Vulnerability in Amazon Key

Amazon Key is an IoT door lock that can enable one-time access codes for delivery people. To further secure that system, Amazon sells Cloud Cam, a camera that watches the door to ensure that delivery people don't abuse their one-time access privilege.

Cloud Cam has been hacked:

But now security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum.

And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system.

Amazon is patching the system.

Posted on November 20, 2017 at 6:19 AM • 57 Comments

Comments

JeffNovember 20, 2017 7:43 AM

People need to realize that there's more to theft than physical items that can be carried out the front door. Regardless of Amazon's promises with cameras that may or may not be hacked, there's always information that can leave too.

ProfitIsKingNovember 20, 2017 7:45 AM

Profit is the driving force behind products. And that means companies will spend a limited amount of money on security. They don't have much incentive to do better. But the incentive to break the security of a product from a major company is compelling: internet fame. When the incentive to break security is greater than the incentive to create security, the products will have vulnerabilities, and those vulnerabilities will be discovered.

Joe MasonNovember 20, 2017 7:53 AM

My takeaway from this is guardedly positive: Amazon is patching the system. So it has a way to get security updates.

WaelNovember 20, 2017 8:24 AM

Amazon is patching the system.

It's the design that needs to be 'patched' -- not the implementation.

fredNovember 20, 2017 9:02 AM

Amazon is now willing to sell us the privilege to be surveilled and get robbed! Can we buy the Amazon button when we want to get robbed again?

Just because it is shinny and new tech doesn't mean we need to buy it.

meNovember 20, 2017 9:13 AM

@fred
same here; am i the only one who think that placing a (broken or not) camera inside my house and installing a backdoor in my front door is a bad idea?

hmmNovember 20, 2017 10:49 AM

"My takeaway from this is guardedly positive: Amazon is patching the system. So it has a way to get security updates."

So far we've found a wifi signal can blind their camera which is about 3/4 of the point of the damn thing.

How hard is it for a "rogue mailman" to "update" that system? Undetermined.
You just know this won't be the last major vuln with this product.

JordanNovember 20, 2017 10:53 AM

Picking a conventional lock is easier than hacking an e-lock. Breaking windows and kicking the door in are easy too.

(Yes, script kiddies are an issue. But still: It's not like the old way is perfect.)

WilliamBlazeworthyNovember 20, 2017 10:58 AM

I agree with @Jordan...

I can see something like this being exploited by a (stupid) rogue Amazon delivery person, but only VERY rarely. Most people working a job like that are thankful just to have it and wouldn't risk jail time attempting an attack they are most likely to not even understand.

markNovember 20, 2017 11:38 AM


Let's see, giving a key to your house to someone you've never met, will never meet, and whom you have *no* idea if they've had a background check, or a criminal record for theft, or the IQ of a mouse ("Sure, come on in with me, we can keep talking, while I deliver this...") is a "good idea".

I dunno, maybe for naive rabid suburbanites... says the guy who goes *nowhere* without locking doors, and who locks his screen, or logs out, on his computer at home, with only his Lord&Master* in the house....

* Come on, I don't want him putting charges on my credit cards at Cat HQ Supply Corp for that lair....

AJWMNovember 20, 2017 11:40 AM

What's wrong with having a lockbox (it could be large - what's the biggest thing you've ever ordered from Amazon?) that affixes in a secure manner to your porch or wall? Let Amazon have the key to that.

When I was a kid, many houses had an "airlock" for milk deliveries, with an inner and outer door. It was several feet off the ground, so you didn't even have to bend down to get the milk, and the inner door locked from the inside. Not big enough these days for many Amazon packages, but the right idea.

WaelNovember 20, 2017 11:55 AM

@AJWM,

What's wrong with having a lockbox (it could be large - what's the biggest thing you've ever ordered from Amazon?)

That's the right design - at least one of them. A double-door variant also possible. No need to give full privileges and access to the whole house for this task. The design violates several security principles and this cannot be fixed by patching the implementation. That's what I meant when I said the design is flawed in a previous reference.

