Search This Blog

Showing posts with label Amazon Key. Show all posts

Amazon denies risk in Amazon Key — while it is working to fix it

Earlier this week, Anonymous researcher and Twitter user, MG, posted a video showing how Amazon Key, the company’s recently launched service which allows delivery staff to unlock a customer’s house and deposit items when no one’s home, can be used to disable customer’s alarm systems and break into their homes using a software.

After a failed attempt at disclosure with Amazon, where it demanded to see a PoC and refused the possibility of any reward or payment, MG took to Twitter and uploaded the video showing how Amazon Key can be exploited by “anyone with a raspberry pie.”

Once the video was posted, Amazon finally reached out to him and is currently working on a fix to the vulnerability.

However, Amazon is still denying any risk associated with its product.

"The security features built into the delivery application technology used for in-home delivery are not being used in the demonstration,” said Kristen Kish, Amazon spokesperson.

She added that, “Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely re-locked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service.”

While MG is withholding technical details until Amazon has a chance to fix the issue, the video shows how a hacker can easily enter a house enabled with Amazon Key.

Amazon also told Forbes that the hack involves “disrupting Wi-Fi connections used by the Key system, not Amazon software. The Raspberry Pi does some as yet undisclosed deauthorization, which would indicate a disconnection between the various pieces of the Amazon Key setup.”

MG, in his report, questions this process.

“Why are you using low wage workers to be the last gate in a bad security model? How often has this process been audited for completion rates or holes?” he writes.

He is also concerned about the “fact that they require your house’s alarm to be turned off for a driver to use the Amazon Key without issue,” saying that Amazon doesn’t talk about the consumer use of the app either.