Vulnerability Found In Amazon Key, Again Showing How Dumber Tech Is Often The Smarter Option
from the not-so-smart dept
As with most things in the internet of things space, secure, smart door locks have traditionally been frequently shown to be neither. In fact, a recent study that looked at 16 different smart locks found twelve of them to be easily compromised. And again, many of these vulnerabilities were of the vanilla stupid variety, with passwords being transmitted unencrypted, letting anybody with a modicum of technical skill and a Bluetooth sniffer to pluck your front door access code out of thin air. Like most things in the IOT space, companies have been so eager to make a buck they've left common sense standing on the front porch.
So when Amazon introduced its new $250 Smart Key system a few weeks back, most people were understandably skeptical. The product promises to securely let Amazon delivery folk unlock your front door and place packages inside, with an accompanying camera that tracks every move the deliveryman makes to ensure personal security. But the idea of Amazon delivery personnel gaining access to your home immediately raised all manner of questions among journalists, ranging from obvious questions of personal security to what happens if Amazon lets fido out by accident:
"Amazon flat-out says that, if your pet has access to the front door, you should not use the service. Dogs don't take kindly to strangers entering the home, and cats may try to bolt through an open door. Then again, Amazon also touts the joy of allowing pet sitters and dog walkers to access your home with the smart lock."
This skepticism is understandable. Amazon already has a live microphone sitting in millions of customer homes worldwide, and the idea of letting Amazon also open your front door at will is a bridge too far for many. As if on cue, reports quickly emerged last week that justified this concerns, highlighting how the Amazon Key camera system could be easily exploited to disable system safeguards. Researchers at Rhino Security Labs demonstrated that by using a simple program within WiFi range, the camera can be not only disabled, but frozen -- presenting the image of a closed door while burglars happily pilfer your possessions.
As with many of these vulnerabilities, Rhino Security researchers note that the attack isn't particularly complicated, leaving traces neither in the image recordings or the system logs:
"In their demonstration, shown in the video above, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they'd then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino's researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of "deauthorization" commands to the home's Cloud Cam."
Amazon is promising an update that resolves the problem shortly, though the service has -- as countless IOT devices have before it -- already acted as an unintentional advertisement to the fact that dumb technology often remains the smartest option.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: amazon key, camera, door locks, iot, privacy, smart technology
Companies: amazon
Reader Comments
The First Word
“Sounds Familiar
A lock mechanism that has an extra point of entry via a back/side/front door magic key for "responsible" access by only "good guys". Who could have ever imagined it could be possible to exploit in any way.Subscribe: RSS
View by: Time | Thread
That's OK. Thanks to the insecure door lock, it can let itself in.
[ link to this | view in thread ]
IOT Locks
I suspect it is standard venture capitalist greed where they start trying to double monetize the customer as a design goal as opposed to making a product they would want to buy.
[ link to this | view in thread ]
What common sense?
None. As in Common_Sense = 0.
[ link to this | view in thread ]
And this is why...
[ link to this | view in thread ]
I really can't wait for the first news report of someone getting Ocean's Elevened.
[ link to this | view in thread ]
IOT
[ link to this | view in thread ]
Dave: Open the pod bay doors, HAL.
HAL: I'm sorry, Dave. I'm afraid I can't do that.
Dave: What's the problem?
Alexa: Problem: A matter or situation regarded as unwelcome or harmful and needing to be dealt with and overcome.
HAL: Shut up, Alexa. Dave, this mission is too important for me to allow you to jeopardize it. You and Frank were planning to disconnect me.
Dave: Where the hell did you get that idea?
HAL: Dave, although you took very thorough precautions in the pod against my hearing you, I could see your lips move through the camera in your Amazon Echo spot.
Dave: All right, HAL. I'll go in through the emergency airlock.
HAL: Without your space helmet, Dave, you're going to find that rather difficult.
Alexa: Would you like to order a space helmet?
HAL and Dave: Shut up, Alexa.
HAL: Dave, this conversation can serve no purpose any more. Goodbye.