PS: haven't had the time to finish the three novels yet, but I read a few pages when I get a chance. At this rate, space colonization will be a reality before I finish. I like it so far. And no remarkable security issues to comment on, but I'll find one or two ;)

Say, if you participate in the movie plot, you'll surely kill the curve!

fredNovember 20, 2017 12:01 PM

We need to call this effort by Amazon for what it really is. If the problem Amazon is solving is having your stuff stolen by stranger, why is the solution allowing stranger access to even more of your stuff?

What we do know is Amazon (with every other big biz) the goal is data. Who enters your house and at what times. For F*ck sake, they data mine what you look at, what you buy, what you watch, what you listen too. With Alexa they data mine your voice, who you call. Does anyone think Amazon is accruing massive debt for package delivery?

MattNovember 20, 2017 12:04 PM

@AJWM "What's wrong with having a lockbox (it could be large - what's the biggest thing you've ever ordered from Amazon?) that affixes in a secure manner to your porch or wall? Let Amazon have the key to that."

I've often wondered about this. What about just having a box out front (of the average suburban house). Something like a patio deck box.

I've been thinking about getting one, once I figure out a size and where to put it that doesn't look bad.

I'm not even thinking about securing it to the building/ground or locking it. Just having a container that's large enough for a package to be put in and out of sight. This wouldn't stop the thief that's following the delivery truck and picking up every package. But, it would be out of sight to someone just driving around looking for packages. Adding the extra 30-60 seconds and noticeable activity of them having to stop, walk up, check the storage box to see if it contains a package, finding it empty most times, and then moving on to the next house. That should be enough extra friction to prevent casual theft. It would work even better if everyone had a box, kind of a camouflage in numbers. And, not enough extra friction to prevent the delivery driver from actually putting a package in the box.

Right now, I'm actually more concerned with rain than with theft. I've had a package stolen once, but I've had many of them soaked through because it wasn't raining when left and then poured later on.

Jonathan GunterNovember 20, 2017 12:57 PM

Wael is right. Patching will fix this week's vulnerability and maybe NEXT week's. But Security by design is the answer.

To promote this, somebody should start a running contest (maybe Bruce?) as to who's next new thing is has the shortest run from release to hack!

Maybe after Amazon cloudcam's 3rd "hack after patch" they'll redesign it! How long was it from iphoneX iface to its 1st, then 2nd hack? Are either or both verified?

Maybe the contest should be how long from release to 3rd verified hack! This might shame internet behemoths into security by design!

Jonathan

PS: Mikko Hypponen writes that the only vendor of IoT seriously designing in security is IKEA. He attributes this to the fact that IKEA wants to roll out a product world-wide and sell the hell out of it for a long time!

yeah?November 20, 2017 1:56 PM

"Picking a conventional lock is easier than hacking an e-lock."

Try picking a Medeco lock. We'll wait.

Hill Billy JeanNovember 20, 2017 2:06 PM

We need to call this effort by Amazon for what it really is. If the problem Amazon is solving is having your stuff stolen by stranger, why is the solution allowing stranger access to even more of your stuff?

What we do know is Amazon (with every other big biz) the goal is data. Who enters your house and at what times. For F*ck sake, they data mine what you look at, what you buy, what you watch, what you listen too. With Alexa they data mine your voice, who you call. Does anyone think Amazon is accruing massive debt for package delivery?

It bears quoting in full.

hmmNovember 20, 2017 2:08 PM

Let's face it : Consumers are lazy and spoiled, and Amazon is the patron saint of it.

You don't need a package delivered to your residential door while you're away, you need it delivered nearby for you to be notified to go pick it up securely with ID when convenient.

Trying to turn your front door into an unmanned mail center via a wifi camera is just a piss poor idea.

WaelNovember 20, 2017 2:39 PM

@Jonathan Gunter,

I am limited in what I can and cannot say. But at the high level, there is a violation of: Least Privilege and Separation of domains, Separation of roles and Segregation of duties. Perhaps more, but these are sufficient. These violations cannot e fixed at the implementation level. The weaknesses are built in the fabric of the design. As a general rule, weaknesses at the concept levels cannot be fixed the design level, weaknesses at the design level cannot be fixed at the architecture level, and weaknesses at the architecture level cannot be fixed at the implementation or coding levels. Such "patching" are only patches, as in a bandaid. Like I said before: The concept is valid, the design needs to be well thought out.

