Amazon Key Opens Your Door to Theft

In October 2017, Amazon announced its “Amazon Key” service just in time for the holiday shopping craze. In a perfect world, this service allows Amazon delivery drivers to open your front door and leave your package just inside your home, securely locking the door after them. According to security researchers and a few enterprising hackers, that’s not always the case. They’ve discovered ways to disable Amazon Key safety features, particularly the camera function and door lock. It literally opens the door to having your house ransacked by rogue drivers or tech savvy thieves.

Cloud Cam

Amazon Key has a camera aimed at the inside of your front door. The customers have an app named Cloud Cam, giving a live feed to their remote device. The idea is they see their door opening for a delivery, see their package tucked safely inside by the driver, and see the door closed and locked behind them. What could possibly go wrong with a real time delivery camera? It’s simple – the camera is frozen in time. The customer sees the door closed when it’s actually wide open. But, having a thief run amok in your home while you’re seeing and believing your front door is still closed and locked is an unnerving prospect.

Amazon Key Lock

One big safety feature of Amazon Key is the door lock itself. It’s also been proven that when Cloud Cam has been frozen and disabled, the Key lock on the door is also disconnected. As if that’s not scary enough, a separate attack can be done on the lock itself without disabling Cloud Cam. Just as the driver is closing the door to leave, a hacker following the delivery route sends a command knocking the Key offline. The closed door stays unlocked for the hacker, opening a world of hurt to you and the package that started it all.

Amazon Fights Back

In defense of their Amazon Key service, a spokesperson said “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time…” About the lock hack, they claim protocol is after “several minutes” of a lock being open, their app notifies the driver and the home dweller that something is amiss.

Shortly after Amazon was notified about their Key service vulnerabilities, announced they would be deploying an update that will “more quickly provide notifications if the camera goes offline during delivery.” Let’s hope that update works because this year, Amazon is set to offer their Key services to other businesses like Rover dog walking, Merry Maids cleaning service, and more. What else can be said for now but “buyer beware!”

Stickley on Security
Published May 16, 2018