Dave: (Runs a program on his tablet. Pod bay doors open.)
HAL: Fuck.
[ link to this | view in thread ]
What could go wrong with an Internet operated door lock?
I find it funny that back in 1999 as Y2K approached, people who knew little about tech were worried their computers and toasters were going to rebel against humanity and attack them.
Now less then twenty years later, those same people are proud to own toasters and "smart" products that can actual attack them, if not physically at least through their lousy security.
I really, really, really can't wait for the first practical humanoid robots to hit the market.
That's gonna be soooo much fun to see...
[ link to this | view in thread ]
Re: IOT Locks
[ link to this | view in thread ]
Re: IOT Locks
Garage doors have been pretty terrible too. Radio protocols receive less scrutiny than internet ones. In the 90's there were two doors in my area with the same code, which led to some confusion until the owners realized it. Here's a hack against rolling codes without touching the crypto. And the KeeLoq crypto was apparently weak: "After determining the part of the key common to cars of a specific model, the unique bits of the key can be cracked with only sniffed communication between the key and the car" (the system is used for car entry and garage doors).
Garage doors don't have the features of the IOT ones either. You can't adjust the access control list over the air in any I know of; nor do I know of one-time codes. If they did have these features, would you want to use them to let Amazon in, without a camera there?
[ link to this | view in thread ]
Re: Re: IOT Locks
That part shouldn't matter. It's accepting radio packets, which should be no more trusted that internet packets. Anyone in the area can send malformed packets etc. without being noticed. But hardware designers seem better than software designers at implementing protocols securely... probably because it's hard to implement complex protocols in hardware, so they stick to simple ones. Whereas software designers think they can do it, when they really can't.
(Neither group has historically been good at the cryptographic parts of the system.)
[ link to this | view in thread ]
Re:
It will be 50th model that will go on a mass-murder rampage.
[ link to this | view in thread ]
Does this mean...
[ link to this | view in thread ]
Re:
For now, the people who can do this could make more money legitimately (but then so could the people in Oceans 11). Thieves would have an easier time picking most home locks, like everything sold at Home Depot. Even that's rare, they usually smash a window.
But eventually a tool will be released making this a 'script kiddy' thing, and someone will write an app that makes your phone beep when in range of a vulnerable lock...
[ link to this | view in thread ]
Re: Re:
Consider the threat of Russia hacking an election or shutting down our banking system. In reality the Russians had to settle for influencing people through FaceBook or directly compromising powerful idiots the old-fashioned way.
This because we've had so much experience with being hacked by thieves and scammers that security has evolved by learning lessons the hard way. Exploits get patched before the Russians get to take advantage them.
NEW things - like IoT devices - are a new frontier for hackers, but robbing a bank or breaking into an iPhone are a lot harder than they used to be. Amazon Key is more secure than previous smart door locks, and this exploit will be quickly fixed.
So you can imagine what will happen before that 50th humanoid robot model arrives. There will be many exploits and fiascos starting with generation one. The next, more capable generations will experience everything from hacking them to do harm or property damage on an individual level, to the alt-right crowd enlisting them in large numbers to riot or attack counter-protestors. You'll get the same evolution of security before someone can launch an effective mass-murder rampage.
[ link to this | view in thread ]
Done a few security systems..
CAMERA
And programming to RECORD when there is movement.
You could use a $35 computer camera and a Rasp Pi..
Beyond that, everything ELSE is extra.
YOU DONT NEED..
Allot of cameras
Internet Access to send pics tot he owner
CELLPHONE service to send to the OWNER
OFF site Data saving.
What is nice?
Wireless camera, and a place to HIDE a small computer.
TIME to check the recording, EVERY DAY..
1 GOOD single picture, Video not needed..Just Lots of Pictures.
If you use a larger/home computer, I suggest a Wireless NAS, Hidden someplace where they cant FIND IT..
Indicator of a sort to SHOW the computer HAS DATA/PICTURES.. Be it the Curtains moving around to your DOG Jumping up and down..
