Amazon explained ‘Key’ crack before it shipped fix, says hacker who found the hole

BezosMart doesn’t like being told it was w…wr…wrong

By Simon Sharwood


The researcher behind the teaser of a new method to crack Amazon’s “Key” connected door locks has revealed how his method works, and criticised Amazon’s response to his work because it detailed the flaw before shipping a fix.

In a Medium post, the researcher known as “MG” explained that he revealed his riff on an attack vector identified by Rhino Security Labs and publicised his activities.

“A professional researcher saw this and reached out to me, offering to broker a disclosure with Amazon,” MG explained. “Unfortunately, this attempt failed. Amazon turned down the offer by demanding a working PoC be made for them.” MG was also told that Amazon has no bug bounties “or other reward pathways.”

“I wasn’t interested in a reward, but this level of arrogance was off-putting,” he wrote. “So I made the PoC”.


The Register and others reported his handiwork and – surprise! – Amazon suddenly wanted to talk and MG “started helping them understand the attack.”

“I was impressed with the security response team,” he said, but found that when they asked for his code it “was a bit frustrating in context of the initial ‘lol we won’t give you anything but do work for us’ interaction”.

Amazon’s security team then went quiet. But the company’s PR team started saying MG’s hack was nothing to worry about and then explained it in full to Forbes – but before a fix had been implemented (and without even acknowledging The Register’s inquiries about MG’s initial post).

With Amazon revealing details in public, MG decided there was no reason not to disclose his method, which involves scanning the rate of frames produced by Key’s companion camera. That rate spikes when a delivery is made, because the camera records it.

Next, MG employed a Wi-Fi “de-auth” attack – a kind of DDOS – on the camera and lock with his Raspberry-Pi-powered Wi-Fi snooper.

“If the timing is right, you prevent a response from the lock informing the consumer app from knowing that the lock event was successful. For whatever reason, the app was not created to handle this error condition. The UI is also non-responsive, which opens up the opportunity for an inattentive app user to believe they actually pressed the button requesting a re-lock.”

To make the attack more convincing, the RPi plays audio of the Key locking.
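The app-side weakness MG describes (a lost lock confirmation that is silently treated as nothing happening) can be illustrated with a small lock-client model. This is an added example, not code from the article or from Amazon; the client, the `transport` callable and the dropped-response stand-in for a timeout are all hypothetical.

```python
from enum import Enum


class LockState(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    UNKNOWN = "unknown"  # no confirmation received: never assume success


class LockClient:
    """Hypothetical model of the consumer-app side of a connected lock.

    `transport` is a callable that sends a request and returns the lock's
    response dict, or None when no response arrives before the timeout
    (which is what a de-auth flood against the lock looks like to the app).
    """

    def __init__(self, transport, confirm_timeout_s=5.0):
        self.transport = transport
        self.confirm_timeout_s = confirm_timeout_s
        self.state = LockState.UNLOCKED  # door was opened for the delivery
        self.alerts = []  # messages the UI must show the user

    def request_lock(self, vulnerable=False):
        """Ask the lock to re-lock and update state from the confirmation."""
        response = self.transport({"cmd": "lock"})
        if response is not None and response.get("status") == "locked":
            self.state = LockState.LOCKED
            return self.state
        if vulnerable:
            # Behaviour the article describes: the missing response is not
            # handled, state is left untouched and nothing is surfaced, so an
            # inattentive user can believe the re-lock succeeded.
            return self.state
        # Hardened behaviour: a lost, late or malformed confirmation is a
        # failure. Record that the door state is unknown and alert the user.
        self.state = LockState.UNKNOWN
        self.alerts.append(
            "No lock confirmation within %.0fs; door state unknown, verify it"
            % self.confirm_timeout_s
        )
        return self.state


def healthy_transport(request):
    """Constructed stand-in for a lock that answers normally."""
    return {"status": "locked"}


def dropped_transport(request):
    """Constructed stand-in for a response that never arrives (timeout)."""
    return None
```

The hardened path is what a practitioner would expect the app to do: an unconfirmed lock command is a detectable event, not a success.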

MG’s post ends with a host of questions for Amazon about different ways to fool homeowners, delivery staff, or both, that would make this crack or others easier to pull off, and expresses his hope that Amazon takes the ideas seriously, because its response to his work suggests it’s not thinking too hard about how the Key can unlock criminal possibilities. ®
