It sounded too good to be true from the start: A lock that allowed deliverymen and service providers in without a key, all while promising to be perfectly safe and monitorable. We’re talking, of course, about Amazon Key, a system that allows folks into your home once they have scanned a unique barcode. We called it “invasive and creepy” once it was announced and now that a report from Wired suggests the system can be hacked, our opinion seems further justified.
A team of security researchers from Seattle-based Rhino Security Labs demonstrated that Amazon Key and its companion Cloud Cam could be disabled and frozen, allowing just about anyone to waltz into your home. If the system is thus disarmed, even if you’re watching a “live” stream, you wouldn’t see anything out of the ordinary. This wasn’t just an unfounded claim — when Wired told Amazon about the new security research, the company noted that it would issue a software patch to fix the problem “later this week.”
So how exactly would an attack work? According to Rhino, a delivery person would first have to gain legitimate access, unlocking your door with the Amazon Key app. But instead of relocking the door with their app, they could simply run a program either on a computer or on a handheld device built with a Raspberry Pi and an antenna that would deauthorize the Cloud Cam. Rather than going dark, the Cloud Cam would simply continuously show the last frame recorded before it was deauthorized. That means that the attacker, or anyone else, would go undetected.
To be fair, the likelihood of such an attack is rather slim. An attacker would have to be authorized to deliver a package at a certain address and time, regardless of whether or not the Cloud Cam were switched on or off. “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time,” Amazon pointed out. So unless a delivery person had a longstanding plan to do something nefarious, the whole scenario is rather unlikely. All the same, Amazon noted in a statement, “We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
Perhaps more concerning, however, is the fact that when a Cloud Cam is disabled, the Amazon Key is also disconnected. After all, the lock doesn’t maintain its own internet connection, as it relies upon the “Zigbee wireless protocol to the Cloud Cam, which acts as its connection to the Wi-Fi router and the rest of the internet,” Wired reports. This means that a potential thief could just follow a delivery person, and send the deauthorization command as the delivery is completed. Then, once is the coast is clear, the criminal could simply walk through the unlocked door.
Of course, this would involve a delivery person not paying attention to whether or not the door locked behind him or her, and Amazon notes that it instructs drivers not to leave a house if the door is unlocked. Plus, Amazon is also supposed to call a customer if a door is left unlocked for more than a few minutes.