After dismissing security flaw, Amazon patches Key smart lock anyway

Amazon downplayed the attack as "not a real-life delivery scenario," but it was serious enough to fix anyway.
Written by Zack Whittaker, Contributor

Just how secure is Amazon Key, the company's smart door lock?

Amazon says it's very secure. But for the second time since Key first launched, the company has fixed a flaw that could bypass the lock mechanism. This time around, Amazon won't concede that the latest lock bypass technique is a bug.

Also: Amazon delivery service: Why Bezos is launching Shipping with Amazon

In case you missed it: a surprise video posted last week by a security researcher purported to show him accessing a house protected by Amazon Key.

Amazon Key is a regular door lock with a twist: Amazon delivery drivers can unlock your door, place a parcel inside, and lock the door again, all while being recorded and streamed to your phone by the corresponding Amazon Cloud Cam for peace of mind.

It's part of an effort to save your parcels from being pinched off your porch.

It's that smart lock that the security researcher, who identified himself only as MG, claims he can bust open with a few dollars worth of equipment: a Raspberry Pi microcomputer, a battery, and a wireless dongle. In his video, he's shown opening an Amazon Key-equipped door after a delivery driver leaves a parcel and closes the door behind him.

The hack effectively blocks the bolt from locking once it's opened, allowing the hacker to later walk right into the victim's home.

MG shared specifics of the bug with ZDNet, which he asked to withhold until Amazon fixed the flaw. He published his own write-up after Amazon dismissed the bug last week.

"I posted the [proof-of-concept] video with technical details redacted," said MG. "Amazon reached out to me the same day and I started helping them understand the attack."

"There was a window of time I didn't hear back for about half a day, meanwhile Amazon PR started talking about the attack and saying it was a non-issue," he added. "Annoying... but I promised Amazon that I would withhold technical details until they released a fix."

"A day later, [Amazon's public relations team] would completely explain the entire attack to Forbes even though a fix wasn't rolled out," he said.

When reached, Amazon spokesperson Kristen Kish said the attack was "not a real-life delivery scenario" because "the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration."

"Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely relocked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service," she added.

However, Amazon released updates for both its iOS and Android apps late Sunday to mitigate the attack.

The attack works by placing a Raspberry Pi inconspicuously nearby the lock to automatically search and scan the airwaves for an Amazon Cloud Cam. The camera is easy to spot because part of the network address can identify Amazon as the camera maker without requiring access to the wireless network. Once the delivery person arrives, the Raspberry Pi can detect an increase in the rate of wireless frames sent over the air. That's when the hacker triggers a deauthentication attack which -- if timed correctly -- will interrupt the camera while the bolt is unlocking. Because the app can't process that error condition, the app will say the lock has been bolted even when it's still unlocked.

The Raspberry Pi will then send a notification back to the attacker, who can then open the door and steal the delivered items and/or other property.

Amazon's update will "notify you if the app cannot verify the lock status for any reason," effectively preventing MG's attack from working again.

MG confirmed Sunday that the app updates mitigate his attack.

Editorial standards