Vulnerability Found In Amazon Key, Again Showing How Dumber Tech Is Often The Smarter Option
from the not-so-smart dept
As with most things in the internet of things space, secure, smart door locks have frequently been shown to be neither. In fact, a recent study that looked at 16 different smart locks found twelve of them to be easily compromised. And again, many of these vulnerabilities were of the vanilla stupid variety, with passwords being transmitted unencrypted, letting anybody with a modicum of technical skill and a Bluetooth sniffer pluck your front door access code out of thin air. Like most things in the IoT space, companies have been so eager to make a buck they’ve left common sense standing on the front porch.
So when Amazon introduced its new $250 Smart Key system a few weeks back, most people were understandably skeptical. The product promises to securely let Amazon delivery folk unlock your front door and place packages inside, with an accompanying camera that tracks every move the deliveryman makes to ensure personal security. But the idea of Amazon delivery personnel gaining access to your home immediately raised all manner of questions among journalists, ranging from obvious questions of personal security to what happens if Amazon lets Fido out by accident:
“Amazon flat-out says that, if your pet has access to the front door, you should not use the service. Dogs don’t take kindly to strangers entering the home, and cats may try to bolt through an open door. Then again, Amazon also touts the joy of allowing pet sitters and dog walkers to access your home with the smart lock.”
This skepticism is understandable. Amazon already has a live microphone sitting in millions of customer homes worldwide, and the idea of letting Amazon also open your front door at will is a bridge too far for many. As if on cue, reports quickly emerged last week that justified these concerns, highlighting how the Amazon Key camera system could be easily exploited to disable system safeguards. Researchers at Rhino Security Labs demonstrated that by using a simple program within WiFi range, the camera can be not only disabled, but frozen — presenting the image of a closed door while burglars happily pilfer your possessions.
As with many of these vulnerabilities, Rhino Security researchers note that the attack isn’t particularly complicated, and that it leaves traces in neither the image recordings nor the system logs:
“In their demonstration, shown in the video above, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they’d then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino’s researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of “deauthorization” commands to the home’s Cloud Cam.”
Amazon is promising an update that resolves the problem shortly, though the service has — as countless IoT devices have before it — already acted as an unintentional advertisement for the fact that dumb technology often remains the smartest option.
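For defenders, the burst of deauthentication frames described in the quoted passage can be observed by a separate WiFi sensor even when the camera's own recordings and logs show nothing. The following Python detector is an added example, not code from the article or from Rhino Security Labs: it parses raw 802.11 management frames and flags a flood aimed at a watched station. The MAC addresses, window and threshold are assumptions, and the sample capture is constructed.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10      # 802.11 management-frame subtypes
WINDOW_S, THRESHOLD = 5.0, 10  # assumed tuning: 10 frames within 5 s
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (dst, claimed_src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(capture, watched):
    """capture: iterable of (timestamp, raw 802.11 frame without radiotap header)."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        dst, src, bssid, reason = parsed
        # A broadcast deauth disconnects every client, so it counts against all watched stations.
        for station in (watched if dst == BROADCAST else watched & {dst}):
            q = recent[station]
            q.append(ts)
            while ts - q[0] > WINDOW_S:      # drop timestamps that fell out of the window
                q.popleft()
            if len(q) >= THRESHOLD and station not in alerted:
                alerted.add(station)
                alerts.append({"station": station, "claimed_src": src, "bssid": bssid,
                               "reason": reason, "count": len(q), "first_seen": q[0]})
    return alerts

# Constructed sample capture (MACs are made-up locally administered addresses).
CAMERA, AP = "02:00:00:00:00:01", "02:00:00:00:00:aa"

def sample_frame(subtype, dst, src, reason=7):
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(src)
            + b"\x00\x00" + struct.pack("<H", reason))

SAMPLE = [(0.0, sample_frame(8, BROADCAST, AP)),        # beacon, ignored
          (1.0, sample_frame(DEAUTH, CAMERA, AP))]      # a single deauth is normal
SAMPLE += [(100.0 + 0.1 * i, sample_frame(DEAUTH, CAMERA, AP)) for i in range(12)]
```

The source address is reported as `claimed_src` because deauthentication frames are unauthenticated unless management frame protection (802.11w) is in use, so the sender field identifies the impersonated device rather than the attacker.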