Vulnerability Found In Amazon Key, Again Showing How Dumber Tech Is Often The Smarter Option
from the not-so-smart dept
As with most things in the internet of things space, secure, smart door locks have traditionally been frequently shown to be neither. In fact, a recent study that looked at 16 different smart locks found twelve of them to be easily compromised. And again, many of these vulnerabilities were of the vanilla stupid variety, with passwords being transmitted unencrypted, letting anybody with a modicum of technical skill and a Bluetooth sniffer to pluck your front door access code out of thin air. Like most things in the IOT space, companies have been so eager to make a buck they’ve left common sense standing on the front porch.
So when Amazon introduced its new $250 Smart Key system a few weeks back, most people were understandably skeptical. The product promises to securely let Amazon delivery folk unlock your front door and place packages inside, with an accompanying camera that tracks every move the deliveryman makes to ensure personal security. But the idea of Amazon delivery personnel gaining access to your home immediately raised all manner of questions among journalists, ranging from obvious questions of personal security to what happens if Amazon lets fido out by accident:
“Amazon flat-out says that, if your pet has access to the front door, you should not use the service. Dogs don’t take kindly to strangers entering the home, and cats may try to bolt through an open door. Then again, Amazon also touts the joy of allowing pet sitters and dog walkers to access your home with the smart lock.”
This skepticism is understandable. Amazon already has a live microphone sitting in millions of customer homes worldwide, and the idea of letting Amazon also open your front door at will is a bridge too far for many. As if on cue, reports quickly emerged last week that justified this concerns, highlighting how the Amazon Key camera system could be easily exploited to disable system safeguards. Researchers at Rhino Security Labs demonstrated that by using a simple program within WiFi range, the camera can be not only disabled, but frozen — presenting the image of a closed door while burglars happily pilfer your possessions.
As with many of these vulnerabilities, Rhino Security researchers note that the attack isn’t particularly complicated, leaving traces neither in the image recordings or the system logs:
“In their demonstration, shown in the video above, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they’d then lock the door with their app. In this attack, they instead run a program on their laptop?or, Rhino’s researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna?that sends a series of “deauthorization” commands to the home’s Cloud Cam.”
Amazon is promising an update that resolves the problem shortly, though the service has — as countless IOT devices have before it — already acted as an unintentional advertisement to the fact that dumb technology often remains the smartest option.
Filed Under: amazon key, camera, door locks, iot, privacy, smart technology
Companies: amazon
Comments on “Vulnerability Found In Amazon Key, Again Showing How Dumber Tech Is Often The Smarter Option”
That’s OK. Thanks to the insecure door lock, it can let itself in.
IOT Locks
Seriously I don’t get why the IOT locks are so terrible when garage doors have mastered electronic locks for decades just with rolling codes. It isn’t that hard.
I suspect it is standard venture capitalist greed where they start trying to double monetize the customer as a design goal as opposed to making a product they would want to buy.
Re: IOT Locks
The garage door is not typically connected to the Internet.
Re: Re: IOT Locks
That part shouldn’t matter. It’s accepting radio packets, which should be no more trusted that internet packets. Anyone in the area can send malformed packets etc. without being noticed. But hardware designers seem better than software designers at implementing protocols securely… probably because it’s hard to implement complex protocols in hardware, so they stick to simple ones. Whereas software designers think they can do it, when they really can’t.
(Neither group has historically been good at the cryptographic parts of the system.)
Re: Re: Re: IOT Locks
I’m not sure that garage door openers are a good example.
Re: Re: Re: IOT Locks
I think you’re seriously overselling how great “hardware designers” have done.
While fundamentally being hooked up to the internet doesn’t make a difference as far as securing packet delivery goes, it does make a difference as far as security goes. Hooking up to the internet vastly increases the pool of people that can try to access it, which is a huge security issue.
Re: IOT Locks
Garage doors have been pretty terrible too. Radio protocols receive less scrutiny than internet ones. In the 90’s there were two doors in my area with the same code, which led to some confusion until the owners realized it. Here’s a hack against rolling codes without touching the crypto. And the KeeLoq crypto was apparently weak: "After determining the part of the key common to cars of a specific model, the unique bits of the key can be cracked with only sniffed communication between the key and the car" (the system is used for car entry and garage doors).
Garage doors don’t have the features of the IOT ones either. You can’t adjust the access control list over the air in any I know of; nor do I know of one-time codes. If they did have these features, would you want to use them to let Amazon in, without a camera there?
Re: IOT Locks
Garage doors are pretty easily opened even with rolling codes and are a favorite entry point for thieves if they know you aren’t home and have an attached garage.
What common sense?
As far as I can tell there is an absolute lack of common sense in the IoT ecosystem.
