Amazon explained ‘Key’ crack before it shipped fix, says hacker who found the hole

BezosMart doesn’t like being told it was w…wr…wrong

By Simon Sharwood, APAC Editor

Posted in Security, 7th February 2018 03:58 GMT

The researcher behind the teaser of a new method to crack Amazon’s “Key” connected door locks has revealed how his method works, and criticised Amazon’s response to his work because the company detailed the flaw before shipping a fix.

In a Medium post, the researcher known as “MG” explained that he had publicised his riff on an attack vector first identified by Rhino Security Labs.

“A professional researcher saw this and reached out to me, offering to broker a disclosure with Amazon,” MG explained. “Unfortunately, this attempt failed. Amazon turned down the offer by demanding a working PoC be made for them.” MG was also told that Amazon has no bug bounties “or other reward pathways.”

“I wasn’t interested in a reward, but this level of arrogance was off-putting,” he wrote. “So I made the PoC”.

The Register and others reported his handiwork and – surprise! – Amazon suddenly wanted to talk, and MG “started helping them understand the attack.”

“I was impressed with the security response team,” he said, but found that when they asked for his code it “was a bit frustrating in context of the initial ‘lol we won’t give you anything but do work for us’ interaction”.

Amazon’s security team then went quiet. But the company’s PR team started saying MG’s hack was nothing to worry about, and then explained it in full to Forbes – before a fix had been implemented (and without even acknowledging The Register’s inquiries about MG’s initial post).

With Amazon revealing details in public, MG decided there was no reason not to disclose his method, which involves monitoring the rate of frames produced by Key’s companion camera. That rate spikes when a delivery is made, because the camera records the event.

Next, MG employed a Wi-Fi “de-auth” attack – a kind of DDOS – on the camera and lock with his Raspberry-Pi-powered Wi-Fi snooper.

“If the timing is right, you prevent a response from the lock informing the consumer app from knowing that the lock event was successful. For whatever reason, the app was not created to handle this error condition. The UI is also non-responsive, which opens up the opportunity for an inattentive app user to believe they actually pressed the button requesting a re-lock.”

To make the attack more convincing, the RPi plays audio of the Key locking.
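As an added illustration, not MG’s code or anything Amazon ships, here is a constructed Python sketch of the app-side failure the quote describes: a client that reports success whenever it sends a lock command, beside one that treats a missing or mismatched confirmation as an unknown state and tells the user so. The lock, the lossy link and the message names are assumptions.

```python
import enum
import itertools


class LockState(enum.Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    UNKNOWN = "unknown"  # no confirmation received; never assume success


class Lock:
    """Constructed stand-in for the lock: applies a command and returns an ack."""
    def __init__(self):
        self.state = LockState.UNLOCKED

    def handle(self, cmd):
        self.state = LockState.LOCKED if cmd["op"] == "lock" else LockState.UNLOCKED
        return {"seq": cmd["seq"], "state": self.state.value}


class Link:
    """Constructed link; drop_acks models the lost lock confirmation from the article."""
    def __init__(self, lock, drop_acks=False):
        self.lock, self.drop_acks = lock, drop_acks

    def send(self, cmd):
        ack = self.lock.handle(cmd)
        return None if self.drop_acks else ack  # None stands for a timeout


class NaiveLockApp:
    """Fails open: marks the door locked as soon as the command is sent."""
    def __init__(self, link):
        self.link, self.seq = link, itertools.count(1)

    def request_lock(self):
        self.link.send({"op": "lock", "seq": next(self.seq)})
        return LockState.LOCKED  # no check that an ack ever arrived


class CheckedLockApp:
    """Fails closed: only an ack carrying the request's own seq counts as success."""
    def __init__(self, link):
        self.link, self.seq = link, itertools.count(1)

    def request_lock(self):
        seq = next(self.seq)
        ack = self.link.send({"op": "lock", "seq": seq})
        if ack is None or ack.get("seq") != seq:
            return LockState.UNKNOWN  # surface this; do not leave the UI silent
        return LockState(ack["state"])


MESSAGES = {
    LockState.LOCKED: "Door locked",
    LockState.UNLOCKED: "Door unlocked",
    LockState.UNKNOWN: "Could not confirm the lock. Check the door status.",
}
```

With a healthy link both apps report LOCKED; when acks are dropped, only the checked app reports UNKNOWN and shows the confirmation warning.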

MG’s post ends with a host of questions for Amazon about different ways to fool homeowners, delivery staff, or both, that would make this crack or others easier to pull off, and expresses his hope that Amazon takes the ideas seriously, because its response to his findings suggests it is not thinking too hard about how the Key can unlock criminal possibilities. ®
