Amazon Sidewalk is coming to your home, if your home contains smart devices relying on wi-fi and Bluetooth for network services. And if your company’s cyber risk footprint extends to a remote workforce located in homes and apartments with smart IoT devices like Ring and Echo, you have some work to do to ensure that you are actively managing the cyber risks associated with this new technology. Let’s unpack this a bit.
What Is Amazon Sidewalk?
Simply put, Amazon Sidewalk creates a network using Bluetooth to extend the working range of low-bandwidth, low-power smart devices located near a home’s wi-fi router. For example, if you have outdoor security cameras that could lose connection to home wi-fi due to distance, Amazon Sidewalk helps those devices stay online. Amazon Sidewalk uses Bluetooth Low Energy (BLE), a 900 MHz spectrum that is also used by emergency services via radio. Sidewalk’s server will use about 80 Kbps of a home’s wi-fi bandwidth to act as a bridge to other Sidewalk users to manage their smart home devices. By design, this network of bridged wi-fi connections (your own home’s plus any others with Sidewalk enabled) could extend a home connection by a half mile. And since enabling Sidewalk turns on this sharing, encrypted traffic will flow through slices of bandwidth pared off from other “participants”, known and unknown.
Are There Security Issues To Address?
Well, Sidewalk security, as described in Amazon’s Sidewalk Privacy and Security Whitepaper, seems to be relatively robust and thought through. There are some foundational assumptions inherent in its methods that I think bear closer scrutiny, and that are cause for concern if your critical operating resources are now being used by work-from-home (WFH) staff during this pandemic. Also, according to Amazon, “Customers who own Sidewalk-enabled devices will know they are connected to Sidewalk but will not be able to identify which Bridge they are connected to.”[1] Keep in mind that domestically, at least, this update will be distributed with a default of “on”. So once the update is installed, Sidewalk will be running unless users take specific action to disable it.
Sharing Public Profiles is Fine
Well, they are named public profiles, aren’t they? How many people have examined what’s in them, or checked their Amazon sharing settings to know whether these have been made public? They hold names, wish lists, and the like. If home users have linked Facebook to them so Amazon can use Facebook content to suggest purchases, or to share Amazon wish lists to Facebook so family and friends have hints for their own gifting, well, that’s ok, right? Maybe in a working world where work and personal home lives were clearly separated. But these bits of data, together with blended, shared bandwidth connections, create a rich field for potential phishers and other threat actors. These data could be used to create phishing attacks with enough accurate detail to foster trust from otherwise diligent and careful staff, leading to successful intrusions into your protected infrastructure.
Your Net or Another’s?
Creating something of a mesh network assembled through small slices of many proximate, independent wi-fi instances sounds reasonably safe if the traffic is encrypted, as Amazon assures. Think of a hallway containing a number of locked doorways. The hallway is secure. But one must wonder about the entryways to that secure hallway. Sidewalk assumes that if it encrypts the data coming into its blended network, all is fine. But it’s not possible to know what other networks are participating or how they have been configured. Your WFH staff cannot monitor or control how their neighbors are managing their wi-fi routers, whether they are relying upon default passwords or have enabled source point encryption. Those participating routers might be affording relatively unprotected gateways into your WFH staff’s local wi-fi, which in turn serves as a trusted pathway to your infrastructure. This may confound your best remote device management strategies and dramatically expand your potential cyber risk footprint beyond what you may be able to know, detect, or control. That is a situation you strongly want to avoid.
The Endpoints Are An Achilles Heel
Securing the tunnel is essential, but if the participating endpoints supporting and joined to this expanded network of strangers are poorly managed or compromised to start with, the security of the whole collapses rapidly. There have been countless reports and incidents of home baby monitors, door cams and other IoT devices being hacked and compromised for malicious purposes. Security is a chain, and like all chains, the weakest link defines its overall integrity. How often do homeowners change the default configurations of the wireless routers installed by major cable providers? Often the passwords assigned to these devices, sometimes given unique values as part of initial installation, are left unchanged. Those same trusting or indifferent practices also extend to each of the smart devices becoming more present in homes. Most mobile device management (MDM) software does not extend to the personal home IoT devices that may be present. While your home workers may be diligent, careful, and rigorous in their adherence to your best security practices, their efforts will be for naught if they are connected, even periodically, to unknown devices from unknown networks with unknowable intent or security.