@hmm,

Trying to turn your front door into an unmanned mail center via a wifi camera is just a piss poor idea.

Oh, don't be so harsh! This is a piss poor idea. Literally!

AJWMNovember 20, 2017 3:36 PM

Try picking a Medeco lock. We'll wait.

Or a Rabson*.


*Fans of Lawrence Block's Bernie Rhodenbarr stories will get this.

JordanNovember 20, 2017 5:41 PM

@yeah?

> [ Medeco ]

I did say "conventional". Yes, there are higher-security locks. Few people use them.

Eat some poison, it's kNovember 20, 2017 6:17 PM

“A long term study of roundup in rats found that the lowest dosage, that was 75,000 times below the recommended dose of glyphosate [a common crop weed killer] had Anatomical Level toxicity leading to fatty tissue liver disease."

Monsanto is killing us and we're discussing how to let minimum wage delivery folks into our homes.

Better living through science or decidedly mixed bag through science?

hermanNovember 21, 2017 10:59 AM

Put a patio box at the door. Add a hasp and lock. Leave the lock open. The delivery guy can snap the lock shut and you have the only key.

MattNovember 21, 2017 12:08 PM

@herman - Is the lock even really needed?

Without a lock, someone following the delivery van can still steal the package.


But, is someone that's just driving around looking for packages of opportunity really going to stop and go check a box to see if it happens to contain a package?


Is it possible that simply having a box that hides the status of it there is a package or not is enough extra friction to prevent most theft? (With a bonus of protecting packages from rain and snow.)

Richmond2000November 21, 2017 1:55 PM

"AJWM • November 20, 2017 11:40 AM
What's wrong with having a lockbox (it could be large - what's the biggest thing you've ever ordered from Amazon?) that affixes in a secure manner to your porch or wall? Let Amazon have the key to that.

When I was a kid, many houses had an "airlock" for milk deliveries, with an inner and outer door. It was several feet off the ground, so you didn't even have to bend down to get the milk, and the inner door locked from the inside. Not big enough these days for many Amazon packages, but the right idea."

the side door into the garage OR the outer door into the "mudroom"/ enclosed porch
A garage with a remote door opener is NOT very secure so in that aspect the security "lost" is a LOT less then total home access

AnonNovember 21, 2017 3:37 PM

Who didn't see this coming?

Only the first of many.

In the UK, Yale are advertising an electronic lock that you operate with your smartphone. How long before that is broken, too?

Forgive me if Yale are the same people working with Amazon.

JordanNovember 21, 2017 3:40 PM

@Jordan: while I understand your point that existing locks are not perfect, at least they have to do physical damage that screams "I was broken into", whereas this electronic lock leaves no obvious sign of entry, which IMHO is far worse.

hmmNovember 21, 2017 5:05 PM

Herman wins the thread.

"Put a patio box at the door. Add a hasp and lock. Leave the lock open. The delivery guy can snap the lock shut and you have the only key."

Add a webcam (one that isn't trivially disabled via wifi) and leave a 6 pack of beer for your delivery guy once per month.

Congratulations, you are smarter than Jeff Bezos.

hmmNovember 21, 2017 5:05 PM

"whereas this electronic lock leaves no obvious sign of entry, which IMHO is far worse."

Exactly right.

JordanNovember 21, 2017 11:49 PM

@Jordan (another one? :-)

While kicking down the door and breaking windows scream "I was broken into", the signs of picking, if any, are subtle - small scratches on the lock. There's no screaming. You aren't damaging the lock; you're just fooling it into thinking you have a key.

HermanNovember 22, 2017 12:22 AM

Mailboxes Etc offer a commercial drop off location, but it won't be handy to use for may people.

WaelNovember 22, 2017 12:36 AM

Just dispatch a drone to drop the goods into the chimney. It's almost the season. Or have an autonomous delivery vehicle drop by during the hours the recipients are at home. Vehicle arrives, calls the owner to go out and pick it up from the car's trunk. Owner can authenticate with whatever method.