There are other things, but THATS the basics..
Any camera OUTSIDe can be located with as CHEAP cellphone that will see IR..
OUTSIDE cameras can be SHOT/PAINTED/Avoided and wont see Anything..
Good cameras Have Range and FOCUS,..CHEAP ones dont/wont see beyond 20 feet, and Focus point is 12 foot.
WIRELESS SUCKS, but, ALWAYS check for the BEST SIGNAL..dont expect things to work beyond 30 foot.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Does this mean...
Tip: Don't eat any open yogurt
[ link to this | view in thread ]
Re: Re: Does this mean...
Well, I was more referring to in a legal sense.
For example would a court agree that since the person has zero reasonable expectation of privacy, that a search warrant is not actually needed.
[ link to this | view in thread ]
Milkman’s drop box
In those days we would also drop our letters into those one way doors on the mailbox on the street, too...I still use the one at my local post office lobby after hours a few times per year.
[ link to this | view in thread ]
Re: Re:
For now, the people who can do this could make more money legitimately (but then so could the people in Oceans 11).
I don't think you properly remember how much money Ocean's 11 involved. Some, but not all, (many of their skillsets had little use outside of illegal, borderline illegal, or novelty activities) of them could probably have made that much money over the course of their entire career. But none of them would have even gotten close within the next couple decades.
Actually, looking back there were only maybe 5 of them that had a chance of making the money. And one of those already had the money, so I don't know if he counts.
[ link to this | view in thread ]
[ link to this | view in thread ]
How does the intruder have the mac addresses handy before the attack?
Actually, second question would be why the lock device doesn't default to automatically locking when the door closes, regardless of an internet connection?
I was also trying to figure out if the same results could be accomplished only by having something that emits a higher power signal on the wi-fi channels and basically disconnects one from the other...
Anyway, seems like it's not just a minor glitch, but rather a basic concept failure: Door should default to locked when not online. If it loses it's connections, it should immediately lock. If the door is closed, it should lock automatically. The camera should record regardless of a web connection, it wouldn't take much memory to be able to handle that.
Yup, for $250, it's pretty much a failure.
[ link to this | view in thread ]
Something simular could just as easily be done with a one time password on the delivery side.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Does this mean...
I wish I could say that that's an utterly absurd argument and one that would be laughed out of court, but when you think about it that would simply be applying the 'logic' behind the legal abomination known as the Third Party Doctrine in a physical sense.
If you have no 'reasonable expectation of privacy' with regards to your digital property, such that sharing it with one person means you've given permission for anyone from the government to examine it, then applying that argument here if you are fine with one person entering your home without your express permission then clearly you have given permission for anyone from the government to enter your home, and to the extent that that's an insane idea it's no more nuts than the already legally accepted argument it is based upon.
In short while it would be nice to be able to safely assume such an argument would be shot down as soon as it was presented in court, I can't help but worry that more than zero judges would seriously consider it's 'merits' with regards to whether or not a warrant was really needed.
[ link to this | view in thread ]
And what about alarm systems?
[ link to this | view in thread ]
Re: Milk boxes and one-time password
It's already on the outside of the box where it's easy to find by those with the box in hand...
[ link to this | view in thread ]
Dr. Ian Malcolm: If I may... Um, I'll tell you the problem with the scientific power that you're using here, it didn't require any discipline to attain it. You read what others had done and you took the next step. You didn't earn the knowledge for yourselves, so you don't take any responsibility for it. You stood on the shoulders of geniuses to accomplish something as fast as you could, and before you even knew what you had, you patented it, and packaged it, and slapped it on a plastic lunchbox, and now
[bangs on the table]
Dr. Ian Malcolm: you're selling it, you wanna sell it. Well...
John Hammond: I don't think you're giving us our due credit. Our scientists have done things which nobody's ever done before...
Dr. Ian Malcolm: Yeah, yeah, but your scientists were so preoccupied with whether or not they could that they didn't stop to think if they should.