Guidance For Your Remote Enterprise
First, and foremost, you should review your exposure, the potential risk specific to your situation, and establish a clear policy. This is foundational. How you do that is important too! If you’ve recently completed a risk assessment, look at the controls, risks, and threats associated with a risk footprint that extends to some or many of your staff now operating remotely. Specifically, pay particular attention to some of these control points:
- Implement Mobile Device Management (MDM) software
- Use VPNs for all work from home (WFH) staff
- Expansion of VPN resource capacity
- Tightening of VPN configuration guidelines to minimize potential DNS leakage
- Communication and education for WFH staff on how to engage and manage VPN services
- Replace default passwords in all home VPN connected devices, including vendor-provided routers or repeaters
- Use infrastructure monitoring technology to scan the extended perimeter and activities resulting from increased volume and nature of remote access activity; leverage any cloud-based security operations center (SOC) services you may have
- Consider viability of split-tunneling configurations for VPN to manage costs and monitoring flow
- Watch for signs of a DDoS attack and have a plan to address them
- Establish remote support for clients and customers
- Continually update and promote end-user education regarding policy and practices
The use of split-tunneling configurations for VPNs is now a point of discussion. While it will narrow the traffic bands you monitor, it also will ignore what might be going on all around you. That’s a risk in itself. However, it’s hard to accurately speculate on the extent of the traffic that might emerge from a home workplace where Sidewalk is enabled. You may need to evaluate your current monitoring capabilities and decide on the best course of action for your enterprise. Gathering recent risk assessment findings against these control practices should be a part of your regular risk assessments, regulatory reviews, and internal audits. Your risk data assembled for the past year should help you rapidly form a clear picture of where you are.
Next, build a policy update that thoughtfully incorporates your assessment of the risk associated with Sidewalk’s use by remote staff. Review of your risk data, including assessments, remediation project status, and recent audit and regulator findings, should all be a part of your effort. Be sure to align your findings with your corporate goals. This is where a GRC platform, if you have one, can simplify and streamline the assembly, organization and presentation of relevant information to inform your policy making decisions. Once established, be certain the policy is widely communicated to remote users, and to operations and IT staff who will shoulder the responsibility to enable any control changes needed to enforce the policy.
Engage your IT staff, together with your risk team and management to determine what controls to alter, add, or tighten, and how to implement any changes. Consider the associated cost and any redistribution of resources against the potential risk associated with Sidewalk. Some or many of your recent risk assessments may have already noted strengths or vulnerabilities specifically impacted by its presence. If your risk process has been weak in addressing these control areas, it may be time to strengthen those processes going into 2021 (see last month’s Approaching Year-End And Evaluating Your Cyber Risk Program).
For Now, Consider “Not”
Consider requiring remote workers, and anyone else who occasionally works from home, to disable Sidewalk initially. Remember its default setting is “on”, so this needs to be done proactively. They have all lived without its extended shared network services throughout 2020. The security of your workplace, which may now extend to many kitchens and living rooms, remains vital to your operational integrity and business success. It is reasonable to presume that working from home implies working safely and securely. And this may impose some constraints upon how at-home devices are configured and managed. Once Sidewalk has been out and about for some months, there’ll be an opportunity to explore and examine any unforeseen vulnerabilities and defects that may be in its initial implementation. Those findings will inform future decisions about the risk of enabling it, and the methods to monitor and control its impact upon your extended infrastructure.
Adjust Your Risk Processes
The introduction of Sidewalk is a fine example of the flexibility you need in your cyber risk management processes to adapt to the flow of change. Your GRC tools can play an important part throughout this process. The risk assessments will identify critical areas of potential impact and point to areas that will require strengthening. Adjust your future risk assessments to include inquiry on practices and controls intended to mitigate risk associated with WFH staffing, using personal and company remote devices. Be certain to associate these findings with those for user training, mobile device management tools, and policy adherence. Include your current state of traffic monitoring and threat detection. Use your GRC platform to create reports on the state of current and planned remediations that may be easily accessed and understood. Summary data to support senior management decisions on policy and resource allocation should be readily at hand. A single source of vetted, authoritative information about company risk is an important, useful, and strategic advantage for any enterprise.
The work environment continues to transform and remodel itself dynamically during times of crisis, recovery, and renewal. But not just then. The pace of change propelled by social and business responses to new technologies, new behaviors, and new methods of communicating, transacting, negotiating, and partnering creates new venues for business opportunity while also challenging those opportunities with cyber risk vulnerabilities and avenues for malicious actors. Monitoring the flow and exposure of personal data from your staff and confidential data from your business remains foundational to sound cyber security and risk management.
Sidewalk is a questionable stone on the path to continued safety, and one that for now, might be wise to step around. Use the information from your risk management program to guide your decision and shape your response to technologies like Sidewalk as they become available in the future.
[1] Amazon Sidewalk, Frequently Asked Questions; 2020.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.