Amazon Key vulnerability allows the disabling of entire lock and camera system

Cal Jeffrey

TS Evangelist
Staff member

Last month we reported on Amazon’s upcoming delivery service called Amazon Key. It is an electronic lock and camera combo that will allow deliveries to be placed just inside the door rather than on the porch. The lock will let delivery drivers inside with a temporary code; the camera, which is focused on the door, records to ensure the drivers only make the delivery rather than doing a little home shopping of their own.

The service officially launched on November 8 and researchers at Seattle’s Rhino Security Labs have already discovered an exploit that critically damages confidence in the system.

It seems that the camera can be relatively quickly disabled using a DoS attack from any computer that is within Wi-Fi range. What’s worse is that the camera is not just disabled but the picture is frozen. Anyone watching it live or recorded only sees the closed door and not the delivery driver making off with the TV or other household items.

Oh, but it gets worse. Once the camera is kicked off the network, the lock is disabled as well, because the lock does not operate on its own connection; it piggybacks on the camera’s Wi-Fi connection. The driver can just enter the code, drop off the package and leave, then disable the whole system and reenter for as long as he wishes.

This flaw completely hobbles Amazon's new delivery program and undermines any confidence that consumers might have had in what seems like a sketchy idea in the first place.

“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Ben Caudill, the founder of Rhino Security Labs, told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”

A delivery driver with the skills and guts to execute the attack is probably relatively rare but that is no defense for the flaw. That would be like saying it’s okay if your lock is broken because most of your neighbors are honest.

After being presented with the findings, Amazon stated that it plans to send out an automatic update later this week that will plug the security hole. Whether that will be enough to restore confidence in Amazon Key remains to be seen.
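The failure mode described above (a feed that shows a frozen picture while the door is unlocked) can be caught from event timing rather than from the picture itself. The following is an added example, not part of the article and not Amazon's or Rhino Security Labs' code; the event names, the constructed log and both thresholds are assumptions.

```python
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 5.0  # assumed: seconds of camera silence before the feed counts as stale
RELOCK_AFTER = 30.0      # assumed: deadline for the door to be locked again after an unlock

@dataclass
class Finding:
    start: float
    end: float
    reason: str

def stale_windows(heartbeats, start, end, timeout=HEARTBEAT_TIMEOUT):
    """Intervals in [start, end] where no heartbeat arrived for longer than timeout.
    A frozen picture looks normal to a viewer, so staleness is judged on timing alone."""
    times = [start] + sorted(heartbeats) + [end]
    return [(a + timeout, b) for a, b in zip(times, times[1:]) if b - a > timeout]

def audit(events, start, end):
    """events: (timestamp, kind) pairs, kind in {"heartbeat", "unlock", "lock"}."""
    gaps = stale_windows([t for t, k in events if k == "heartbeat"], start, end)
    findings, unlocked_at = [], None
    for t, kind in sorted(events) + [(end, "end")]:
        if kind == "unlock" and unlocked_at is None:
            unlocked_at = t
        elif kind in ("lock", "end") and unlocked_at is not None:
            # Door was unlocked during [unlocked_at, t]; report overlap with a silent feed.
            for gs, ge in gaps:
                lo, hi = max(gs, unlocked_at), min(ge, t)
                if lo < hi:
                    findings.append(Finding(lo, hi, "door unlocked while camera feed stale"))
            if t - unlocked_at > RELOCK_AFTER:
                findings.append(Finding(unlocked_at + RELOCK_AFTER, t, "relock deadline missed"))
            unlocked_at = None
    return findings

# Constructed log: heartbeats every 2 s until t=20, unlock at t=12, then silence to t=90.
SAMPLE = [(float(t), "heartbeat") for t in range(0, 21, 2)] + [(12.0, "unlock")]

if __name__ == "__main__":
    for f in audit(SAMPLE, 0.0, 90.0):
        print(f"{f.start:>5.1f}s to {f.end:>5.1f}s  {f.reason}")
```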


 

IAMTHESTIG

TS Evangelist
Oh no! Who could have foreseen this type of thing from ever happening?

You always pay for convenience in one way or another... I think people would just be better off recording their front door and turn in video of package thieves to the police.
 

Skjorn

TS Guru
Once again the public is the beta tester..

If you're ordering or getting your orders stolen so much that you need this. I think a nice cage or something anchored to the ground with a Masterlock would be a lot better and you don't keep wasting money developing software for the electronic free cage.

Electronic house locks are a bad idea..
 
Reactions: Theinsanegamer

Emexrulsier

TS Evangelist
Why not just do the same as the UK, if someone isn't in to sign for it they will try a neighbour if not you miss the delivery and can arrange another day. It's ludicrous they leave things on porches over there just asking for it to be stolen but then I suppose it's America what do you expect..
 
Reactions: BSim500

BSim500

TS Evangelist
"Restore" confidence makes it sound like they had any in the first place. How can you "plug a security hole with a patch" where one of the flaws (other than DDOS) is basically that it can be jammed open / held in an unlocked state with a $100 Wi-Fi jammer on a hardware level? That's why proper grown-up insurance-approved electronic door-entry systems are hard-wired in the first place...

As mentioned previously, what about the legal stuff? Who is liable for a dog attacking / escaping or driver injuring himself whilst inside your house? If you got burgled with an Amazon lock whose codes are known by complete strangers by design, would your home insurance refuse a claim and declare it "self-compromise" because you voluntarily gave away the code to a complete stranger you couldn't even name? Is the Amazon lock even insurance approved in the first place given its many flaws? What if Amazon's database tying key-codes to addresses got hacked / stolen? If you have an existing burglar alarm, are you supposed to disable it or give the code of that to the driver too? So many questions...

> Why not just do the same as the UK, if someone isn't in to sign for it they will try a neighbour if not you miss the delivery and can arrange another day. It's ludicrous they leave things on porches over there just asking for it to be stolen but then I suppose it's America what do you expect.

Apparently there's this epidemic in the USA of badly trained drivers to which the "solution" is an endless stream of techno-gimmickry that does everything to project the blame of non-deliveries onto the householder whilst avoiding addressing the actual problem with a simple proven working solution - better logistics staff training...
 

Camikazi

TS Evangelist
> Why not just do the same as the UK, if someone isn't in to sign for it they will try a neighbour if not you miss the delivery and can arrange another day. It's ludicrous they leave things on porches over there just asking for it to be stolen but then I suppose it's America what do you expect..

I haven't ever had anything stolen from my porch and have been ordering things through the mail for YEARS now. It all depends on the neighborhood you live in, some are worse than others.
 

IAMTHESTIG

TS Evangelist
> Why not just do the same as the UK, if someone isn't in to sign for it they will try a neighbour if not you miss the delivery and can arrange another day. It's ludicrous they leave things on porches over there just asking for it to be stolen but then I suppose it's America what do you expect..

That's a very liberal perspective... But then again you may be a Brit so what can you expect.

Anyway package thieves are most common in large, liberalized cities where crime is rampant. The smaller and more conservative towns don't experience this as much, or at all.
 

Evernessince

地獄らしい人間動物園
> > Why not just do the same as the UK, if someone isn't in to sign for it they will try a neighbour if not you miss the delivery and can arrange another day. It's ludicrous they leave things on porches over there just asking for it to be stolen but then I suppose it's America what do you expect..
>
> That's a very liberal perspective... But then again you may be a Brit so what can you expect.
>
> Anyway package thieves are most common in large, liberalized cities where crime is rampant. The smaller and more conservative towns don't experience this as much, or at all.

So much Stereotyping in this comment it's funny.
 
Reactions: Phr3d