Would You Give This Guy Your House Keys?

This guy is Jeff Bezos, the CEO of the gargantuan super-retailer Amazon.com. Would you give him the keys to your house? No? Well now you can! Amazon recently launched their new Amazon Key service, a smartphone-app-controlled door lock. As an Amazon Prime member myself, I have received several emails about this new product. My first thought was “what could possibly go wrong with this idea?” It did not take too long for security researchers at Rhino Security to provide a frightening answer.

If you aren’t aware, the idea behind Amazon Key is that once you install Amazon Key ($250) and connect it to your Amazon Alexa-controlled network, you will be able to use a smartphone app to unlock your door. But wait! There’s more! This will also allow Amazon delivery personnel to use the same smartphone app on their phone to unlock your door, so they can leave the package securely in your home. So you are not giving Jeff Bezos your keys exactly (well, yes you are); it’s worse, it’s some anonymous delivery driver. So now what would you pay? What if we throw in some Ginsu knives?

Rhino Security figured out a way to circumvent the door lock and video surveillance camera operation, which is shown in the video below.

“In their demonstration, shown in the video below, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they’d then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino’s researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of “deauthorization” commands to the home’s Cloud Cam.”

The camera is not only disabled, but frozen. This would give the driver the ability to reenter unobserved and liberate some of the gear you bought at Amazon a while ago. Then they lock the door on the second exit. Device logs show normal operation, and the video feed shows nothing unusual.
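Because the device logs and the video feed look normal, the place to catch this is the Wi-Fi layer. The following is an added example, not code from this post or from Rhino Security: it flags a burst of deauthentication frames aimed at the camera while the door is unlocked. The event format, the camera MAC address and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import deque

CAMERA_MAC = "02:00:00:aa:bb:cc"  # placeholder MAC, not a real device

# Constructed sample events: (seconds, kind, detail).
# kind "deauth": detail is the destination MAC reported by a Wi-Fi monitor.
# kind "lock":   detail is "unlock" or "lock" from the door lock's log.
EVENTS = [
    (30.0, "deauth", CAMERA_MAC),           # lone frame, ordinary Wi-Fi churn
    (95.0, "lock", "unlock"),
    (100.0, "deauth", CAMERA_MAC), (100.2, "deauth", CAMERA_MAC),
    (100.4, "deauth", CAMERA_MAC), (100.5, "deauth", "02:00:00:11:22:33"),
    (100.6, "deauth", CAMERA_MAC), (100.8, "deauth", CAMERA_MAC),
    (101.0, "deauth", CAMERA_MAC), (101.2, "deauth", CAMERA_MAC),
    (140.0, "lock", "lock"),
]

def deauth_bursts(events, target, threshold=5, window=2.0):
    """Intervals with >= threshold deauth frames to target within window seconds."""
    recent, bursts = deque(), []
    for ts, kind, detail in events:
        if kind != "deauth" or detail != target:
            continue
        recent.append(ts)
        while ts - recent[0] > window:      # drop frames outside the window
            recent.popleft()
        if len(recent) >= threshold:
            if bursts and recent[0] <= bursts[-1][1]:
                bursts[-1] = (bursts[-1][0], ts)   # extend the current burst
            else:
                bursts.append((recent[0], ts))
    return bursts

def unlocked_intervals(events):
    """(unlock, lock) time pairs; a door left unlocked stays open-ended."""
    intervals, opened = [], None
    for ts, kind, detail in events:
        if kind != "lock":
            continue
        if detail == "unlock" and opened is None:
            opened = ts
        elif detail == "lock" and opened is not None:
            intervals.append((opened, ts))
            opened = None
    if opened is not None:
        intervals.append((opened, float("inf")))
    return intervals

def suspicious(events, target):
    """Deauth bursts against target that overlap a period with the door unlocked."""
    return [(b, u) for b in deauth_bursts(events, target)
            for u in unlocked_intervals(events) if b[0] <= u[1] and b[1] >= u[0]]
```

A hit from `suspicious` is a reason to distrust the camera footage for that delivery and to check the door state independently.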

Amazon is reportedly fixing this issue, but really, I am not letting some stranger with a smartphone app into my home when I am not there. Especially since a lot of Amazon packages are being delivered by Uber, Lyft, and limo drivers who may or may not have been suitably background checked, or who may have a criminal record.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