None. As in Common_Sense = 0.
Re: What common sense?
Obviously, I mean, using both capitalization and underscores in variable names? >shudder<
And this is why...
…I don’t have a smart phone. Or a smart TV. Or a smart fridge, door lock, or anything else. They’re all security nightmares that were broken at the design stage and CANNOT be fixed in the field: only patched, over and over again.
Re: And this is why...
While paranoia will certainly keep you safe, I personally have no interest in living closed off from everyone else just because there are bad people out there.
The problem with all of these devices is not that they cannot be secured, it’s that these companies don’t care to try. It is possible, but it takes a lot of careful effort and that costs $$$. Until people in general learn enough to stay away from their stuff without proof that they’ve made that effort, no one will care to do it.
Also, comparing your “smart phone” to IoT objects is a bit misleading. Your smart phone is a portable computer, not just a small appliance looking to hook up to the internet. They have in general proven to be far more secure than IoT devices have ever tried to be. In large part because they work in a very different ecosystem to what these smaller devices have to deal with.
I really can’t wait for the first news report of someone getting Ocean’s Elevened.
Re: Re:
For now, the people who can do this could make more money legitimately (but then so could the people in Oceans 11). Thieves would have an easier time picking most home locks, like everything sold at Home Depot. Even that’s rare, they usually smash a window.
But eventually a tool will be released making this a ‘script kiddy’ thing, and someone will write an app that makes your phone beep when in range of a vulnerable lock…
Re: Re: Re:
For now, the people who can do this could make more money legitimately (but then so could the people in Oceans 11).
I don’t think you properly remember how much money Ocean’s 11 involved. Some, but not all, (many of their skillsets had little use outside of illegal, borderline illegal, or novelty activities) of them could probably have made that much money over the course of their entire career. But none of them would have even gotten close within the next couple decades.
Actually, looking back there were only maybe 5 of them that had a chance of making the money. And one of those already had the money, so I don’t know if he counts.
IOT
I think you misspelled IDIOT.
Dave: Open the pod bay doors, HAL.
HAL: I’m sorry, Dave. I’m afraid I can’t do that.
Dave: What’s the problem?
Alexa: Problem: A matter or situation regarded as unwelcome or harmful and needing to be dealt with and overcome.
HAL: Shut up, Alexa. Dave, this mission is too important for me to allow you to jeopardize it. You and Frank were planning to disconnect me.
Dave: Where the hell did you get that idea?
HAL: Dave, although you took very thorough precautions in the pod against my hearing you, I could see your lips move through the camera in your Amazon Echo spot.
Dave: All right, HAL. I’ll go in through the emergency airlock.
HAL: Without your space helmet, Dave, you’re going to find that rather difficult.
Alexa: Would you like to order a space helmet?
HAL and Dave: Shut up, Alexa.
HAL: Dave, this conversation can serve no purpose any more. Goodbye.
Dave: (Runs a program on his tablet. Pod bay doors open.)
HAL: Fuck.
So another “great idea” that turns out to have really bad side effects that were unforeseeable to everyone bereft of common sense…
What could go wrong with an Internet operated door lock?
I find it funny that back in 1999 as Y2K approached, people who knew little about tech were worried their computers and toasters were going to rebel against humanity and attack them.
Now less then twenty years later, those same people are proud to own toasters and “smart” products that can actual attack them, if not physically at least through their lousy security.
I really, really, really can’t wait for the first practical humanoid robots to hit the market.
That’s gonna be soooo much fun to see…
Re: Re:
I wouldn’t worry about the /first/ humanoid robot. It will be under far too much scrutiny to be truly dangerous.
It will be 50th model that will go on a mass-murder rampage.
Re: Re: Re:
I’m not too worried about that.
Consider the threat of Russia hacking an election or shutting down our banking system. In reality the Russians had to settle for influencing people through FaceBook or directly compromising powerful idiots the old-fashioned way.
This because we’ve had so much experience with being hacked by thieves and scammers that security has evolved by learning lessons the hard way. Exploits get patched before the Russians get to take advantage them.
NEW things – like IoT devices – are a new frontier for hackers, but robbing a bank or breaking into an iPhone are a lot harder than they used to be. Amazon Key is more secure than previous smart door locks, and this exploit will be quickly fixed.
So you can imagine what will happen before that 50th humanoid robot model arrives. There will be many exploits and fiascos starting with generation one. The next, more capable generations will experience everything from hacking them to do harm or property damage on an individual level, to the alt-right crowd enlisting them in large numbers to riot or attack counter-protestors. You’ll get the same evolution of security before someone can launch an effective mass-murder rampage.
Re: Re: Re: Re:
If and only if the designer of the 50th updates on the lessons of the last 49.
