Amazon Key is a program for Prime subscribers that installs a surveillance camera and electronic lock in your home so Amazon deliveries can be placed inside your door rather than outside. Personally, I find it very sketchy and would never trust it under any circumstance but that’s just me and probably a few million others.
Our reservations seemed justified when Rhino Security Labs revealed it was possible to freeze the camera by executing a DDoS attack on the network from a remote computer. Not only did the exploit pause the video feed on an image of a closed door, it also disabled the lock. However, Amazon downplayed the severity of the flaw since it requires a corrupt delivery driver to carry out.
Now an independent security “hobbyist” who goes by the handle MG on Twitter has revealed how an attacker who is not a delivery driver might exploit the system. He calls the physical hardware hack a “Break & Enter dropbox.” MG demonstrated an attack in a video using his own Amazon Key setup.
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo). — MG (@_MG_) February 4, 2018
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't. pic.twitter.com/35krz46Kab
In a nutshell, an attacker hides a device near the target's door. The hardware interferes in some unspecified way with the locking mechanism and perhaps the camera as well. When the driver arrives with the package and uses the code to enter, the dropbox prevents the door from locking again afterwards.
MG did not reveal details of how the mechanism works but said it is functional against the current version of Amazon's software. He promised to give Amazon a chance to address the issue before releasing further details.
Kristen Kish, a spokesperson for Amazon, provided the following statement to TechSpot regarding the hack:
"This is not a real-life delivery scenario as the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration. Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely relocked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service."
Kish claims the software MG used in his demonstration was the customer-side software, not the software Amazon's delivery drivers use. She also points out that drivers follow several steps during a delivery, including a check that the door is locked after the package has been placed inside.
Amazon wants to assure its Key customers that they are at very little risk from this type of attack, given the countermeasures it already has in place.
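To make the three safeguards in Amazon's statement concrete, here is an added illustration of how a delivery session's lock and camera telemetry could be checked against them. This is example code written for this page, not Amazon's; the event names, sources, session layout and the two thresholds are assumptions, and the two sessions it evaluates are constructed. It flags a session in which the camera goes quiet mid-delivery and the lock never reports relocking, even if the driver's app recorded a confirmation.

```python
# Illustrative safeguard checks for an in-home delivery session.
# Added example; this is NOT Amazon's code. Event names, sources and the two
# thresholds below are assumptions chosen to model the three safeguards in
# the spokesperson's statement, not Amazon's real parameters.
from dataclasses import dataclass

MAX_DOOR_OPEN_S = 60      # assumed: what counts as "a brief period of time"
MAX_SILENCE_S = 5         # assumed: longest tolerated gap in lock/camera telemetry
MONITORED = ("lock", "camera")


@dataclass(frozen=True)
class Event:
    t: int        # seconds since the session started
    source: str   # "lock", "camera" or "driver"
    kind: str     # unlock, lock, door_open, door_closed, heartbeat, confirm_locked


def heartbeats(source, until, every=2):
    """Constructed telemetry: one heartbeat from `source` every `every` seconds."""
    return [Event(t, source, "heartbeat") for t in range(0, until + 1, every)]


def check_session(events):
    """Return the safeguard violations found in one delivery session's events.

    Safeguard 1: the door is open only briefly.
    Safeguard 2: lock and camera telemetry is never interrupted.
    Safeguard 3: the lock reports 'locked' at the end and the driver confirmed it.
    """
    events = sorted(events, key=lambda e: e.t)
    if not events:
        return ["no telemetry for session"]
    end = events[-1].t
    violations = []
    last_seen = {src: None for src in MONITORED}
    door_opened_at = None
    lock_state = "unknown"
    driver_confirmed = False

    for e in events:
        if e.source in last_seen:
            prev = last_seen[e.source]
            if prev is not None and e.t - prev > MAX_SILENCE_S:
                violations.append(f"{e.source} silent for {e.t - prev}s")
            last_seen[e.source] = e.t
        if e.kind == "unlock":
            lock_state = "unlocked"
        elif e.kind == "lock":
            lock_state = "locked"
        elif e.kind == "door_open":
            door_opened_at = e.t
        elif e.kind == "door_closed" and door_opened_at is not None:
            if e.t - door_opened_at > MAX_DOOR_OPEN_S:
                violations.append(f"door open for {e.t - door_opened_at}s")
            door_opened_at = None
        elif e.kind == "confirm_locked" and e.source == "driver":
            driver_confirmed = True

    # Silence that lasts until the end of the session is never followed by
    # another event from that source, so it has to be checked here.
    for src, seen in last_seen.items():
        if seen is None:
            violations.append(f"{src} never reported")
        elif end - seen > MAX_SILENCE_S:
            violations.append(f"{src} silent for {end - seen}s")
    if door_opened_at is not None:
        violations.append("door never reported closed")
    if lock_state != "locked":
        violations.append(f"lock state at end is '{lock_state}'")
    if not driver_confirmed:
        violations.append("driver did not confirm relock")
    return violations


# Constructed session 1: a clean delivery.
CLEAN_SESSION = [
    Event(0, "lock", "unlock"),
    Event(3, "lock", "door_open"),
    Event(30, "lock", "door_closed"),
    Event(31, "lock", "lock"),
    Event(35, "driver", "confirm_locked"),
] + heartbeats("camera", 40) + heartbeats("lock", 40)

# Constructed session 2: camera telemetry stops early and the lock never
# reports relocking, even though the driver's app recorded a confirmation.
TAMPERED_SESSION = [
    Event(0, "lock", "unlock"),
    Event(3, "lock", "door_open"),
    Event(35, "driver", "confirm_locked"),
] + heartbeats("camera", 10) + heartbeats("lock", 40)

if __name__ == "__main__":
    for name, session in (("clean", CLEAN_SESSION), ("tampered", TAMPERED_SESSION)):
        print(name, check_session(session) or "OK")
```

The point of the design is that the driver's manual confirmation is only one of three independent signals: the lock's own reported state and continuous telemetry from both devices are checked as well, so a session in which the camera feed is interrupted or the lock never reports relocking is flagged regardless of what the driver's app recorded.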