Hacker News new | past | comments | ask | show | jobs | submit login
An analysis of Amazon Echo's network behavior (arxiv.org)
125 points by pramodbiligiri 25 days ago | hide | past | favorite | 23 comments

It'd be interesting to compare this work with a similar dive into an Echo 3rd gen or later that adds support for Sidewalk.

It's a bit of an open secret at this point that Amazon is also using 802.11 PAF (Public Action Frames) to aid in the magic "unbox an amazon device and it immediately is online". Would admittedly be interesting to have this side of the Echo devices also look at as the paper seems to not mention this portion of the OOB experience

I’m familiar with the concept of action frames; but not public action frames. How does this get the device online instantly?

I had assumed they used BLE to bridge MQTT via the phone while their App was connected.

PAF can be thought of as basically a broadcast message to any and all WiFi devices in the area, regardless of if they are connected to the same access point or IP network. In the case of someone like Amazon, a device when it is first powered on can broadcast out looking for other Amazon WiFi devices in the home and receive the credentials from them.

>a device when it is first powered on can broadcast out looking for other Amazon WiFi devices in the home and receive the credentials from them.

Ah! That explains it. I was going to be really skeptical that other people's wifi endpoints would "help out" foreign devices, but this makes more sense.

> Overall, we find the Echo to be a well-designed device from the network communication perspective.

It seems the article does not concern itself with what the device tells Amazon about you, but rather whether it ensures only Amazon will be able to eavesdrop on you and that they do so reliably. What a "refreshing" perspective.

It's a device to make it easy to communicate with Amazon, if you didn't want to do that why would you buy it?

I don’t know anybody who has one to “communicate with Amazon”. They have one to listen to music, make grocery lists, set timers, etc. Who wants to communicate with Amazon?

I’m being downvoted, but the parent comment asked “why would you buy it” and I gave reasons.

I guess people who buy an iPhone do it to communicate with Apple, since people buy apps and Music subscriptions?

> They have one to listen to music, make grocery lists, set timers, etc.

[... through an amazon-provided service]

For the examples I listed, the fact that they’re serviced by Amazon is an implementation detail. People are not buying it to communicate with Amazon, they are buying it to get something done. Many would probably be just as happy “to communicate with Google” instead. The point I’m trying to make is that Amazon is not the motivating factor.

Ok, but they are necessary implementation details... if you want to stream music on a voice controlled device, it is going to have to send your request to the streaming service

It doesn't have to be Amazon, but it has to be someone... and it makes sense the Amazon device communicates with Amazon services

People who purchase music and groceries from Amazon, for one.

Yes, those are valid use cases. I listed alternative use cases for which communication with Amazon is irrelevant. Besides, I would imagine that “purchasing things with voice” is used much less frequently than the functions I listed.

What are they supposed to say if it is a well-designed device?

All in all, the NSA is an amazingly well built anti-privacy surveillance platform which allows them to track literraly every single thing you do and store it in a state-of-the-art datacenter which s a marvel of engineering!

Isn't that just swell!

I mean - look at just how smart these guys are, don't you want to be just like them!?


State that it is a well designed privacy invading device?

I think it’s important to distinguish expected privacy vs actual. The fact that I allow it to send my queries to Amazon isn’t a privacy issue.

If the network behavior showed it was sending data it’s not supposed to do, that would be noteworthy.

So this paper is helpful in this regard (in addition to other material).

This was a computing paper trying to prod for security holes, not a political statement. It's not relevant the device itself might be problematic, only that it's security is sound.

The security concerns about such devices are primarily regarding its communication with Amazon and Amazon's potential use of the device for surveillance and behavior tracking. That wasn't investigated in the paper.

I think most people know that an Echo is going to be sending data back to Amazon, and for people who know this and are fine with it, there's nothing wrong with having an article about the device that doesn't beat that dead horse. I know my phone has a GPS. I know Google gets an astonishing amount of my location data from it. I don't need every review to tell me so, and would get annoyed pretty fast if every single review of every single phone went out of their way to remind me of something I already know about them.

Of course, the question is never "is Amazon getting data about me" but "what data is Amazon getting about me, and how can they use that to invade my privacy", so I don't see how yours is really addressing the concerns per se.

That is among the interesting questions, not the sole interesting question.

This paper seems to answer “can entities other than Amazon get data from me via network exploits?” and “are drop-in calls transmitted in the clear or using end-to-end encryption?”

You might not be interested in those answers if you’ve already concluded you’ll never own one, but that doesn’t make them uninteresting to everyone else.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact