Security researcher flags up major Amazon Key flaw

An anonymous researcher has called into question the security behind Amazon Key. The individual, who appears on Twitter as MG, has posted a video showing how it can be used to disable customers’ alarm systems and break into their homes.

After a failed attempt at disclosure with Amazon, in which the company asked to see a PoC and said it would not pay a reward, MG took to Twitter and uploaded the video showing how Amazon Key can be exploited by anyone with a Raspberry Pi. “Amazon reached out to me the same day and I started helping them understand the attack,” he claims. “There was a window of time I didn’t hear back for about half a day, meanwhile Amazon PR started talking about the attack and saying it was a non-issue. Annoying... But I promised Amazon that I would withhold technical details until they released a fix. A day later, PR would completely explain the entire attack to Forbes even though a fix wasn’t rolled out.”

“The security features built into the delivery application technology used for in-home delivery are not being used in the demonstration,” says an Amazon spokesperson. “Safeguards are in place when the driver technology is used: our system monitors 1) that the door is only open for a brief period of time, 2) communication to the camera and lock is not interrupted, and 3) that the door is securely re-locked. The driver does not leave without physically checking that the door is locked. Safety and security is built into every aspect of the service.”