Amazon Sidewalk, Apple AirTag and Involuntary Sharing - Security Boulevard

Amazon Sidewalk, Apple AirTag and Involuntary Sharing

If you own an Amazon device (Ring, Echo, Dot, Plus, Show, Spot, Studio, Input or Flex) then starting this week, you may be sharing at least some attributes of your device with other Amazon device users.

To create the kind of ubiquitous mesh network through which these devices can continuously communicate, Amazon will be rolling out its new “Sidewalk” feature, which uses BLE (Bluetooth low energy) and 900Mhz WiFi spectrum to keep these Amazon devices continuously connected.

The 900Mhz spectrum (remember your old cordless phones with the pull out antenna?? Yeah—that spectrum) has high throughput and range, and can help keep Amazon devices connected all the time. This means that the motion-sensing camera over your garage will continue to work even if your WiFi goes down. It means you can stream “the Boss” at full volume in your backyard. It means you can shout to your Echo device, “Open the pod bay doors!” from half a block away, and get it to respond, “I’m sorry, Dave, I’m afraid I can’t do that.”

Cool, cool, cool.

But this continuous connectivity comes at a price—and, perhaps, a hefty one. And I’m not talking about the cost of the devices (20% off on Prime day, right?) themselves. No, Amazon wants you to share.

Remember when you were a kid and your parents wanted you to share your toys with your siblings? While sharing is a great idea in principle, you never wanted your kid brother to touch your toys ’cause—well, you know what he’s like. He’s gonna break your favorite fire truck. And besides, who wants to play with his silly toys, anyway?

Amazon’s new “Sidewalk” application uses enabled devices to create a series of what they call “bridges,” using the devices and their connectivity to enhance the connectivity of the other devices on the bridge. The connected devices become hubs or mini hot spots that allow other devices to connect to them and share connectivity. It’s a kind of mesh network. It’s pretty cool for IoT and other connected devices, because they can have lower power, shorter range and more ubiquitous connectivity.

Tag—You’re It

It’s the same basic technology behind Apple’s AirTag—a tiny disc containing a flat battery with a one year lifespan that can track your movements—um, no, I mean the movements of your ex-girlfriend—um, no, I mean that you can attach to your “stuff” so if it/they are lost or stolen, you can find it using the “FindMy” Apple app.

In fact, a host of third parties can also make their stuff findable using the Apple U1 chip and the FindMy network. For AirTag to work, the disc has to know where it is, and has to communicate that fact back to the owner. It does this by creating or exploiting a similar mesh network, from which it learns its own location and then transmits that location back to the owner’s machine. To do this, Apple uses a proprietary U1 chip with ultra-wideband technology to create a peer-to-peer network that taps into the 1.65 billion Apple devices out in the wild to nail down the location of an AirTag.

Cool, cool, cool.

But let’s see what that really means. It means that even if I don’t own or use an AirTag, other AirTag users are connecting to my phone and learning the location of the AirTag by learning my location over the peer-to-peer mesh network. It’s not clear whether the AirTag can identify the Apple device (or any unique identifier) to which it has connected to learn its location, but assuming it can, then it would be possible not only to use the AirTag to learn its location, but also to learn the location of the Apple device from which the AirTag learned its location.

If the AirTag doesn’t perform some kind of “handshake” with the remote Apple device, then it seems likely that the AirTag can be spoofed by a rogue device sending a false signal to it, right? Also, there’s the dual problems of privacy and stalking.

Since the device knows where it is, then the device presumably knows where you are (if you are with your stuff). Hey, no big deal since, as Apple notes, “no location data or location history is physically stored inside AirTag. Communication with the Find My network is end-to-end encrypted so that only the owner of a device has access to its location data, and no one, including Apple, knows the identity or location of any device that helped find it.”

Yeah, but …

If the device is communicating with your phone—even through an “end-to-end” encryption scheme, then it is transmitting its location over the Internet through an app to your phone. Note the precise language used by Apple above. “No one, including Apple, knows the identity or location of any device that helped find [the Air Tag].” But that doesn’t mean that Apple doesn’t know the location of the AirTag. Or that Apple doesn’t store the location of the AirTag, even on your iCloud storage. Of course, anyone with access (lawful or otherwise) to either your iCloud or your FindMy app (or your Apple account) can log in as you (sure, with some MFA, which can be spoofed with SIM swapping) and use your own devices to track you.

Also, it’s not clear from the Apple literature whether, in response to a subpoena or other court order, Apple would have the ability to track an AirTag. Imagine a circumstance where a person carrying an AirTag is kidnapped. Could Apple help find them? If yes, the device is not so secure or private. If no, it’s not quite so useful. There’s always that tradeoff.

Location Stalking

Another problem with AirTags is the stalking issue. They’re small, unobtrusive and hard to detect. So you can slip them surreptitiously into your cheating spouse’s wallet (and there are cool ways to make ’em even thinner) or an ex-lover’s car. Instant stalker!

A gang could affix a few dozen to parked police patrol and undercover cars (in the lot at the police station) and get a map to track where the cops are at any time. So, to prevent this, Apple has added (and updated) an anti-stalking feature to the AirTag. If the AirTag owner is apart from their device for around three days, the AirTag will make a sound. With a firmware upgrade (available soon) the AirTag will now play a sound after it has been separated from its owner at a random time within an interval of eight hours and 24 hours.

Problem is, you bought the AirTag in case your stuff is stolen. That’s why you hide it in your car, your purse, your bike or your wallet. The same “ping” that alerts your ex-girlfriend or boyfriend that you are stalking them also alerts the thief that there’s a tracking device. All they have to do is follow the sound of the ping, remove the AirTag, and keep the car. Easy, peasy lemon squeezy.

But the good news is, with the tracking software, you can find and get back your $29 AirTag. In fact, Apple keeps track of the serial numbers of every AirTag, and anyone in range of the AirTag (Apple or Android users) can ping the AirTag and retrieve the serial number from it. That can’t be bad, right?

But the fundamental problem with AirTag, as with Sidewalk (and Ring Neighborhood, and XFinity routers) is that these consumer devices are designed to connect to larger networks and to share information across these networks—often without the knowledge or affirmative consent of the device owner.

By owning an Amazon Echo, you are agreeing to share 80Kbps of your bandwidth with the network. By owning an Apple device, you are agreeing that it can be used to connect to any device with a U1 chip and share and transmit data between the two. Some of these sharing services permit you to opt out, some do not. But opting out is not easy—it requires users to negotiate a series of screens and to understand the import of opting in or opting out.

From a data privacy and data security standpoint, the more devices through which your data travels, the more it is at risk. If other people’s data is traveling through your devices, then you may become a target, or may be able to exploit vulnerabilities to obtain access to that data. But, fundamentally, these services are making users’ data access part of an involuntary mesh network.

So, consumers are paying for data (to their ISP’s or cell providers) and involuntarily sharing this data connection with strangers.

This is likely the beginning of a much bigger trend of providers using consumers devices to create networks that share each others’ data connections as well as sharing data. An essential component of IoT is that devices will communicate with each other, or with some central server, and to do that, they need to collect some kind of data and communicate it somewhere. Because many of these devices have low power and low range, they will typically piggyback on someone else’s connection. All cool, if it’s done securely and with affirmative consent. Opting in or opting out illustrates the tragedy of the commons—you want everyone else to share their connections without you having to share yours. Sort of like with your siblings’ toys, right?

Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 112 posts and counting.See all posts by mark