Knock, knock. Who’s there? Another Amazon Key door-lock hack

Little box of tricks can let crooks sneak in after a delivery

By Simon Sharwood, APAC Editor


Video The security of Amazon’s Key door lock has again been called into question.

The Key is a wireless-networked electrified lock designed to be temporarily disabled by delivery workers to drop off stuff at Amazon Prime members’ homes or businesses. Prime members receive the gear they ordered from Amazon without having to hang around all day to take the package, Amazon gets sales it may not otherwise have made, and delivery staff get recorded by a Wi-Fi-connected video camera to prove they dropped off the kit and to make sure they don’t steal the family silver.

The delivery person uses a smartphone app to request the door is unlocked, places the box in the home, leaves, and uses the app to lock the door. The app communicates to Amazon, which connects to the camera via the internet, which wirelessly passes on the command to lock or unlock to the Key.

The devices have already been shown to have one nasty flaw: last year, Rhino Security Labs found a way to flood the camera off a home's wireless network, disconnecting it from the internet to stop it recording and preventing it from telling the door to lock itself.

Now a hacker has demonstrated another attack on the Key. As shown in the Twitter video below, the technique allows miscreants to open front doors “locked” by the Key even after a delivery worker has attempted to wirelessly lock the door.

Essentially, the deliverer turns up, uses their smartphone to briefly unlock the door, drops off the package, "locks" the Key again using the app, and leaves – however, a box of electronics placed near or next to the home, certainly within Wi-Fi range, blocks the lock command from Amazon to the camera, so the door is never told to lock itself. This allows a crook to slip in after the deliverer has left. This is a variant of Rhino Labs' security hole, in that a box of electronics keeps the door unlocked rather than a rogue package delivery person.

We can see the theft relied on a “dropbox” – a computer of some sort with Wi-Fi connectivity that is able to prevent the Key from locking itself. Exactly how the hack works is not known for sure yet.

The Register has asked Amazon and MG, the source of the demo, for more information, and we will update this story if any comes to hand.

MG said on Twitter: "I'm withholding details until Amazon has a chance to fix this. Rhino Security Labs found an earlier vulnerability on this lock, and the Amazon response was disappointing. I can't share more until Amazon gets a chance to fix. I don't want this being abused in the wild."

We understand Amazon has been made aware of this latest flaw. It was previously able to mitigate the security vulnerability discovered by Rhino Labs. ®

Updated to add

Amazon, in a statement, has downplayed the attack, saying its systems should be able to detect if a door is left unlocked for too long, and that delivery staff should check the front door is locked before leaving.
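
One way a server-side check of the kind Amazon's statement describes could work, shown as an added example that is not Amazon's code and not part of the original article. The event names, thresholds and door IDs are assumptions constructed for illustration; the point is that a door counts as locked only when the lock acknowledges it, never because a lock command was sent.

```python
from collections import defaultdict

MAX_UNLOCKED_S = 120    # assumed policy: longest a door may stay unlocked
HEARTBEAT_GAP_S = 30    # assumed tolerance between camera check-ins

# Constructed sample events: (time in seconds, door id, event name)
SAMPLE_EVENTS = [
    (0,  "door-A", "heartbeat"), (10, "door-A", "unlock_ack"),
    (30, "door-A", "heartbeat"), (40, "door-A", "lock_sent"),
    (42, "door-A", "lock_ack"),  (60, "door-A", "heartbeat"),
    (0,  "door-B", "heartbeat"), (10, "door-B", "unlock_ack"),
    (40, "door-B", "lock_sent"),  # no lock_ack and no further heartbeats
]

def audit(events, now):
    """Return {door: [reasons]} for doors that cannot be proven locked at `now`."""
    doors = defaultdict(
        lambda: {"unlocked_at": None, "lock_sent": False, "last_hb": None})
    for ts, door, kind in sorted(events):
        if ts > now:
            break
        st = doors[door]
        if kind == "heartbeat":
            st["last_hb"] = ts
        elif kind == "unlock_ack":
            st["unlocked_at"], st["lock_sent"] = ts, False
        elif kind == "lock_sent":
            st["lock_sent"] = True   # a request only; proves nothing about the bolt
        elif kind == "lock_ack":
            st["unlocked_at"], st["lock_sent"] = None, False
    alerts = {}
    for door, st in doors.items():
        if st["unlocked_at"] is None:
            continue                 # last confirmed state is locked
        reasons = []
        if st["lock_sent"]:
            reasons.append("lock_unconfirmed")
        if st["last_hb"] is None or now - st["last_hb"] > HEARTBEAT_GAP_S:
            reasons.append("camera_silent")
        if now - st["unlocked_at"] > MAX_UNLOCKED_S:
            reasons.append("unlocked_too_long")
        if reasons:
            alerts[door] = reasons
    return alerts
```
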