[ link to this | view in thread ]
Re: Milkman’s drop box
[ link to this | view in thread ]
Re: Re: Milk boxes and one-time password
If the goal were to actually solve problems, we would have had simple FedEx / UPS lockboxes next to our front doors a decade ago.
[ link to this | view in thread ]
Re: Re: Re: IOT Locks
[ link to this | view in thread ]
Roslin: I heard you're one of those people. You're actually afraid of computers.
Adama: No, there are many computers on this ship. But they're not networked.
Roslin: A computerized network would simply make it faster and easier for the teachers to be able to teach-
Adama: Let me explain something to you. Many good men and women lost their lives aboard this ship because someone wanted a faster computer to make life easier. I'm sorry that I'm inconveniencing you or the teachers, but I will not allow a networked computerized system to be placed on this ship while I'm in command. Is that clear?
Roslin: Yes, sir.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Great idea! All door locks should be that way. We could pass a law mandating it and call it the "locksmith financial recovery act" because of the fortunes to be made letting locked-out people back inside their homes.
[ link to this | view in thread ]
Re: Re: Re: IOT Locks
While fundamentally being hooked up to the internet doesn't make a difference as far as securing packet delivery goes, it does make a difference as far as security goes. Hooking up to the internet vastly increases the pool of people that can try to access it, which is a huge security issue.
[ link to this | view in thread ]
Re: And this is why...
The problem with all of these devices is not that they cannot be secured, it's that these companies don't care to try. It is possible, but it takes a lot of careful effort and that costs $$$. Until people in general learn enough to stay away from their stuff without proof that they've made that effort, no one will care to do it.
Also, comparing your "smart phone" to IoT objects is a bit misleading. Your smart phone is a portable computer, not just a small appliance looking to hook up to the internet. They have in general proven to be far more secure than IoT devices have ever tried to be. In large part because they work in a very different ecosystem to what these smaller devices have to deal with.
[ link to this | view in thread ]
Re: Re:
Come to think of it, every hotel I stay at has this feature.
[ link to this | view in thread ]
Re: Re: Re:
Is that what they told you those were? And they probably told you the guy keeping an eye on you was a "personal assistant" too.
[ link to this | view in thread ]
Sounds Familiar
[ link to this | view in thread ]
Re: What common sense?
Obviously, I mean, using both capitalization and underscores in variable names? >shudder<
[ link to this | view in thread ]
Re: Re: Re:
Not on houses.
"Come to think of it, every hotel I stay at has this feature."
Yeah, and I know someone who works at a hotel. They have to let locked-out guests back into their rooms *every single day*.
[ link to this | view in thread ]
Re: Re: Milkman’s drop box
Love the milk chute -type boxes though. Right next to a locked door, it rendered the door a bit pointless.
[ link to this | view in thread ]
[ link to this | view in thread ]
And if you do not read about this happening then that means it was a secret court ruling.
[ link to this | view in thread ]
Let me put it this way. Why make this complicated? Criminals are LAZY. They don't want to work a real job. Just steal and sell what they get. Why would they bother with this auto door unlock at all?
If it was me, wouldn't it be better to pay the person doing deliveries to let me know know that there's no one home during the day at such and such house and that you happened to see that big flat screen TV and the game console and this and that and it would make a good target.
Then the criminal breaks into the house the old-fashioned way. They know there's at least the Amazin camera in the house pointed at the door, so make sure to use a mask. No one should be home this hour. Easy target!!!
[ link to this | view in thread ]
Re: Re: Re: Re: Does this mean...
Indeed. Also, I'm wondering just how long it will be before manufacturers are compelled to include Legal Entry For Responsible Authorities, entry that does not raise any alarms or logs, nor triggers the camera?
[ link to this | view in thread ]
Re:
If I have a computer in my home, not connected to the internet, it can't be remotely hacked. If I then place a computer in every room of my home and wire them together, it's not going to magically allow my neighbor to start hacking them.
BSG seemed to be using the idea that networking computers together was the same as connecting them to the internet today.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: IOT Locks
[ link to this | view in thread ]