Security experts review Apple and Amazon IoT networks


Both companies have conducted due diligence in creating a network of connected devices, but the ubiquity of the devices worries some security researchers.

Apple and Amazon, the two largest manufacturers of connected devices, now operate low-power communication networks that run across their devices to support various services. But security experts are carefully studying whether relaying even simple messages will expand the attack surface of those devices.

Last week, Amazon announced that its Sidewalk connected-device network has gone live. The network was originally announced in 2019 and uses the bandwidth of Amazon gateway devices, such as Ring cameras or Bluetooth Low Energy (BLE) devices. As for Apple, it released the AirTag tracking device in May, which uses the Find My network to send messages over the bandwidth of nearby Apple devices.

According to Johannes Ullrich, research director at the SANS Institute of Technology, these networks, and their parasitic sharing of bandwidth, raise questions about how easily such technologies can be abused. Hackers will find a way to send data over the network, even if Amazon limits the total bandwidth of a particular gateway to 80 Kbps.

“It’s about sharing data and bandwidth: random people can use your device, but you can also use their device,” he said. “In terms of risk, you don’t know who actually uses your device or what they use it for. You can’t control who is using your device or how they use it.”

Concerns about the ubiquitous networks of these two equipment manufacturers highlight that security will be a major consideration in the technology’s future. Although Apple has been operating its Find My network for many years, the recently added AirTag tracker has brought it under renewed scrutiny. Apple’s Find My network has been used to send attacker-created messages and as a covert channel for exfiltrating data. Although no user data has been compromised, the company has discussed some defensive measures to make the network privacy-friendly, and recently announced that it will open the Find My network to approved partners. Amazon has made the same commitment for its Sidewalk network.

Ullrich said that in many ways, especially for users whose devices send data over these networks, the risk is no greater than when they send data through an Internet service provider.

“Once your data leaves your device, you can’t control how it is routed on the Internet,” he said. “Like shared networks, everything is encrypted by default. There are no unencrypted options for these networks.”

However, risks do exist.

To prevent denial-of-service attacks, the communication traffic must be parsed to verify that it is valid. SANS’s Ullrich said that any time a device accepts data input from an untrusted user, its security may be attacked.

“You are basically receiving these messages from random users. The question is, how is the implementation?” he said. “Amazon Sidewalk must parse the message and ensure that it is a valid message, so if a vulnerability is discovered, a code execution attack may occur.”

In a brief analysis posted to the SANS blog, Ullrich suggested that users opt out of Amazon Sidewalk until security researchers have reasonable time to review the company’s implementation.

Amazon has released a security white paper outlining the steps the company has taken to protect its technology, including three layers of encryption and trusted device identities.

The company said: “As a crowdsourcing community benefit, the power of Amazon Sidewalk lies in the trust our customers place in us to protect customer data. For this reason, this document outlines the steps we have taken to protect the network and maintain customer privacy.”

Apple also promised to protect the privacy of its users and stated that its Find My network is completely anonymous.

SANS’s Ullrich said that despite Amazon’s and Apple’s due diligence, consumers would be better served if the companies’ networks were opened up to the community. He said that at this point, Amazon’s documentation is vague, with few details about how the protocol actually operates.

“This is really asking for a standard,” he said. “Why do we need multiple networks? The whole open source concept, where I can check the actual protocol or software, I can potentially find defects and improve the protocol. Over time, as more and more developers gain access, I hope they will be able to open the document.”

A senior technical reporter for more than 20 years. Former research engineer. Contributed to more than two dozen publications, including CNET, Dark Reading, MIT Technology Review, Popular Science, and Wired News. Five journalism awards, including the best deadline…
