You’d never believe that Amazon Key, the service that enables Amazon delivery drivers to unlock your door and put your parcels inside, could actually be a security risk – but a new hack has shown that the system has a couple of flaws.
A video posted on Twitter shows a hacker unlocking the Amazon Key protected door, using a special device. The man, who is only known as 'MG', says that he wouldn’t reveal the details, so as not to let the technique be "abused in the wild".
The video shows the attacker setting up what he calls a 'Dropbox' and concealing the device near the door. When a delivery takes place, this device – a Raspberry Pi – intercepts the communication between the app and the lock. When the attacker returns, he opens the door and removes the device, and the video seems to show that he now has complete control of the lock.
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't. pic.twitter.com/35krz46Kab
— MG (@_MG_) February 4, 2018
For the uninitiated, Amazon Key is a service launched by the company last year for Prime services. It’s a combination of a smart lock and security camera, which enables an Amazon delivery driver to open and relock your door after dropping off your package. You can watch on the camera, and the smart locks are supplied by Kwikset.
There have been multiple reports of hacks since the service went live, with some exploiting vulnerabilities around the camera and Wi-Fi network. Amazon has responded each time, and in this case it released a detailed statement to Forbes, which claimed that the hack was only possible theoretically – and not in real-world situations.
"The security features built into the delivery application technology used for in-home delivery are not being used in the demonstration," Kristen Kish, Amazon spokesperson, told Forbes.
Amazon claims the demonstration shows a vulnerability between the customer version of the app and the door, not the delivery driver's, which it claims has an added layer of security. Of course, that’s still a sizeable vulnerability, and Amazon says it’s working on a fix. Amazon also pointed out that there are many layers of added security, including the driver checking that the door is locked before they leave.
As smart locks become more prevalent, this kind of flaw has to be stamped out. Consumer trust can’t be built with these kinds of flaws seemingly being found on a weekly basis.