to enter your Comcast credentials to use it, so law enforcement could probably trace who is really using it.
They probably remember your login based on wifi MAC, so it's probably easy to fake being somebody else, however.
They do it a bit more sophisticated than that. There's an Xfinity profile that gets loaded, and after the initial authentication you actually connect to a different SSID. When I had Comcast, I used this occasionally, but it was overall pretty flaky, and I ended up disabling that SSID on my phone because it kept connecting to non-functioning Xfinity hotspots while I was out and about and then I'd have no internet.
I don't like that Comcast does this without adequately informing customers. But since Comcast is the ISP, at least in theory, they can mitigate some of the concerns, like not counting the shared bandwidth against the customer's limits and not associating any criminal behavior on the shared connection with the host.
Did you know that cable modems -- whether you rent 'em from Comcast or buy 'em yourself -- download their configuration files from the ISP when they boot up?
> ... you probably aren't part of the Xfinity hotspot system.
Because of the above, I wouldn't be so sure (mostly due to Comcast's reputation).
Personally, when I was forced to use Comcast for a while, I purchased my own "dumb" (i.e., non-WiFi) cable modem. I didn't want to pay their rental fees, I didn't want to run an open hotspot for them, and I already had my own -- much better -- WiFi gear.
No consumer-bought cable modem/router/AP combo is going to create its own WiFi hotspot on behalf of Comcast due to a config file. Unless it's the one Comcast provides.
You can turn off the Xfinity hotspots on the Cisco-brand modems. It appears to be neighbors and/or pole-mounted APs that provide the SSIDs where I was.
I guess it's another reason to buy your own modem?
I wondered which neighbor was the hotspot over Covid. By chance I discovered it was a house a few over, because they replaced their main electrical panel, and the hotspot disappeared until PG&E terminated the service lines. Ironically, the owner of the house despises Xfinity. I don't have the heart to tell him his modem is the hotspot. He's also a retired lawyer, but I assume Comcast has a legal right?
Does anyone have an alternative to Xfinity? I'm in Marin County. I would like some local channels too. I looked into AT&T, but they seem as devious as Comcast. Devious in high rentals of equipment, although less than Xfinity. Good deals only for new customers. I'm thinking about switching between the two every year, but that's a hassle. My bill is $230 a month. $100 just for low-bandwidth internet. New customers are getting high speed for $50. Xfinity needs to be broken up. Oh yeah, I heard Comcast decided to "milk" long-term customers instead of competing on price or worrying about "Cord Cutters".
Rant over. I need an alternative, with TV. I live in Marin County, CA. Oh yeah, I remember hearing about free local digital TV channels here. I remember it being associated with UC Berkeley? I can't find it though. Does anyone remember? It was basically free local channels over the internet, which was great for Cord Cutters.
No, it's not the same, FFS. Sidewalk is using your home internet connection. It counts against your data caps, and if Amazon gets malware on those, it's associated with your IP.
When zero-days start floating around that allow people to bypass the VPN, they are just sitting directly on your internal network.
Amazon is absolutely sharing your Internet with randos; they are just being picky about where the traffic goes. Still your data caps and still your QoS bucket.
I already give people reasons they should avoid them. Even when I tell them you have to tell Alexa to delete history at the end of the day, they're not all that concerned. Useful list of tips here:
Until an update or reset switches it back on, or an app or system feature requires you to turn it on, or you buy a device and forget about it, or you're just not aware of the feature at all.
iPhone shares data via Bluetooth. Windows shares data to download updates. I'm sure Android is similar. Samsung Find My Phone uses the network of other Samsungs nearby.