Knock, knock. Who’s there? Another Amazon Key door-lock hack

Little box of tricks can let crooks sneak in after a delivery

By Simon Sharwood, APAC Editor

Posted in Security, 5th February 2018 02:59 GMT

Video The security of Amazon's Key door lock has again been called into question.

The Key is a wireless-networked electrified lock designed to be temporarily disabled by delivery workers to drop off stuff at Amazon Prime members’ homes or businesses. Prime members receive the gear they ordered from Amazon without having to hang around all day to take the package, Amazon gets sales it may not otherwise have made, and delivery staff get recorded by a Wi-Fi-connected video camera to prove they dropped off the kit and to make sure they don’t steal the family silver.

The delivery person uses a smartphone app to request the door is unlocked, places the box in the home, leaves, and uses the app to lock the door. The app communicates to Amazon, which connects to the camera via the internet, which wirelessly passes on the command to lock or unlock to the Key.

The devices have already been shown to have one nasty flaw: last year, Rhino Security Labs found a way to flood the camera off a home's wireless network, disconnecting it from the internet to stop it recording and preventing it from telling the door to lock itself.

Now a hacker has demonstrated another attack on the Key. As shown in the Twitter video below, the technique allows miscreants to open front doors “locked” by the Key even after a delivery worker has attempted to wirelessly lock the door.

Essentially, the deliverer turns up, uses their smartphone to briefly unlock the door, drops off the package, "locks" the Key again using the app, and leaves – however, a box of electronics placed near or next to the home, certainly within Wi-Fi range, blocks the lock command from Amazon to the camera, so the door is never told to lock itself. This allows a crook to slip in after the deliverer has left. This is a variant of Rhino Labs' security hole, in that a box of electronics keeps the door unlocked rather than a rogue package delivery person.

We can see the theft relied on a “dropbox” – a computer of some sort with Wi-Fi connectivity that is able to prevent the Key from locking itself. Exactly how the hack works is not known for sure yet.

The Register has asked Amazon and MG, the source of the demo, for more information, and we will update this story if any comes to hand.

MG said on Twitter: "I'm withholding details until Amazon has a chance to fix this. Rhino Security Labs found an earlier vulnerability on this lock, and the Amazon response was disappointing. I can't share more until Amazon gets a chance to fix. I don't want this being abused in the wild."

We understand Amazon has been made aware of this latest flaw. It was previously able to mitigate the security vulnerability discovered by Rhino Labs. ®

Updated to add

Amazon, in a statement, has downplayed the attack, saying its systems should be able to detect if a door is left unlocked for too long, and that delivery staff should check the front door is locked before leaving.
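The detection Amazon describes, a door left unlocked for too long, is easy to sketch as a server-side audit of the delivery's event stream. The following is an added example, not code from the article, Amazon or MG: it assumes a simple event log (unlock and lock acknowledgements, camera heartbeats, a "delivery done" marker) and the thresholds are made-up policy values. It also flags the case both attacks share, the camera dropping off the network while the door is still open.

```python
from dataclasses import dataclass

MAX_UNLOCKED_SECONDS = 120    # assumed policy: alert if open longer than this
CAMERA_TIMEOUT_SECONDS = 30   # assumed: camera should check in at least this often


@dataclass
class Event:
    ts: float    # seconds since the delivery started
    kind: str    # "unlock_ack", "lock_ack", "camera_heartbeat", "delivery_done"


def audit_delivery(events, now):
    """Return a list of alert strings for one delivery's event stream."""
    alerts = []
    unlocked_at = None      # time of the last unlock that has no lock_ack yet
    last_heartbeat = None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "unlock_ack":
            unlocked_at = ev.ts
        elif ev.kind == "lock_ack":
            unlocked_at = None
        elif ev.kind == "camera_heartbeat":
            last_heartbeat = ev.ts
        elif ev.kind == "delivery_done" and unlocked_at is not None:
            # Driver closed the delivery in the app, but no lock_ack ever arrived.
            alerts.append(f"delivery closed at t={ev.ts:.0f}s without lock_ack")
    if unlocked_at is not None:
        open_for = now - unlocked_at
        if open_for > MAX_UNLOCKED_SECONDS:
            alerts.append(f"door unlocked for {open_for:.0f}s with no lock_ack")
        # Camera silent while the door is open is the signature of a jammed
        # or flooded Wi-Fi link, whichever device caused it.
        if last_heartbeat is None or now - last_heartbeat > CAMERA_TIMEOUT_SECONDS:
            alerts.append("camera offline while door unlocked")
    return alerts


# Constructed sample streams (not real telemetry).
NORMAL = [
    Event(0, "camera_heartbeat"), Event(5, "unlock_ack"),
    Event(30, "camera_heartbeat"), Event(35, "lock_ack"), Event(40, "delivery_done"),
]
# The lock command never reaches the camera and the camera stops checking in.
JAMMED = [
    Event(0, "camera_heartbeat"), Event(5, "unlock_ack"),
    Event(20, "camera_heartbeat"), Event(40, "delivery_done"),
]

if __name__ == "__main__":
    print(audit_delivery(NORMAL, now=200))   # []
    print(audit_delivery(JAMMED, now=200))   # three alerts
```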
