Knock, knock. Who’s there? Another Amazon Key door-lock hack
Little box of tricks can let crooks sneak in after a delivery
Video The security of Amazon.com’s Key door lock has again been called into question.
The Key is a wireless-networked electrified lock designed to be temporarily disabled by delivery workers to drop off stuff at Amazon Prime members’ homes or businesses. Prime members receive the gear they ordered from Amazon without having to hang around all day to take the package, Amazon gets sales it may not otherwise have made, and delivery staff get recorded by a Wi-Fi-connected video camera to prove they dropped off the kit and to make sure they don’t steal the family silver.
The delivery person uses a smartphone app to request the door is unlocked, places the box in the home, leaves, and uses the app to lock the door. The app communicates to Amazon, which connects to the camera via the internet, which wirelessly passes on the command to lock or unlock to the Key.
Knock, knock? Oh, no one there? No problem, Amazon will let itself in via your IoT smart lockREAD MORE
The devices have already been shown to have one nasty flaw: last year, Rhino Security Labs found a way to flood the camera off a home's wireless network, disconnecting from the internet to stop it recording and preventing it from telling the door to lock itself.
Now a hacker has demonstrated another attack on the Key. As shown in the Twitter video below, the technique allows miscreants to open front doors “locked” by the Key even after a delivery worker has attempted to wirelessly lock the door.
Essentially, the deliverer turns up, uses their smartphone to briefly unlock the door, drops off the package, "locks" the Key again using the app, and leaves – however, a box of electronics placed near or next to the home, certainly within Wi-Fi range, blocks the lock command from Amazon to the camera, so the door is never told to lock itself. This allows a crook to slip in after the deliverer has left. This a variant of Rhino Labs' security hole, in that a box of electronics keeps the door unlocked rather than a rogue package delivery person.
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).— MG (@_MG_) February 4, 2018
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't. pic.twitter.com/35krz46Kab
We can see the theft relied on a “dropbox” – a computer of some sort with Wi-Fi connectivity that is able to prevent the Key from locking itself. Exactly how the hack works is not known for sure yet.
The Register has asked Amazon and MG, the source of the demo, for more information, and we will update this story if any comes to hand.
MG said on Twitter: "I'm withholding details until Amazon has a chance to fix this. Rhino Security Labs found an earlier vulnerability on this lock, and the Amazon response was disappointing. I can't share more until Amazon gets a chance to fix. I don't want this being abused in the wild."
We understand Amazon has been made aware of this latest flaw. It was previously able to mitigate the security vulnerability discovered by Rhino Labs. ®
Updated to add
Amazon, in a statement, has downplayed the attack, saying its systems should be able to detect if a door is left unlocked for too long, and that delivery staff should check the front door is locked before leaving.
Sponsored: Becoming a Pragmatic Security Leader