Knock, knock. Who’s there? Another Amazon Key door-lock hack

Little box of tricks can let crooks sneak in after a delivery

By Simon Sharwood


Video The security of’s Key door lock has again been called into question.

The Key is a wireless-networked electrified lock designed to be temporarily disabled by delivery workers to drop off stuff at Amazon Prime members’ homes or businesses. Prime members receive the gear they ordered from Amazon without having to hang around all day to take the package, Amazon gets sales it may not otherwise have made, and delivery staff get recorded by a Wi-Fi-connected video camera to prove they dropped off the kit and to make sure they don’t steal the family silver.

The delivery person uses a smartphone app to request the door is unlocked, places the box in the home, leaves, and uses the app to lock the door. The app communicates to Amazon, which connects to the camera via the internet, which wirelessly passes on the command to lock or unlock to the Key.

Knock, knock? Oh, no one there? No problem, Amazon will let itself in via your IoT smart lock


The devices have already been shown to have one nasty flaw: last year, Rhino Security Labs found a way to flood the camera off a home's wireless network, disconnecting from the internet to stop it recording and preventing it from telling the door to lock itself.

Now a hacker has demonstrated another attack on the Key. As shown in the Twitter video below, the technique allows miscreants to open front doors “locked” by the Key even after a delivery worker has attempted to wirelessly lock the door.

Essentially, the deliverer turns up, uses their smartphone to briefly unlock the door, drops off the package, "locks" the Key again using the app, and leaves – however, a box of electronics placed near or next to the home, certainly within Wi-Fi range, blocks the lock command from Amazon to the camera, so the door is never told to lock itself. This allows a crook to slip in after the deliverer has left. This a variant of Rhino Labs' security hole, in that a box of electronics keeps the door unlocked rather than a rogue package delivery person.

We can see the theft relied on a “dropbox” – a computer of some sort with Wi-Fi connectivity that is able to prevent the Key from locking itself. Exactly how the hack works is not known for sure yet.

The Register has asked Amazon and MG, the source of the demo, for more information, and we will update this story if any comes to hand.

MG said on Twitter: "I'm withholding details until Amazon has a chance to fix this. Rhino Security Labs found an earlier vulnerability on this lock, and the Amazon response was disappointing. I can't share more until Amazon gets a chance to fix. I don't want this being abused in the wild."

We understand Amazon has been made aware of this latest flaw. It was previously able to mitigate the security vulnerability discovered by Rhino Labs. ®

Updated to add

Amazon, in a statement, has downplayed the attack, saying its systems should be able to detect if a door is left unlocked for too long, and that delivery staff should check the front door is locked before leaving.

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Amazon adds cloudy Linux desktops to encourage developers to code for EC2

Running Amazon Linux 2, which just scored long-term support

The march of Amazon Business has resellers quaking in their booties

Canalys Channels Forum 2018 'To team up with Amazon is like to team up with the devil'

HP Inc strips off, rolls around as Windows 10 money pours down

If only OS 'sunsets' happened every quarter

Automated Weather Source didn't see this cloud coming: Amazon snatches up

Uh, we'll be having that domain

Amazon Alexa outage: Voice-activated devices are down in UK and beyond

That sound ... yes, that lack of sound ... it's here

EU watchdog sniffing around Amazon's merchant data collection

Not yet an investigation, Margrethe Vestager says

Now here's an idea: Break up Amazon to get more shareholder cash

Analyst wants a bigger slice of Bezos' $1tn pie

Amazon Prime Music turns the volume down a little too much

Users face hours without tunes as streaming service trips up mid-dance move

New Amazon Linux

Overexcitable UK ads regulator gabbles that Amazon broke EU law

Adland self-manager taunts world's largest web retailer