Amazon explained ‘Key’ crack before it shipped fix, says hacker who found the hole

BezosMart doesn’t like being told it was w…wr…wrong

By Simon Sharwood


The researcher behind the teaser of a new method to crack Amazon’s “Key” connected door locks has revealed how his method works, and criticised Amazon’s response to his work because it detailed the flaw before shipping a fix.

In a Medium post, the researcher known as “MG” explained that he revealed his riff on an attack vector identified by Rhino Security Labs and publicised his activities.

“A professional researcher saw this and reached out to me, offering to broker a disclosure with Amazon,” MG explained. “Unfortunately, this attempt failed. Amazon turned down the offer by demanding a working PoC be made for them.” MG was also told that Amazon has no bug bounties “or other reward pathways.”

“I wasn’t interested in a reward, but this level of arrogance was off-putting,” he wrote. “So I made the PoC”.

The Register and others reported his handiwork and – surprise! – Amazon suddenly wanted to talk and MG “started helping them understand the attack.”

“I was impressed with the security response team,” he said, but found that when they asked for his code it “was a bit frustrating in context of the initial ‘lol we won’t give you anything but do work for us’ interaction”.

Amazon’s security team then went quiet. But the company’s PR team started saying MG’s hack was nothing to worry about and then explained it in full to Forbes – but before a fix had been implemented (and without even acknowledging The Register’s inquiries about MG’s initial post).

With Amazon revealing details in public, MG decided there was no reason not to disclose his method, which involves scanning the rate of frames produced by Key’s companion camera. That rate spikes when a delivery is made, because the camera records it.

Next, MG employed a Wi-Fi “de-auth” attack – a kind of DDoS – on the camera and lock with his Raspberry-Pi-powered Wi-Fi snooper.

“If the timing is right, you prevent a response from the lock informing the consumer app from knowing that the lock event was successful. For whatever reason, the app was not created to handle this error condition. The UI is also non-responsive, which opens up the opportunity for an inattentive app user to believe they actually pressed the button requesting a re-lock.”

To make the attack more convincing, the RPi plays audio of the Key locking.
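The failure MG describes is an app that stays silent when the lock's confirmation never arrives. As an added illustration (not code from Amazon, MG or the original article), the following Python example shows the fail-visible alternative: the door counts as locked only after a positive acknowledgement, and a device that goes quiet while the door is unconfirmed raises an alert. The event names, timeouts and function name are assumptions made for this example, and the sample sessions are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float              # seconds since the delivery session started
    kind: str             # "unlock_ack", "relock_request", "lock_ack", "heartbeat"
    device: str = "lock"  # "lock" or "camera" (hypothetical event schema)

def assess_session(events, now, ack_timeout=10.0, heartbeat_gap=5.0):
    """Return (state, alerts). The door is LOCKED only after a lock_ack."""
    state, pending_since, last_seen = "LOCKED", None, {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind != "relock_request":      # requests come from the app, not the device
            last_seen[ev.device] = ev.t      # any device message proves it was reachable
        if ev.kind == "unlock_ack":
            state, pending_since = "UNLOCKED", None
        elif ev.kind == "relock_request" and state != "LOCKED":
            state, pending_since = "LOCKING", ev.t
        elif ev.kind == "lock_ack":
            state, pending_since = "LOCKED", None
    alerts = []
    if pending_since is not None and now - pending_since > ack_timeout:
        # A missing confirmation is an error the user must see, never a silent success.
        state = "UNCONFIRMED"
        alerts.append("relock requested but never confirmed by the lock")
    if state != "LOCKED":
        for device, seen in sorted(last_seen.items()):
            if now - seen > heartbeat_gap:
                alerts.append(f"{device} silent for {now - seen:.0f}s "
                              "while door is not confirmed locked")
    return state, alerts

# Constructed sample sessions (not captured from a real device).
NORMAL = [Event(0, "heartbeat", "camera"), Event(1, "unlock_ack"),
          Event(4, "heartbeat", "camera"), Event(8, "relock_request"),
          Event(9, "lock_ack")]
DISRUPTED = NORMAL[:-1]   # same session, but the lock's confirmation never arrives

if __name__ == "__main__":
    for name, session in (("normal", NORMAL), ("disrupted", DISRUPTED)):
        print(name, assess_session(session, now=30))
```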

MG’s post ends with a host of questions for Amazon about different ways to fool homeowners, delivery staff, or both, that would make this crack or others easier to pull off. He also expresses his hope that Amazon takes the ideas seriously, because its response to his ideas suggests it’s not thinking too hard about how the Key can unlock criminal possibilities. ®
