Using a customized Raspberry Pi minicomputer, a pseudonymous researcher named MG managed to bypass the Amazon Key's security system, gaining access to locked doors and retrieving packages that had been tagged as delivered by the courier in charge. He has since shared the surface details of his method in a post on his Medium blog.
According to MG, he had tried to contact Amazon about a potential flaw in its Amazon Key service back in January, but the company wasn't interested until it could be presented with a proof-of-concept (PoC). That was MG's main motivation for going ahead and building the PoC himself. It involved a customized Raspberry Pi that, when placed nearby, could intercept Wi-Fi signals sent out by the Amazon Key service.
His "attack" was carried out simply by placing his minicomputer near his would-be victim's door, then letting it perform the necessary tasks automatically the moment that a door event occurred. It was all recorded on video and later posted on Twitter.
In a post on his blog, MG stated that he also added the sound of the lock motor in order to add "a bit of deception into the attack." He described another vulnerability as well: if the deauthentication attack was executed at a specific, adjusted time, the actual Amazon Key app (the one installed on users' smartphones) would incorrectly revert to showing a "locked" state.
Deauthentication, in this case, refers to the type of attack used. It targets the wireless communication, and more specifically the signals and the data in them, between a user and the Wi-Fi access point that is the Amazon Key.
Once the attack has been executed, the lock remains open, unbeknownst to its owner, until the Pi minicomputer used to unlock it is turned off and the deauthentication stops. But while this seems like a fairly serious concern for one of Amazon's current flagship products, the company is said to be downplaying the impact of the research.
For one thing, Amazon says, the driver app is not the same as the consumer app, which is what the researcher used to carry out his PoC. That means the vulnerabilities used to perform the attack are likely not present in real-life deliveries, since the app used there isn't the same. Amazon itself said as much, noting that the vulnerability doesn't involve "a real-life delivery scenario."
In an interview with Daily Mail online, Amazon said that the fact that human delivery drivers will be the ones dropping off packages would go a long way towards preventing these types of attacks from happening. "The driver does not leave without physically checking that the door is locked," they said. "This is not a real-life delivery scenario as the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration."
It's a bit confusing and disconcerting that Amazon seems to think these issues are nothing to worry about, despite two different security exploits already having been reported. The company plans to issue a security fix to rectify any currently known issues, but time will tell whether researchers will find more.