Amazon Is Fixing a Security Loophole with its 'Key' Service

After a researcher posted a video of an alleged hack of Amazon Key, the company is now trying to push a fix—while also telling journalists there isn’t really an issue.
February 7, 2018, 2:30pm
Image: @_MG_

A researcher claims to have found a way to surreptitiously break into a home protected by Amazon Key, the company’s recently launched service which allows delivery staff to unlock a customer’s house and deposit items when no one’s home. MG, the pseudonymous researcher who detailed the issue, told Motherboard that Amazon is working on a fix, despite Amazon telling journalists that the issue really isn’t anything to worry about.

“Look like Amazon is legit working on it,” MG told Motherboard in a text message, and MG shared his disclosure email sent to Amazon. As Forbes reported, that patch to affected apps should be coming this week.

In short, MG’s attack involves planting a small computer or device near the target door, which tricks a user into thinking the door has been locked, leaving it exposed to a burglar.

Amazon Key combines a smart, internet-connected door lock and Amazon’s Cloud Cam, a wi-fi-enabled camera. Normally, the courier would arrive at the home, and scan the package’s barcode.

“Amazon verifies that the package(s) belong to the address and the driver is near the door, turns on Cloud Cam and unlocks your door. No special codes or keys are given to the driver,” Amazon’s own description reads. The courier then places the item just inside the house, and sends another request to lock the door.

MG claims his hack, however, allows an attacker to stop that lock process, and then just waltz into the house. As MG showed in a brief video posted to Twitter on Sunday, the technique involves an attacker placing a so-called ‘dropbox’ near the target’s Amazon Key-linked front door.

In a follow-up post on Medium published Wednesday, MG explained this device was a Raspberry Pi “that would detect Amazon Key hardware and attack when a door event occurred.” The hacker sends a specifically timed command to the camera, disconnecting it, MG continues.

“If the timing is right, you prevent a response from the lock informing the consumer app from knowing that the lock event was successful,” MG writes. In an attempt to fool the courier, the hacker then replays the sound of the lock motor re-locking at the appropriate time (it is difficult to tell how effective that approach may be from the video, though).

When asked for comment after MG published his original proof-of-concept video, Amazon said the issue—instead of letting someone unlock your smart lock—rather relies on a courier leaving the house without verifying that the door was left open. Amazon also highlighted that there are much simpler and traditional ways to successfully break into a house.

“The driver does not leave without physically checking that the door is locked,” Kristen Kish, an Amazon spokesperson, told Motherboard in an email.

“This is not a real-life delivery scenario as the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration. Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely relocked,” she added.

MG adds in his write-up that Amazon says the driver’s app is different to the consumer app.

“Amazon doesn’t talk about the consumer use of this app either. My PoC [proof-of-concept] showed off a delivery driver opening the lock, but this could easily be a homeowner or guest dropping something off in their house or even just quickly running back in to grab something before driving off,” he writes.

Criminals have allegedly taken researchers' work on physical security and used it to rob buildings. In 2015, Indiana cops claimed robbers had used a $30 device designed by hacker Samy Kamkar which could unlock various models of cars and garage doors.