Amazon’s new Key device already hacked by security researchers, highlighting security flaws
02/27/2018 // David Williams

Online retail giant Amazon has a unique new delivery service feature that allows delivery guys to open locked doors, leave packages inside people's homes, and leave after locking the door again behind them. This is called Amazon Key, and it's a service that is now a hot topic in the security industry as one researcher has exposed yet another vulnerability in it.

By using a customized Raspberry Pi minicomputer, a pseudonymous researcher named MG managed to bypass the Amazon Key's security system to gain access to locked doors and retrieve packages that have been tagged as delivered by the courier in charge. He has since shared the surface details of the method he used in a post on his Medium blog.

According to MG, he had tried to contact Amazon about a potential flaw in their Amazon Key service back in January, but the company wasn't interested until they could be presented with a proof-of-concept (PoC). That was MG's main motivation for going ahead and making the PoC himself, which involved the customized Raspberry Pi that could intercept Wi-Fi signals sent out by the Amazon Key service if it was placed nearby.

His "attack" was carried out simply by placing his minicomputer near his would-be victim's door, then letting it perform the necessary tasks automatically the moment that a door event occurred. It was all recorded on video and later posted on Twitter.

In a post on his blog, MG stated that he also added the sound of the lock motor in order to add "a bit of deception into the attack." Additionally, there was another vulnerability in that if you adjusted the specific time at which the deauthentication attack was executed, the actual Amazon Key app – the one that's installed on user smartphones – would incorrectly revert to showing a "locked" state.

Deauthentication, in this case, simply refers to the type of attack used, which targets communication – the wireless signals, to be more specific, and the data in them – between a user and the Wi-Fi access point that is the Amazon Key.

Once the attack has been executed, the lock will remain open until the Pi minicomputer used to unlock it – unbeknownst to its owner – gets turned off to cease the deauthentication. But while this seems like a fairly serious concern regarding one of its current flagship products, Amazon is said to be downplaying the impact of the research.

For one thing, Amazon says, the driver app is not the same as the consumer app, which is what the researcher used to carry out his PoC. That means that any vulnerabilities used to perform the attack are likely not present since the app used in real-life deliveries isn't the same. In fact, Amazon itself said as much, as it noted that the vulnerability doesn't involve "a real-life delivery scenario."

In an interview with Daily Mail online, Amazon said that the fact that human delivery drivers will be the ones dropping off packages would go a long way towards preventing these types of attacks from happening. "The driver does not leave without physically checking that the door is locked," they said. "This is not a real-life delivery scenario as the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration."

It's a bit confusing and disconcerting how Amazon seems to think these are nothing to worry about, despite there already being two different security exploits reported. The company plans to issue a security fix to rectify any currently known issues, but time will tell if researchers will be able to find any more.
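
On the defensive side, the deauthentication described above appears on the air as a sustained run of deauthentication frames aimed at one device, which a wireless monitor can flag. The following is an added example, not code from the article or from MG's post; the record format, MAC addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed MAC addresses for the sample below (not taken from the article).
AP = "02:00:00:00:00:01"       # Wi-Fi access point
CAMERA = "02:00:00:00:00:10"   # device being knocked offline
PHONE = "02:00:00:00:00:20"    # unrelated client

def sample_frames():
    """Constructed records: (time_ms, frame_type, source_mac, destination_mac)."""
    frames = [(0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
              (1000, "deauth", AP, PHONE)]           # one ordinary disconnect
    # Constructed flood: 40 deauth frames, 100 ms apart, aimed at the camera.
    frames += [(10000 + i * 100, "deauth", AP, CAMERA) for i in range(40)]
    frames.append((20000, "data", CAMERA, AP))
    return frames

def find_deauth_floods(frames, window_ms=5000, threshold=20):
    """Return {target_mac: {"start_ms", "end_ms", "peak"}} for every target
    that received at least `threshold` deauth frames within `window_ms`."""
    recent = defaultdict(deque)   # target -> timestamps still inside the window
    alerts = {}
    for ts, ftype, _src, dst in sorted(frames):
        if ftype != "deauth":
            continue
        # Key on the destination: the source of a forged frame is not trustworthy.
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(dst, {"start_ms": q[0], "end_ms": ts, "peak": 0})
            alert["end_ms"] = ts
            alert["peak"] = max(alert["peak"], len(q))
    return alerts

if __name__ == "__main__":
    for target, a in find_deauth_floods(sample_frames()).items():
        print(f"deauth flood against {target}: {a['peak']} frames, "
              f"{a['start_ms']}-{a['end_ms']} ms")
```

The single deauthentication frame sent to the phone stays below the threshold, so only the sustained burst against the camera raises an alert.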

There's more news on Amazon's latest moves available in JeffBezosWatch.com.

Sources include:

DailyMail.co.uk

Medium.com


