Would You Give This Guy Your House Keys?

This guy is Jeff Bezos, the CEO of the gargantuan super-retailer Amazon.com. Would you give him the keys to your house?  No?  Well now you can!  Amazon recently launched their new Amazon Key service, a door lock controlled by a smartphone app.  As an Amazon Prime member myself, I have received several emails about this new product.  My first thought was “what could possibly go wrong with this idea?”  It did not take too long for security researchers at Rhino Security to provide a frightening answer.

If you aren’t aware, the idea behind Amazon Key is that once you install Amazon Key ($250) and connect it to your Amazon Alexa-controlled network, you will be able to use a smartphone app to unlock your door.  But wait!  There’s more!  This will also allow Amazon delivery personnel to use the same smartphone app on their phone to unlock your door, so they can leave the package securely in your home.  So you are not giving Jeff Bezos your keys exactly (well, yes you are); it’s worse: it’s some anonymous delivery driver.  So now what would you pay?  What if we throw in some Ginsu knives?

Rhino Security figured out a way to circumvent the door lock and video surveillance camera operation, which is shown in the video below.

“In their demonstration, shown in the video below, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they’d then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino’s researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of “deauthorization” commands to the home’s Cloud Cam.”

The camera is not only disabled, but frozen.  This would give the driver the ability to reenter unobserved and liberate some of the gear you bought at Amazon a while ago.  Then they lock the door on the second exit.  Device logs show normal operation, and the video feed shows nothing unusual.

Amazon is reportedly fixing this issue, but really, I am not letting some stranger with a smartphone app into my home when I am not there.  Especially since a lot of Amazon packages are being delivered by Uber, Lyft, and limo drivers who may or may not have been suitably background checked or have a criminal record.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
