
Amazon explained ‘Key’ crack before it shipped fix, says hacker who found the hole

BezosMart doesn’t like being told it was w…wr…wrong

By Simon Sharwood


The researcher behind the teaser of a new method to crack Amazon.com’s “Key” connected door locks has revealed how his method works, and criticised Amazon’s response to his work because it detailed the flaw before shipping a fix.

In a Medium post, the researcher known as “MG” explained that he revealed his riff on an attack vector identified by Rhino Security Labs and publicised his activities.

“A professional researcher saw this and reached out to me, offering to broker a disclosure with Amazon,” MG explained. “Unfortunately, this attempt failed. Amazon turned down the offer by demanding a working PoC be made for them.” MG was also told that Amazon has no bug bounties “or other reward pathways.”

“I wasn’t interested in a reward, but this level of arrogance was off-putting,” he wrote. “So I made the PoC”.


The Register and others reported his handiwork and – surprise! – Amazon suddenly wanted to talk and MG “started helping them understand the attack.”

“I was impressed with the security response team,” he said, but found that when they asked for his code it “was a bit frustrating in context of the initial ‘lol we won’t give you anything but do work for us’ interaction”.

Amazon’s security team then went quiet. But the company’s PR team started saying MG’s hack was nothing to worry about and then explained it in full to Forbes – but before a fix had been implemented (and without even acknowledging The Register’s inquiries about MG’s initial post).

With Amazon revealing details in public, MG decided there was no reason not to disclose his method, which involves scanning the rate of frames produced by Key’s companion camera. That rate spikes when a delivery is made, because the camera records it.

Next, MG employed a Wi-Fi “de-auth” attack – a kind of DDoS – on the camera and lock with his Raspberry-Pi-powered Wi-Fi snooper.

“If the timing is right, you prevent a response from the lock informing the consumer app from knowing that the lock event was successful. For whatever reason, the app was not created to handle this error condition. The UI is also non-responsive, which opens up the opportunity for an inattentive app user to believe they actually pressed the button requesting a re-lock.”

To make the attack more convincing, the RPi plays audio of the Key locking.
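The error condition MG describes, a lock reply that never reaches the app, is one a client can handle by refusing to report “locked” without a confirmed reply. The code below is an added example, not Amazon's code or MG's; the `send` transport hook, the reply fields and the per-request nonce are assumptions made for illustration.

```python
import enum
import secrets
from dataclasses import dataclass
from typing import Optional

class LockState(enum.Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    UNKNOWN = "unknown"  # no confirmation received: never displayed as locked

@dataclass
class Result:
    state: LockState
    alert: Optional[str]  # message the UI must surface to the user, if any
    attempts: int

def request_relock(send, max_attempts=3, timeout_s=2.0):
    """Ask the lock to re-lock and report only what was confirmed.

    `send(command, nonce, timeout_s)` is a hypothetical transport hook that
    returns the lock's reply as a dict, or None when nothing arrived in time
    (for example because the Wi-Fi link was knocked offline).
    """
    for attempt in range(1, max_attempts + 1):
        nonce = secrets.token_hex(8)  # ties the reply to this exact request
        reply = send("lock", nonce, timeout_s)
        if reply is None or reply.get("nonce") != nonce:
            continue  # timed out or stale reply: retry, assume nothing
        if reply.get("bolt") == "extended":
            return Result(LockState.LOCKED, None, attempt)
        return Result(LockState.UNLOCKED, "Door did NOT lock. Check it in person.", attempt)
    return Result(LockState.UNKNOWN,
                  "No confirmation from the lock. Treat the door as unlocked.",
                  max_attempts)

# Constructed transports standing in for the real network path.
def healthy_link(command, nonce, timeout_s):
    return {"nonce": nonce, "bolt": "extended"}

def jammed_link(command, nonce, timeout_s):
    return None  # the reply never reaches the app

def stale_link(command, nonce, timeout_s):
    return {"nonce": "0" * 16, "bolt": "extended"}  # answer to an older request

if __name__ == "__main__":
    for link in (healthy_link, jammed_link, stale_link):
        print(link.__name__, request_relock(link))
```

The point of the `UNKNOWN` state is that a silent failure becomes a visible alert instead of an unresponsive screen the user can misread.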

MG’s post ends with a host of questions for Amazon about different ways to fool homeowners, delivery staff, or both, that would make this crack or others easier to pull off. He expressed his hope that Amazon takes the ideas seriously, because its response to his ideas suggests it’s not thinking too hard about how the Key can unlock criminal possibilities. ®
