Last week Amazon released Sidewalk – a low-bandwidth network between Sidewalk Bridge devices. While Sidewalk is grabbing consumer attention, it is crucial for enterprises to understand the security implications of Sidewalk for the corporate network.
The point is that Sidewalk, especially since it is enabled by default, increases the enterprise’s attack surface – specifically, its network airspace. In essence, when an Amazon device connected to a corporate network (a motion sensor, a security camera, or the Alexa in the boardroom) becomes a Sidewalk Bridge, it exposes the corporate network to data packets transmitted in the corporate airspace by untrusted devices.
For example, an attacker can craft packets carrying a malicious payload that compromises the Sidewalk Bridge and, through it, the corporate network it connects to. We’ve seen similar attacks in the past year, such as with Apple’s peer-to-peer protocol, AWDL. There too, the vulnerability enabled an attacker to reach the corporate network through a connected iPhone that had AWDL enabled.
Additionally, an abundance of Sidewalk Bridges in proximity to corporate networks allows attackers to build robust C&C networks. These C&C networks are bot-controlled networks: corporate devices that an attacker has taken control of, waiting for and acting on the attacker’s commands, and used to exfiltrate sensitive corporate data. Enterprises invest heavily in security controls to detect and prevent C&C traffic. However, Sidewalk simply opens up an alternative network that bypasses the corporate network and its security controls. Furthermore, enterprises do not own the Sidewalk network, let alone have the ability to place security controls in it.
What can enterprises do? First, organizations need to control whether their corporate devices participate in Sidewalk networks. Second, enterprises must enforce security policies on corporate devices that might become a Sidewalk Bridge. The only reliable and efficient way to achieve such control is by monitoring and controlling the corporate network airspace.
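As an added illustration of the last point (this is example code written for this post, not a product or tool from the original article), the script below correlates what an airspace sensor observes with the corporate network inventory. It assumes a hypothetical RF sensor that tags each advertisement it sees with a protocol label (here the label `sidewalk` is an assumed tag, not a real identifier from the Sidewalk specification) and an inventory of MAC addresses present on the corporate LAN or Wi-Fi, with a flag for whether the asset is enterprise-managed. Both data sets are constructed. The join on MAC address is a simplification: in practice a device's BLE and Wi-Fi addresses differ and a real deployment would correlate via the asset inventory instead. The triage reflects the article's risk model: a device that is both on the corporate network and acting as a bridge is the high-severity case; a bridge in the airspace that is not on the network is something the enterprise can only monitor.

```python
# Example airspace policy check (added example; assumed sensor/inventory formats).
from typing import Dict, List, Optional

# Constructed RF sensor output: advertisements seen in the office airspace.
# "protocols" holds the labels the assumed sensor attaches to each device.
RF_OBSERVATIONS: List[dict] = [
    {"mac": "aa:bb:cc:00:00:01", "protocols": {"ble", "sidewalk"}, "rssi": -48},
    {"mac": "aa:bb:cc:00:00:02", "protocols": {"ble"}, "rssi": -70},
    {"mac": "aa:bb:cc:00:00:03", "protocols": {"ble", "sidewalk"}, "rssi": -85},
    {"mac": "aa:bb:cc:00:00:04", "protocols": {"sidewalk"}, "rssi": -60},
]

# Constructed corporate network inventory: MACs present on the corporate
# LAN/Wi-Fi and whether the enterprise manages (owns and configures) them.
NETWORK_INVENTORY: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"name": "boardroom-echo", "managed": True},
    "aa:bb:cc:00:00:02": {"name": "lobby-camera", "managed": True},
    "aa:bb:cc:00:00:04": {"name": "unknown-byod", "managed": False},
}

# Hypothetical protocol tag the assumed sensor uses for Sidewalk traffic.
BRIDGE_TAG = "sidewalk"
SEVERITY_RANK = {"high": 3, "medium": 2, "info": 1}


def classify(obs: dict, inventory: Dict[str, dict]) -> Optional[dict]:
    """Return a finding for one RF observation, or None if it is not a bridge."""
    if BRIDGE_TAG not in obs["protocols"]:
        return None
    asset = inventory.get(obs["mac"])
    base = {"mac": obs["mac"], "rssi": obs["rssi"]}
    if asset is None:
        # A bridge nearby but not on our network: not ours to control, so the
        # only option the article leaves us is to keep watching it.
        return {**base, "name": None, "finding": "sidewalk_bridge_in_airspace",
                "severity": "medium", "action": "monitor; outside enterprise control"}
    if asset["managed"]:
        # A corporate-managed device has become a bridge: this is exactly the
        # case the article warns about, so enforce the policy on the device.
        return {**base, "name": asset["name"], "finding": "managed_device_acting_as_bridge",
                "severity": "high", "action": "disable Sidewalk on the device per policy"}
    # On the corporate network, not managed, and bridging: remove it from the
    # network rather than trying to configure a device we do not control.
    return {**base, "name": asset["name"], "finding": "unmanaged_bridge_on_corporate_network",
            "severity": "high", "action": "quarantine from the corporate network"}


def assess_airspace(observations: List[dict], inventory: Dict[str, dict]) -> List[dict]:
    """Classify every observation and return findings, highest severity first."""
    findings = [f for f in (classify(o, inventory) for o in observations) if f]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["mac"]))
    return findings


if __name__ == "__main__":
    for f in assess_airspace(RF_OBSERVATIONS, NETWORK_INVENTORY):
        print(f"[{f['severity']:6}] {f['mac']} {f['name'] or '-':16} "
              f"{f['finding']:40} -> {f['action']}")
```

Run against the constructed data, the report lists the boardroom Echo and the unmanaged BYOD device first (both bridges on the corporate network) and the neighbouring bridge last; the lobby camera produces no finding because it is not bridging. Feeding real sensor and inventory exports into `assess_airspace` is the only change needed to turn this into a recurring check.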