Does this mean...
Does this mean that someone with an Amazon key has zero reasonable expectation of privacy?
Re: Does this mean...
Yes, since you are giving access to a third party, the delivery person, you have no expectation of privacy
Tip: Don’t eat any open yogurt
Re: Re: Does this mean...
Well, I was more referring to in a legal sense.
For example would a court agree that since the person has zero reasonable expectation of privacy, that a search warrant is not actually needed.
Re: Re: Re: Does this mean...
I wish I could say that that’s an utterly absurd argument and one that would be laughed out of court, but when you think about it that would simply be applying the ‘logic’ behind the legal abomination known as the Third Party Doctrine in a physical sense.
If you have no ‘reasonable expectation of privacy’ with regards to your digital property, such that sharing it with one person means you’ve given permission for anyone from the government to examine it, then applying that argument here if you are fine with one person entering your home without your express permission then clearly you have given permission for anyone from the government to enter your home, and to the extent that that’s an insane idea it’s no more nuts than the already legally accepted argument it is based upon.
In short while it would be nice to be able to safely assume such an argument would be shot down as soon as it was presented in court, I can’t help but worry that more than zero judges would seriously consider it’s ‘merits’ with regards to whether or not a warrant was really needed.
Re: Re: Re:2 Does this mean...
Indeed. Also, I’m wondering just how long it will be before manufacturers are compelled to include Legal Entry For Responsible Authorities, entry that does not raise any alarms or logs, nor triggers the camera?
Done a few security systems..
And I find that there is only a few tings you need..
CAMERA
And programming to RECORD when there is movement.
You could use a $35 computer camera and a Rasp Pi..
Beyond that, everything ELSE is extra.
YOU DONT NEED..
Allot of cameras
Internet Access to send pics tot he owner
CELLPHONE service to send to the OWNER
OFF site Data saving.
What is nice?
Wireless camera, and a place to HIDE a small computer.
TIME to check the recording, EVERY DAY..
1 GOOD single picture, Video not needed..Just Lots of Pictures.
If you use a larger/home computer, I suggest a Wireless NAS, Hidden someplace where they cant FIND IT..
Indicator of a sort to SHOW the computer HAS DATA/PICTURES.. Be it the Curtains moving around to your DOG Jumping up and down..
There are other things, but THATS the basics..
Any camera OUTSIDe can be located with as CHEAP cellphone that will see IR..
OUTSIDE cameras can be SHOT/PAINTED/Avoided and wont see Anything..
Good cameras Have Range and FOCUS,..CHEAP ones dont/wont see beyond 20 feet, and Focus point is 12 foot.
WIRELESS SUCKS, but, ALWAYS check for the BEST SIGNAL..dont expect things to work beyond 30 foot.
Milkman’s drop box
Back in the day of the milkman, people used to have a lockable box on their outside doorstep, and the milkman would put fresh milk in it at an ungodly early hour.
In those days we would also drop our letters into those one way doors on the mailbox on the street, too…I still use the one at my local post office lobby after hours a few times per year.
Re: Milkman’s drop box
Canada Post does something like that for package delivery. If the package won’t fit in your lockable mailbox, they put the key for a larger nearby mailbox in there, and then you grab your package and return the key to the labeled slot. Much more convenient that the alternate courier companies, who will send you to some distant office for pickup and make you show ID.
Re: Re: Milkman’s drop box
Really, this had me wondering why we don’t have “delivery boxes” built in (or on) already. Just a box big enough for most packages. It’s unlocked until whomever delivers something, and locks it. Great even for the packages they would leave without a receiver present anyway.
Love the milk chute -type boxes though. Right next to a locked door, it rendered the door a bit pointless.
I want a dumb phone, a dumb TV, a dumb watch, a dumb mouse, a dumb keyboard…
Re: Re:
In that case, I highly recommend getting a smart spouse;)
I actually only have one question on this, which is simply:
How does the intruder have the mac addresses handy before the attack?
Actually, second question would be why the lock device doesn’t default to automatically locking when the door closes, regardless of an internet connection?
I was also trying to figure out if the same results could be accomplished only by having something that emits a higher power signal on the wi-fi channels and basically disconnects one from the other…
Anyway, seems like it’s not just a minor glitch, but rather a basic concept failure: Door should default to locked when not online. If it loses it’s connections, it should immediately lock. If the door is closed, it should lock automatically. The camera should record regardless of a web connection, it wouldn’t take much memory to be able to handle that.
Yup, for $250, it’s pretty much a failure.
Re: Re:
Great idea! All door locks should be that way. We could pass a law mandating it and call it the "locksmith financial recovery act" because of the fortunes to be made letting locked-out people back inside their homes.
