Would You Give This Guy Your House Keys?

This guy is Jeff Bezos, the CEO of the gargantuan super-retailer Amazon.com. Would you give him the keys to your house? No? Well now you can! Amazon recently launched its new Amazon Key service, a door lock controlled by a smartphone app. As an Amazon Prime member myself, I have received several emails about this new product. My first thought was “what could possibly go wrong with this idea?” It did not take too long for security researchers at Rhino Security to provide a frightening answer.

If you aren’t aware, the idea behind Amazon Key is that once you install Amazon Key ($250) and connect it to your Amazon Alexa-controlled network, you will be able to use a smartphone app to unlock your door. But wait! There’s more! This will also allow Amazon delivery personnel to use the same smartphone app on their phone to unlock your door, so they can leave the package securely in your home. So you are not giving Jeff Bezos your keys exactly (well, yes you are). It’s worse: it’s some anonymous delivery driver. So now what would you pay? What if we throw in some Ginsu knives?

Rhino Security figured out a way to circumvent the door lock and video surveillance camera operation, which is shown in the video below.

“In their demonstration, shown in the video below, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they’d then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino’s researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of “deauthorization” commands to the home’s Cloud Cam.”

The camera is not only disabled, but frozen. This would give the driver the ability to reenter unobserved and liberate some of the gear you bought at Amazon a while ago. Then they lock the door on the second exit. Device logs show normal operation, and the video feed shows nothing unusual.
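Because the lock's own logs look normal, one way to catch this is to compare lock events against an independent record of whether the camera was reachable. The sketch below is an added example, not code from Amazon or Rhino Security; the log formats, the heartbeat monitor, the 30-second threshold and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; the log formats are assumptions, not Amazon's.
LOCK_EVENTS = [
    ("2024-01-10T14:02:10", "unlock"), ("2024-01-10T14:02:55", "lock"),
    ("2024-01-11T10:15:00", "unlock"), ("2024-01-11T10:19:30", "lock"),
]
# Times a hypothetical independent monitor got a reply from the camera.
CAMERA_HEARTBEATS = [
    "2024-01-10T14:02:00", "2024-01-10T14:02:10", "2024-01-10T14:02:20",
    "2024-01-10T14:02:30", "2024-01-10T14:02:40", "2024-01-10T14:02:50",
    "2024-01-10T14:03:00",
    "2024-01-11T10:14:50", "2024-01-11T10:15:00", "2024-01-11T10:15:10",
    "2024-01-11T10:15:20", "2024-01-11T10:19:20", "2024-01-11T10:19:30",
]

def sessions(events):
    """Pair each unlock with the next lock; end is None if never relocked."""
    out, start = [], None
    for ts, kind in events:  # events are assumed to be in time order
        t = datetime.fromisoformat(ts)
        if kind == "unlock" and start is None:
            start = t
        elif kind == "lock" and start is not None:
            out.append((start, t))
            start = None
    if start is not None:
        out.append((start, None))
    return out

def longest_gap(beats, start, end):
    """Longest stretch inside [start, end] without a camera heartbeat."""
    points = [start] + [b for b in beats if start <= b <= end] + [end]
    return max(b - a for a, b in zip(points, points[1:]))

def suspicious_sessions(events, heartbeats, max_gap=timedelta(seconds=30)):
    """Return (unlock, lock, gap) for sessions where the camera went silent."""
    beats = sorted(datetime.fromisoformat(h) for h in heartbeats)
    findings = []
    for start, end in sessions(events):
        if end is None:
            findings.append((start, None, None))  # door left unlocked
        else:
            gap = longest_gap(beats, start, end)
            if gap > max_gap:
                findings.append((start, end, gap))
    return findings

if __name__ == "__main__":
    for unlock, lock, gap in suspicious_sessions(LOCK_EVENTS, CAMERA_HEARTBEATS):
        print(f"unlock {unlock} lock {lock} camera silent for {gap}")
```

In the constructed data the first delivery takes 45 seconds with the camera answering throughout, while the second leaves the door unlocked for four and a half minutes with a four-minute hole in the camera's heartbeats, so only the second is flagged.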

Amazon is reportedly fixing this issue, but really, I am not letting some stranger with a smartphone app into my home when I am not there. Especially since a lot of Amazon packages are being delivered by Uber, Lyft, and limo drivers who may or may not have been suitably background-checked, or who may have a criminal record.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
