Knock, knock. Who’s there? Another Amazon Key door-lock hack

Little box of tricks can let crooks sneak in after a delivery

By Simon Sharwood


Video The security of Amazon’s Key door lock has again been called into question.

The Key is a wireless-networked electrified lock designed to be temporarily disabled by delivery workers to drop off stuff at Amazon Prime members’ homes or businesses. Prime members receive the gear they ordered from Amazon without having to hang around all day to take the package, Amazon gets sales it may not otherwise have made, and delivery staff get recorded by a Wi-Fi-connected video camera to prove they dropped off the kit and to make sure they don’t steal the family silver.

The delivery person uses a smartphone app to request the door is unlocked, places the box in the home, leaves, and uses the app to lock the door. The app communicates to Amazon, which connects to the camera via the internet, which wirelessly passes on the command to lock or unlock to the Key.

The devices have already been shown to have one nasty flaw: last year, Rhino Security Labs found a way to flood the camera off a home's wireless network, disconnecting it from the internet to stop it recording and preventing it from telling the door to lock itself.

Now a hacker has demonstrated another attack on the Key. As shown in the Twitter video below, the technique allows miscreants to open front doors “locked” by the Key even after a delivery worker has attempted to wirelessly lock the door.

Essentially, the deliverer turns up, uses their smartphone to briefly unlock the door, drops off the package, "locks" the Key again using the app, and leaves – however, a box of electronics placed near or next to the home, certainly within Wi-Fi range, blocks the lock command from Amazon to the camera, so the door is never told to lock itself. This allows a crook to slip in after the deliverer has left. This is a variant of Rhino Labs' security hole, in that a box of electronics keeps the door unlocked rather than a rogue package delivery person.

We can see the theft relied on a “dropbox” – a computer of some sort with Wi-Fi connectivity that is able to prevent the Key from locking itself. Exactly how the hack works is not known for sure yet.

The Register has asked Amazon and MG, the source of the demo, for more information, and we will update this story if any comes to hand.

MG said on Twitter: "I'm withholding details until Amazon has a chance to fix this. Rhino Security Labs found an earlier vulnerability on this lock, and the Amazon response was disappointing. I can't share more until Amazon gets a chance to fix. I don't want this being abused in the wild."

We understand Amazon has been made aware of this latest flaw. It was previously able to mitigate the security vulnerability discovered by Rhino Labs. ®

Updated to add

Amazon, in a statement, has downplayed the attack, saying its systems should be able to detect if a door is left unlocked for too long, and that delivery staff should check the front door is locked before leaving.