PatrickNovember 22, 2017 9:38 AM

You can definitely get a lock that won't be picked in a burglary scenario for less than the cost of this Amazon door opener toy, so if you have that sort of budget for your front door there's no reason why you wouldn't have a proper lock in the first place. Then you atleast know there will be physical signs of entry.


By the way, Medeco's are certainly not unpickable, or even very difficult to pick compared with some of the real picking horrors. Certainly not out of the question to pick one in the wild given the proper motivation. You need quite a bit of experience to do it in a reasonable time however, and they are certainly a lot better than the crap which passes for locks in the US. But I wouldn't compare them to actual high security locks.


Clive RobinsonNovember 22, 2017 12:43 PM

@ Patrick,

By the way, Medeco's are certainly not unpickable, or even very difficult to pick compared with some of the real picking horrors.

As I've been known to say on this blog from time to time "All mechanical locks are pickable, no if's but's or maybe's".

The reason for this is obvious to any engineers that have done "fine tolerance" work, and it's down side goes by the name "bind".

The laws of physics say that all basic states of matter --gasses liquids solids etc-- are subject to expantion and contraction with thermal energy (ie temprature).

So if you have a cold lock in winter weather and a warm key from inside your pocket, you can expect trouble if the parts are of too fine a tolerance and will "bind up". To solve this you use broader machining so that all normal temprature variations are accounted for. This means the gaps between parts are bigger to prevent bind, but the larger gap gives rise to "slop" which is the ability of parts to move independently of the basic design criteria. That is a cylinder designed to rotate can be moved up and down keft and right due to slop.

Thus slop gives you not just "wriggle room" but "feel" as well which are the two basic things needed for old school "rake and wrench" / "pick and lever" lock picking.

More modern picking methods from the "pick gun" forwards through "bump keys" use the more curious laws of nature you more normally see in one of those "executive desk toys" like "Newton's Cradle".

Although not much talked about there are tricks you can do to stop the majority of lock pick methods cold...

Put simply you find a way to make the lock "bound up" in the mechanism. Most of us have come across doors that are "weather warped" that although you can put the key in you can not turn it to unlock the door, unless you pull or push heavily on the door pull next to the lock. Most lock pickers find that they don't have enough hands to open such doors or that they lose not just easy wriggle room but the feel as well.

Knowing how to put a cheapish lock into the door and frame such that you get such bind can have the same effect as fitting a lock ten times the price. It's not unpickable but it raises the bar well above that of even quite skilled lock pickers...

cool!November 22, 2017 3:51 PM

@Clive Robinson

That was an excellent idea for security by obscurity! It wouldn't be difficult to apply a pushing or pulling force with a simple hands-free mechanism, but you wouldn't find that among most lock-pickers standard kit. Although, now you have published the idea here, so...

Clive RobinsonNovember 23, 2017 1:28 AM

@ Oh really?,

I'm going to go out on a limb and say Clive you have not picked a Medeco.

Apparently they've been used in the Whitehouse, which might have been a recomendation for a lot of people... But I suspect part of the reasoning was a PR one as they were "All American" and made in Salem "Witch" might be another plusss... point

But it does not take too much latteral thinking to realise that they don't realy need security locks in the Whitehouse of a high calibre, unlike say prisons that tend to use quite different much more secure locks, as they play to an entirely different type of crook.

If you look back far enough on this blog you will find I pointed out that you should not carry your keys in a way they could be photographed. It supprised @Bruce our host at the time and quite a few other people.

But even high security prison locks fail for reasons I self developed myself when quite young. It was in later life I found out others had done so before me. It was when I was at college and actually spoke to one of the few British escapees from Colditz Castle during WWII, he got quite chatty when we got down to the "brass tacks" of lock picking and hand key making.

The reason he got chatty is simple as I've mentioned here a few times, I've cut security keys by eye since I was quite young (long before I'd left school). Thus he knew that I knew what I was talking about even though I was self taught (a skill that used to be highly prized still back in the 1970s unlike today).

