Everything You Should Know About Amazon Sidewalk
You have probably heard in the past few years about Sidewalk, Amazon's ad hoc IoT network formed by your Echo, Ring, and other supported devices. And there's a good chance that you've heard rumors that Sidewalk turns itself on regardless of your preference and opens your home up to observation and intrusion by hackers. These concerns seem to stem from misgivings about the way in which Sidewalk opens your network to neighboring Sidewalk users and routes its traffic through your internet connection.
Sidewalk has been live for over 18 months, and no major reports of issues have appeared thus far. But this is unsurprising, given that there are only a few Sidewalk-enabled devices on the market. At CES 2023, about 18 months after Sidewalk's launch, Amazon announced more partner companies that are developing Sidewalk devices. But there are only a few, all of them (as expected) in the smart home space, according to Amazon's PR site.
Thinking about Sidewalk involves weighing both the good and the bad. On one hand, a low-power, low-cost, long-range network for IoT devices could really open up the smart home and home automation horizons for many. But the other hand is holding some complaints that must be considered, mostly stemming from the shared internet connection and the fact that the service is enabled by default. The furor has quieted to some degree since Sidewalk's September 2019 announcement. Misgivings about the "forced opt-in" (by which critics mean "opt-out") aspect seem to linger, though.
What is Sidewalk?
Sidewalk is a low-power, low-cost, low-speed edge network cobbled together from a few technologies and protocols to provide network connectivity to smart home IoT devices as far away as your property line... or as far away as the opposite end of the country, if enough users fail to opt out of the service. Amazon resists the term "mesh network" in explaining Sidewalk, but that's how most tech journalists have described it. It can mitigate internet outages and Wi-Fi reach limitations by temporarily using neighboring Sidewalk networks for access, Amazon says.
But access by what? So far, a few fairly compelling use cases have been described, such as Tile trackers' extending their range indefinitely, and various critical sensors like gas and water leak alarms connecting where they previously could not.
Amazon's Sidewalk Privacy and Security Whitepaper lists other typical endpoints like Ring security cameras, outdoor lights, motion sensors, and pet trackers. Add to that the original crop of Sidewalk-enabled devices such as Level locks and CareBand senior-care wearables. Then there are the newly announced devices that include leak and freeze sensors, solar power monitoring, and typical smart home sensors for functions like motion detection, door and window position, and air quality. All devices must be approved by Amazon to use the Sidewalk network.
The big picture is a steadily evolving line of compatible devices that can communicate with each other and Amazon cloud services via Sidewalk — which probably wouldn't be as useful otherwise.
One other function that gets underplayed a bit is that Sidewalk can help your devices reconnect after dropped Wi-Fi connections. It has not yet been explained publicly in detail but is probably related to Amazon's Wi-Fi Simple Setup feature, as implemented (for example) on Amazon's Eero mesh networking devices.
How important is Sidewalk?
Whether Sidewalk matters is a question of perspective. From the user's perspective, it is potentially very important. Use cases like leak detection and pet tracking have concrete value, and it's not hard to extrapolate important uses from such examples. A network of wildfire sensors would be valuable in certain areas, for example. What about a position sensor on a gate that's out of Wi-Fi range? Or an array of motion sensors watching over sheep in coyote country? Or simply keeping track of your purse?
Sidewalk seems important for Amazon, too. There are lots of competing protocols in the IoT space, but Sidewalk holds a lot of promise to be very profitable for Amazon (via VentureBeat). But amid negative reporting and news that Alexa, floundering in its search for a reliable and sufficient revenue stream, might be losing as much as $10 billion per year, the company seems to be pacing itself with Sidewalk.
The technology was largely downplayed at CES, and mentions of Sidewalk are scarce even on Amazon's Developer site, in spite of the fall announcement of Silicon Labs' Sidewalk development kit. And pretty much nothing is out-competing the emerging Matter standard for smart home headlines in early 2023. But none of that changes the fact that Amazon holds a dominant (or at least potentially dominant) place in the smart home universe.
According to CNBC, Amazon sported 5 million installed Echo devices before Google's competing product was even ready for the market, and in 2021 sold 11.5% of the smart home hardware bought in the U.S., versus 6.5% for Google. If Amazon can leverage Sidewalk into a differentiator in the crowded smart home space, it would be a huge win.
How does it work?
Sidewalk uses Bluetooth Low Energy (BLE) and longer-range 900 MHz communication via LoRa and Frequency Shift Keying (FSK, sometimes misreported as "frequency-shift keyring") to give you access to devices up to a half-mile away. The Sidewalk network's structure is fairly straightforward. A Sidewalk endpoint (say, a gate opener) communicates with a gateway (or "bridge") device like an Echo, which connects to the internet and passes the packet to an Amazon network server. The information is then routed to an Amazon application server and on to its ultimate cloud destination.
Along the way, at least three layers of encryption protect the data from access by unauthorized parties. The network layer ensures that data is only readable by the proper endpoints and network server. The application layer encrypts information so that only the endpoint and the application server have access to it. And a "flex layer" protects ID and routing information between the gateway and network server. (The flex layer appears to work only on the 900 MHz band, while TLS encryption is also used for both 900 MHz and BLE communications.)
This scheme has a few important corollaries. First, the plaintext information in the endpoint's payload is protected all along the way. Gateways and network servers that don't need this info aren't able to see it. Second, authentication is strictly managed so that only authorized devices may communicate. This means that devices needing re-authorization will not be able to communicate until they are re-authorized; all unauthorized packets are dropped. And transmission IDs are rotated periodically so that it is difficult for snoopers to unpuzzle the relationships among packets. Third, devices reported lost or stolen are de-authorized from Amazon's network servers and subsequently from the user's gateway.
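A simplified model of the layering described above, added here as an example and not taken from Amazon's whitepaper or code. The toy cipher (an HMAC-SHA256 keystream with encrypt-then-MAC), the key names, and the routing string are assumptions standing in for Sidewalk's real primitives; the point is who can open which layer.

```python
import hashlib
import hmac
import os

NONCE, TAG = 16, 32  # field sizes in bytes (assumed for this model)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode): a stand-in, not Sidewalk's cipher.
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or altered packet raises ValueError."""
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed, packet dropped")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def can_open(key: bytes, blob: bytes) -> bool:
    try:
        return unseal(key, blob) is not None
    except ValueError:
        return False


def relay(reading: bytes) -> dict:
    app_key, net_key, flex_key = (os.urandom(32) for _ in range(3))  # constructed keys
    # Endpoint: application layer for the application server, then the network layer.
    packet = seal(net_key, seal(app_key, reading))
    # Gateway: holds only the flex key; wraps routing info (constructed) plus the packet.
    uplink = seal(flex_key, b"route=example-id|" + packet)
    # Network server: strips the flex and network layers and forwards the inner blob.
    inner = unseal(net_key, unseal(flex_key, uplink).split(b"|", 1)[1])
    return {
        "gateway_reads_packet": can_open(flex_key, packet),
        "network_server_reads_payload": can_open(net_key, inner),
        "application_server_payload": unseal(app_key, inner),
        "unknown_sender_accepted": can_open(net_key, seal(os.urandom(32), reading)),
    }


if __name__ == "__main__":
    print(relay(b'{"sensor": "gate", "state": "open"}'))  # constructed sample reading
```

The first, second, and fourth results come back False: the gateway and network server each fail the tag check on layers they hold no key for, and a packet sealed under an unknown key is rejected before any decryption.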
Which devices are affected?
The salient fact missing from all the tech talk is that all this happens over whatever participating Sidewalk internet connection your device can find. It is probably yours, it might be your neighbor's, and if the endpoint device is a Tile tracker in a suitcase, it could be a device 1000 miles away.
Sidewalk is a U.S.-only service at this point, and for the moment, the only devices that are equipped and approved to be Sidewalk gateways/bridges are Amazon's own Echo/Alexa devices and Ring security cameras that have been linked to an Amazon account. As of January 17, 2022, those include Echo (3rd Gen and newer), Echo Dot (3rd Gen and newer), Echo Dot for Kids (3rd Gen and newer), Echo Dot with clock (3rd Gen and newer), Echo Plus (all generations), Echo Show (2nd Gen), Echo Show 5 (1st Gen), Echo Show 5 (2nd Gen), Echo Show 8 (1st Gen), Echo Show 8 (2nd Gen), Echo Show 10, Echo Spot, Echo Studio, Echo Input, and Echo Flex (via Amazon).
Privacy concerns
A few aspects of this scheme immediately prompted the ire of tech journalists, privacy activists, security specialists, and anti-Amazon warriors across the world. Their concerns mostly centered around privacy, probably bolstered in some cases by opportunism (no journalist or security consultant ever went broke raising the alarm about big tech privacy and security failings). But the worries are pretty compelling. Claims include: low-powered devices won't use strong encryption; metadata won't be protected; they're stealing your bandwidth; they're stealing your ISP's bandwidth; and this is just another avenue for Amazon to continue learning everything there is to know about its customers.
For the record, Amazon suggests that it can't see your Sidewalk data unless you've asked Amazon to process something. If Amazon isn't supposed to act on data, the company claims that it can't even read it.
Metadata (data that describes other data) is an interesting avenue for concern. Sidewalk's three-layer encryption scheme seems to address the protection of the data itself as well as could be expected, and this includes most of the structured and transport-related information a packet contains. Some information is necessarily exposed, according to Pulsar Security, including metadata and information like packet size and timing, from which one could presumably glean valuable (if limited) intel about the Sidewalk user.
Some argue that the data itself can't be that well protected because the low-power environment precludes top-notch encryption. And if the data is exposed, the scope of information revealed could be epic. Consider the information produced by room-mapping robotic vacuums, recent Echo devices with ultrasonic presence detection, the Always Home flying Ring camera, the Astro robotic household monitor, the Echo Show and its follow functionality and visual identification capabilities, and the scads of data harvested by simple sensors.
Security concerns
There's obviously a lot of overlap between IoT privacy and security, and in the early days of new IT and IoT devices and software, security concerns tend to be speculative but based on long experience with security failures. So it is with the Sidewalk network. Vulnerabilities are practically inevitable, according to Wirecutter, which asserts that Amazon has a good track record compared to other companies, though from time to time there have been substantial problems related to specific products such as Ring doorbells.
The structure of Sidewalk invites the possibility that data could be captured even if Sidewalk performs flawlessly because of the possibility of data breaches at a Sidewalk-compatible device manufacturer. In its Sidewalk security whitepaper, Amazon says that third-party vendors will not have access to network information, and failure to protect customer privacy and data "in good faith" can result in an indefinite loss of access to the Sidewalk network. This would limit but not eliminate the risk of such data breaches and misuse of customer data.
Others speculate that Sidewalk represents a risk to enterprise networks when Sidewalk users log in from home, and perhaps in other circumstances. In 2021 Cato Networks produced a SASE (secure access service edge) Threat Research Report that claimed that system administrators would be unable to manage Sidewalk traffic, which could originate from the networks of users or their neighbors, and which by design obscures the origin and content of its packets. Cato claims to have identified "hundreds of thousands of Sidewalk enterprise networks," some of which contain hundreds of Sidewalk devices. Cato doesn't specify how it reached that network count or how it could count the devices.
Addressing privacy and security
Many of the concerns that have people on edge just don't hold a lot of water. Take claims — such as one by Kansas State's Eugene Vasserman (via Pulsar Security) — that low-power devices won't be able to use strong encryption. The one-way hashing key methodology used by Amazon is generally regarded as very secure, according to Okta. And even if you could decrypt individual packets, the rotating transmission IDs mean that you'd be hard-pressed to assemble them or tie them back to specific devices.
But perhaps more importantly, it's not clear that many people are very concerned. Ask yourself this: how much battery life would you sacrifice in a pet tracker (or a child tracker, if Amazon had the nerve) just to keep hackers from becoming aware of your pet's location?
And as for Sidewalk devices on corporate networks, the threat seems to be mitigated, not worsened, when you compare the Sidewalk IoT network to the current Wild West of smart home devices, with few encrypted (in 2020, Palo Alto Networks found that 98% of IoT traffic was unencrypted) and some with suspect Chinese firmware (like Tuya's data harvesting, Huawei surveillance, Telnet backdoors in security cameras, etc.). How are three layers of encryption and careful sandboxing of who can see what not an improvement on that common scenario?
Data and bandwidth use concerns
Some onlookers have fretted about Sidewalk's use of data and its potential impact on home network performance. Amazon was quick to point out the built-in limitations on bandwidth and total data use, but some are still concerned about the effects on metered home internet connections. But according to a December 2022 report from HighSpeedInternet.com, more than half of the largest providers don't have caps at all, though a couple of satellite providers that focus on rural areas have caps as low as 10 GB per month. For context, monthly home internet usage topped 400 GB in the spring of 2020, in the early days of the pandemic (via Pulsar Security).
Sidewalk's data usage is capped at 500 MB per month for each customer, which represents only 0.125% of that 400 GB, but 5% of the data offered by HughesNet's cheapest plan.
Bandwidth has also been the subject of some concern. Amazon's whitepaper points out that Sidewalk has an 80 Kbps bandwidth cap that represents about 1/40th of the bandwidth required to stream a high-definition video file. This rate is unlikely to affect any but the slowest of internet connections. The 80 Kbps appears to be a limit on each gateway, so a user with 3 Echo devices and a Ring doorbell cam might experience a 320 Kbps slowdown... still pretty limited.
The real problem could lie in the bandwidth caps themselves. What happens after your 500 MB is exhausted, or your neighbor's cap is reached? It seems inevitable that some functionality, which you've presumably come to rely on to some degree, will stop working until the bandwidth limit is refreshed. To the extent that Sidewalk is important, it will be important to keep it running.
Business model grousing
Many of the complaints about Sidewalk's bandwidth and data use turn out to really be problems with the business model, worries about ISP terms of service violations, and simple indignation along the lines of "hey, that's my internet connection!" But is the behavior of Sidewalk meaningfully different from other commonly used services?
A Wirecutter piece features an ISP employee calling Sidewalk's network use "straight-up theft" in the best internet tradition of anonymity-fueled hyperbole. The employee also noted that Sidewalk is putting ISP customers in involuntary violation of their terms of service. Of course, residential cable bandwidth is already shared among neighbors, as are DSL and shared fiber services. When it comes down to it, Sidewalk is not, in principle, any different from Apple's AirTags and Find My ad hoc network.
The internet traffic involved is all related to sensors and services the homeowner has signed up for, and even in a neighborhood where more than one broadband carrier shares those signals, the burden on each ISP should be more or less proportional to its representation in the area.
Meanwhile, a Washington state couple's attempt to start a class action lawsuit over Sidewalk's internet sharing was rejected by a Seattle court on the grounds that actual injury had not been proven. The couple had sought damages based in part on the value of unquantified bandwidth used by Sidewalk, the time the couple invested in informing themselves about the service and disabling it, and the cost of data overages that weren't substantiated in the filings.
How to disable Sidewalk, and why you might not bother
Perhaps anticipating the backlash against Sidewalk, Amazon made opting out pretty simple. You can manage your participation from the app used for any Sidewalk-capable Alexa device. Open the Alexa app and tap More, then Settings. Select Account Settings, then Amazon Sidewalk. From this screen, you may disable (or enable) Sidewalk.
There does not appear to be any way to disable Sidewalk on a per-device basis, presumably because doing so would only reduce the effectiveness of devices you leave enabled. Finally, for unspecified reasons the setting to opt in or out of Sidewalk does not exist in the web-based version of the Alexa app, but only on the platform-native versions.
Amazon is betting, wisely, that most of its huge Echo and Ring user base won't bother to disable Sidewalk, either because they have found the risks minimal, or because they simply trust Amazon to handle it properly... which also has the virtue of being the path of least resistance.
In spite of all the naysaying, there haven't yet been any significant problems with the Sidewalk rollout. Even as the IEEE Communication Society's blog pronounced Sidewalk "a dud" five months after its launch, the author admits that there hadn't been any security vulnerabilities reported. This might be because the Sidewalk rollout has been slow to date.
To be sure, Amazon has been moving cautiously but making progress that includes testing environmental sensors and the enterprise-class Bridge Pro at Arizona State University, according to Protocol. And with new device manufacturers identified at CES 2023 and Sidewalk coverage maps widely anticipated by developers as early as the first quarter of the year per Stacey Higginbotham, the technology seems poised to accelerate a bit. And given its potential, great things could be on the horizon.