Another Amazon Key hack

Door’s on the latch…
Launched at the end of 2017, Amazon’s latest IoT device is Amazon Key. Currently available in big US cities for Prime members, you now never need to be at home to have your parcels delivered, or to let in neighbours, dog walkers, cleaners etc. It’s suited to our busy modern lives, apparently.

Sceptics are convinced that it’s not secure, that there’s got to be flaws in the system. Lots of naughty people like to test these things (especially when it’s a big company like Amazon), and quite often they do expose vulnerabilities.

Here comes the hack 
So, last week a ‘researcher’ posted a video on Twitter of an attack of the Amazon Key device. The individual apparently found a way to break into a home that had an Amazon Key device installed. Eek.

Amazon Key works by having an internet connected door lock and a cloud camera device, so that delivery drivers can scan the parcel’s bar code and the camera can check who is entering the home (owners can check this remotely). And you’re in, as simple as that. No entry codes or other security measures required.

The ‘researcher’
The ‘researcher’ allegedly planted a Raspberry Pi device near the door to trick the user into thinking the door was locked. The hack allows the attacker to stop the lock process that occurs when someone leaves the house (after a delivery for instance). The full details behind the hack were disclosed on the researcher’s Medium account.

Amazon is apparently working on a fix for the identified issue, and a patch for affected apps should be on its way soon. They’re keeping very hush hush in the press about this flaw though.