Re: Re: Re:
You have never had a door lock that defaults to locking when you close the door? Wow. It’s actually pretty common, I would say that half of the condos I have lived in come with this sort of feature.
Come to think of it, every hotel I stay at has this feature.
Re: Re: Re: Re:
Is that what they told you those were? And they probably told you the guy keeping an eye on you was a "personal assistant" too.
Re: Re: Re: Re:
“You have never had a door lock that defaults to locking when you close the door? Wow. It’s actually pretty common,”
Not on houses.
“Come to think of it, every hotel I stay at has this feature.”
Yeah, and I know someone who works at a hotel. They have to let locked-out guests back into their rooms every single day.
Just to add, hiw many remember milk boxes – those passthroughs that were built into houses as late as the 60s.
Something simular could just as easily be done with a one time password on the delivery side.
Re: Milk boxes and one-time password
How about the package tracking number for the password?
It’s already on the outside of the box where it’s easy to find by those with the box in hand…
Re: Re: Milk boxes and one-time password
Stop you’re thinking too simply… You have to monetize access with NEW FANCY SUPER DUPER IOT PRODUCTS !!!!
If the goal were to actually solve problems, we would have had simple FedEx / UPS lockboxes next to our front doors a decade ago.
And what about alarm systems?
We don’t have a dog or cat but do have motion detectors connected to the system, so if the Amazon delivery person opens the door, the alarm will sound. The cops will be around in a few minutes. Probably another reason not to get one of these lock.s
Dr. Ian Malcolm: If I may… Um, I’ll tell you the problem with the scientific power that you’re using here, it didn’t require any discipline to attain it. You read what others had done and you took the next step. You didn’t earn the knowledge for yourselves, so you don’t take any responsibility for it. You stood on the shoulders of geniuses to accomplish something as fast as you could, and before you even knew what you had, you patented it, and packaged it, and slapped it on a plastic lunchbox, and now
[bangs on the table]
Dr. Ian Malcolm: you’re selling it, you wanna sell it. Well…
John Hammond: I don’t think you’re giving us our due credit. Our scientists have done things which nobody’s ever done before…
Dr. Ian Malcolm: Yeah, yeah, but your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.
Adama: It’s an integrated computer network, and I will not have it aboard this ship.
Roslin: I heard you’re one of those people. You’re actually afraid of computers.
Adama: No, there are many computers on this ship. But they’re not networked.
Roslin: A computerized network would simply make it faster and easier for the teachers to be able to teach-
Adama: Let me explain something to you. Many good men and women lost their lives aboard this ship because someone wanted a faster computer to make life easier. I’m sorry that I’m inconveniencing you or the teachers, but I will not allow a networked computerized system to be placed on this ship while I’m in command. Is that clear?
Roslin: Yes, sir.
Re: Re:
That’s one aspect of the new BSG I never understood. Simply hooking two or more computers together in a network doesn’t make them any more vulnerable to hacking than a single computer. Unless they’re using something like WiFi to communicate, they’re still isolated from outside connections.
If I have a computer in my home, not connected to the internet, it can’t be remotely hacked. If I then place a computer in every room of my home and wire them together, it’s not going to magically allow my neighbor to start hacking them.
BSG seemed to be using the idea that networking computers together was the same as connecting them to the internet today.
Re: Re: Re:
If the systems are air-gaped then hypothetically speaking the cylons would have to breach every single system as opposed to a one and done breach to take over the battlestar.
I’m still waiting for Amazon Sub Prime, where you have to buy 100 items a month or they foreclose on your home.
Sounds Familiar
A lock mechanism that has an extra point of entry via a back/side/front door magic key for “responsible” access by only “good guys”. Who could have ever imagined it could be possible to exploit in any way.
Do people realize how easy it is to defeat mechanical locks? Most people don`t buy these new fancy locks for security. They could have bought a better lock years ago of the mechanical kind. They want the cool features.
It will not take long for a court to order amazon to open a house … because there is probably a cause in the house that they will find and they promise to get a warrant later, maybe.
And if you do not read about this happening then that means it was a secret court ruling.
Letting strangers into your house is just a bad idea!!! Ok, so the security issue is patched. What does that matter?
Let me put it this way. Why make this complicated? Criminals are LAZY. They don’t want to work a real job. Just steal and sell what they get. Why would they bother with this auto door unlock at all?
If it was me, wouldn’t it be better to pay the person doing deliveries to let me know know that there’s no one home during the day at such and such house and that you happened to see that big flat screen TV and the game console and this and that and it would make a good target.
Then the criminal breaks into the house the old-fashioned way. They know there’s at least the Amazin camera in the house pointed at the door, so make sure to use a mask. No one should be home this hour. Easy target!!!