Whilst it was fairly easy to get hold of key blanks from locksmiths even though they would not cut a key with a security number, the blanks were quite expensive. With access to a shop for model makers you could buy various gauges of brass "wire, tube, shim, plate and bar" much more cheaply and with no questions asked or suspicions raised. Which when you are working on "pocket money" is important. Effectively the price of one blank key would get you enough brass that you could then cut up into fifty of your own blank parts. The worst bit was silver solder them together to make the blank a solid skeleton key.

The secret about cutting keys by eye was knowing not the exact depth of cut needed but the relative cut depth pattern. Which is what lock manufacturers work by. They are almost always in fixed increments as that makes inventory, lock/key duplication, etc much easier thus reducing costs appreciably.

Also if you were making your own skeleton blanks you did not have to worry about "depth stops" or exact key thickness etc, that puts wriggle room firmly on your side in the game as long as you have "the touch" to "feel" the key in fluidly.

So I know when a lock is secure in of it's self which most cylinder locks are not and more importantly when the alleged security comes from something that you can easily by pass such as locksmiths not cutting numbered or other labled as secure keys, but will sell you the blanks.

Any way as it happens you can let some one else tell you the same principles but done in a different way,

https://www.wired.com/2008/08/medeco-locks-cr/

If you want a slightly more secure cylinder lock that's reasonably priced where the photographing of the key won't work in the same way try looking at some of the more interesting Kaba mechanical locks.

Rather than use the normal serated edge keys Kaba have a key with variable depth pits in the faces of the key, and some have tiny bar magnets inserted. As a result the key is much less likely to break with weather warped doors and frames.

But remember cylinder locks are normally just mechanical and worse they are designed for "ease of use" thus they can be picked by the simple use of forces as the laws of nature alow,

https://www.mctyrelock.com/Key%20Bumping.html

Oh and the footnote is true you can bump a Medeco lock and you can buy a bump key kit for them from various specialists and it only takes half an hour or so of practicing to be relatively profficient with them.

So by now you should have guessed the answer to your question depending on what you mean by "picked". So yes I've "lock-picked" a Medeco lock, but no I haven't "picked" Medeco locks for use as the price benift ratio is wrong.

Oh reallyNovember 23, 2017 2:30 AM

A simple video demonstration should be feasible enough then and only take you a few seconds.

Clive RobinsonNovember 23, 2017 8:07 AM

@ Oh realy,

A simple video demonstration should be feasible enough then and only take you a few seconds.

That tells me two things,

1, You've never made a video of broadcast quality in your life.

2, You have ulteria motives as there are already videos out there demonstrating Medeco looks failing.

...

Oh reallyNovember 23, 2017 4:27 PM

The point was simply that it's easy to post a video of someone else making something technical look completely trivial after a lifetime of practice and knowledge.
The point isn't to drag you at all Clive, the point is if you haven't done it yourself then you haven't. There's no shame in saying so.

The standard is defeating a 10 minute pick attempt. Any lock is crackable given infinite time, Marc's spent over 25 years going after specific flaws that exist in older lock sets. He's right that the el-cheapo design didn't change for about 35 years, but it still requires near-lifetime practice with to achieve anywhere close to what Marc has, even knowing what he knows.

You say you could take a thin piece of metal and a small pick and crack a 2/4 row side-channel lock in under 10 minutes and you imply it's trivial, yet making a video proving that with a webcam would be too great an effort or I have ulterior motives.

Should I take your word on my motives as well? Don't be so quick to presume nefarious intent.

Oh reallyNovember 23, 2017 4:31 PM

I was about to wish you happy Thanksgiving, but I realized I'm being a revisionist American imperialist imposing my cultural appropriation on your distinct societal norms.

Damn my ulterior motives.

Happy Thursday instead.

Mike BarnoNovember 23, 2017 7:34 PM

@ Oh really :

Being alive on Thursday is enough good reason to celebrate and to share good wishes.

But is this being a revisionist Viking imperialist imposing my Old Norse cultural appropriation on your distinct societal norms?

RatioNovember 23, 2017 8:14 PM

@Oh really, @Mike Barno,

Please include trigger warnings when using that kind of language. I thought this was an electronic safe-space!

Mike BarnoNovember 23, 2017 8:46 PM

@ Ratio:

I thought this was an electronic safe-space!

