Twitter user demos 'Break & Enter dropbox' for Amazon Key

By Cal Jeffrey
Feb 5, 2018
  1. Amazon Key is a program for Prime subscribers that installs a surveillance camera and electronic lock in your home so Amazon deliveries can be placed inside your door rather than outside. Personally, I find it very sketchy and would never trust it under any circumstance, but that’s just me and probably a few million others.

    Our reservations seemed justified when Rhino Security Labs revealed it was possible to freeze the camera by executing a DDoS attack on the network from a remote computer. Not only did the exploit pause the video feed on an image of a closed door, it also disabled the lock. However, Amazon downplayed the severity of the flaw because it requires a dishonest delivery driver to carry it out.

    Now an independent security “hobbyist” who goes by the handle MG on Twitter has revealed how an attacker who is not a delivery driver might exploit the system. He calls the physical hardware hack a “Break & Enter dropbox.” MG demonstrated an attack in a video using his own Amazon Key setup.

    In a nutshell, an attacker hides a device near the door of the target. The hardware will somehow interfere with the locking mechanism and perhaps the camera as well. When the driver comes with the package and uses the code to enter, the dropbox prevents the door from locking again.

    MG did not reveal how the mechanism works, but said it is functional under the current version of Amazon's software. He promised to give Amazon a chance to address the issue before releasing further details.

    Kristen Kish, a spokesperson for Amazon, provided the following statement to TechSpot regarding the hack:

    "This is not a real-life delivery scenario as the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration. Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely relocked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service."

    Kish claims the software MG used in his demonstration was customer-side software and not the same as what Amazon's delivery drivers use. She also points out that drivers follow several steps during a delivery including a check to ensure the door is locked after delivery.

    Amazon wants to assure its Key customers that they are at very little risk from this type of attack due to countermeasures it already has in place.

  2. jalmos TS Rookie

    "She also points out that drivers follow several steps during a delivery including a check to ensure the door is locked after delivery."

    Are these the same drivers who leave 'nobody home' door stickers that you find the next day because you were at home the whole time? The same ones who have literally chucked heavy packages at my door to avoid going up 4 steps? Same ones that sometimes hang out at my favorite pub and loudly tell stories of all the times they managed to get out of doing their job properly, while laughing themselves off the stools?

    Those are the ones who I should trust to make sure the door is locked before they leave?
  3. BSim500 TS Evangelist Posts: 463   +806

    ^ This. The whole concept is completely back to front. The same drivers who seem to be incapable of attempting at least one redelivery or leaving it with a neighbor, are precisely the same drivers you don't want to let into your house. And the ones who do put in a bit of effort are also the ones who can find a way to deliver it without even needing to enter your house. It's like watching courier firms invent the last-mile logistical equivalent of a "Rube Goldberg Machine" whilst ignoring the obvious - you won't solve a training problem by doing everything except fix the training problem...
  4. wiyosaya TS Evangelist Posts: 2,753   +1,320

    This is news?
