Amazon Key — Burglary as a Service?

And a story of a frustrating disclosure process with Amazon

Amazon Key — the smartlock product that requires you to disable your home alarm system for the service to work.

Background and poor disclosure experience

At the end of January, I postulated a fun way to weaponize the deauth attack that Rhino Security Labs found and disclosed last year. Especially after seeing how much Amazon downplayed the existing research. It didn’t take much imagination to figure out how to go from “it requires an evil delivery driver” to “anyone with a raspberry Pi.” A professional researcher saw this and reached out to me, offering to broker a disclosure with Amazon. Unfortunately, this attempt failed. Amazon turned down the offer by demanding a working PoC be made for them. In the same breath, they also said that they have no bounty or other reward pathways. I wasn’t interested in a reward, but this level of arrogance was off-putting.

Technical

Conclusion, Threat Models, and Amazon Response

At this point, the lock is left open until the Pi is powered off to stop the deauth. Amazon says the driver app is different than the consumer app. It has more security added. I’d be happy to audit the driver app, but why doesn’t the consumer side have the same security? Amazon says the fact that the homeowner gets quickly alerted of a disconnect is a sufficient safeguard. How is that alert actionable? Can I call the police to do a wellness check on my lock? What happens if I randomly deauth the Amazon Key throughout the week to generate alerts that desensitize the homeowner? Amazon says there is process for the delivery driver to prevent abuse. Why are you putting so much responsibility on low wage workers to be the last gate in a bad security model? How often has this process been audited for completion rates or holes? Amazon doesn’t talk about the consumer use of this app either. My PoC showed off a delivery driver opening the lock, but this could easily be a homeowner or guest dropping something off in their house or even just quickly running back in to grab something before driving off. Amazon also doesn’t talk about the fact that they require your house’s alarm to be turned off for a driver to use the Amazon Key without issue.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store