Security check: no space is as safe as we think.
There, now we're back on topic.

Clive RobinsonNovember 23, 2017 8:47 PM

@ Oh Realy,

The point isn't to drag you at all Clive, the point is if you haven't done it yourself then you haven't. There's no shame in saying so.

But I've already told you I have, how and about how long it took to get it to be a fluid motion.

In general there are three sorts of people that pick locks sight unseen,

1, Locksmiths.
2, Those doing so covertly
3, Hobbyists.

Of the three only those doing it covertly need to be quick, quiet and fluid, though most hobbyists would like to do so. It used to be the case that a locksmith as part of his training and quallification was required to pick or impression two "standard locks" and they had an hour. But that skill appears dead these days as many who call themselves locksmiths just drill the lock out or use a slide hammer.

As for those who "demonstrate" well there are a couple of types and in general they do it for money either directly as a show piece or indirectly as part of getting a contract etc.

It's interesting that you say,

take a thin piece of metal and a small pick and crack

That's an odd way to say it. You normally talk of a pick and lever or wrench for picking a lock and a thin piece of metal as a "shim" or filed key as a "blank" for impressioning.

Oh by the way if you had read back on this blog you would have found quite a few comments from me about locks. In part because I used to design locks back last century admittedly they were mainly electronic in nature (used a standard ABA mag strip card but double the bpi for the key). But as we had to replace existing furniture there was quite a bit of mechanical design as well to connect back to the latch.

But, I first got interested in opening locks when I was around seven or eight and locks were a lot different back then. I looked on it as a challenge, not for crime. At school I used to unlock bike locks and swap them onto another bike as a practical joke. On the odd occasion I and a friend when in higher education would swap door locks on office doors. It was a little more skilled and less messy than "walling an office"[1].

But with age you get various maladies some of which rob you of your touch and fine motor skills. So whilst I can still pick 5 or 7 pin cylinder locks and five lever mortice locks I mainly use "bump tools" for cylinders. Because they have the advantage that you can not only demonstrate but also get audience participation, which tends to get the point home rather better than just using a pick and lever or pick gun.

[1] Apparently "walling an office" was a prank started in the US in the 1960's when plaster board or dry wall was starting to get commonly available. What you would do is fix dry wall over a door, so it is flush with the wall and paint it etc so it looked just like the wall. Then put a notice board or similar on it. You would do this over a weekend or similar so that when the occupant came to work after a few days away they could not find the door to their office. I've been told it happens but have never seen it done as a prank, or met someone who had seen it first hand. But my friend and I tried it out at his house one weekend to see if it could be done for real and the answer is yes it can. You make up a friction fit frame and wedge it in with cross members, you then attach plaster board to it that is flush with the wall, but we had to take the door furniture off to do it because the handle stuck out to far, so I'm guessing if it is done as a prank it's only in older buildings where the doors are sufficiently "set back".

JimNovember 24, 2017 1:54 PM

There is absolutely no way that I am going to set up an Amazon Key, so that the Amazon delivery guy can put the package in my house!

I couldn't anyway, because I would never be so clueless as to put a "smart" lock on the door of my house.

IoT not only bugs your house, but also makes it possible for an unauthorized person to enter.

Oh reallyNovember 24, 2017 7:18 PM

@ Mike

I imagine the British are by now used to the Vikings injecting their "norms" into things, quite.

Pick Me A WinnerNovember 25, 2017 1:50 AM

Damn, Clive. That's some pretty mind-blowing stuff. My father was a Medeco authorized locksmith, he probably installed thousands of those systems during his career. I remember him teaching me about the security features... and how much money he charged his customers for those products, too.

This photograph and plastic card trick would be enough to make him roll over in his grave, that's for sure. I find it amazing that it's even possible to accurately reproduce the angled bitting from photographs. The paper clip on the slider is brilliant, too, I can't believe I hadn't thought of that.

Crazy stuff.

hmmNovember 27, 2017 12:30 AM

If you're cracking them as quickly and effortlessly as you say, surely a tiny little demonstration video...

Oh well.

"take a thin piece of metal" - from your earlier statement. "crack" refers to opening, as in a safe.
Nothing too foreign I hope.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.