This guy is Jeff Bezos, the CEO of the gargantuan super-retailer Amazon.com. Would you give him the keys to your house? No? Well now you can! Amazon recently launched their new Amazon Key service, a smartphone-app-controlled door lock. As an Amazon Prime member myself, I have received several emails about this new product. My first thought was “what could possibly go wrong with this idea?” It did not take too long for security researchers at Rhino Security to provide a frightening answer.
If you aren’t aware, the idea behind Amazon Key is that once you install Amazon Key ($250) and connect it to your Amazon Alexa-controlled network, you will be able to use a smartphone app to unlock your door. But wait! There’s more! This will also allow Amazon delivery personnel to use the same smartphone app on their phone to unlock your door, so they can leave the package securely in your home. So you are not giving Jeff Bezos your keys exactly (well, yes you are); it’s worse, it’s some anonymous delivery driver. So now what would you pay? What if we throw in some Ginsu knives?
Rhino Security figured out a way to circumvent the door lock and video surveillance camera operation, which is shown in the video below.
“In their demonstration, shown in the video below, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they’d then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino’s researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of “deauthorization” commands to the home’s Cloud Cam.”
The camera is not only disabled, but frozen. This would give the driver the ability to reenter unobserved and liberate some of the gear you bought at Amazon a while ago. Then they lock the door on the second exit. Device logs show normal operation, and the video feed shows nothing unusual.
Amazon is reportedly fixing this issue, but really, I am not letting some stranger with a smartphone app into my home when I am not there. Especially since a lot of Amazon packages are being delivered by Uber, Lyft, and limo drivers who may or may not have been suitably background checked or have a criminal record.