Earlier in November, Amazon announced Amazon Key for its Prime members, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to people you trust, like your family, friends, or house cleaner.
A few days after the announcement, researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access a customer’s home.
Unfortunately, the technology does not seem to be totally secure; a hacker has in fact demonstrated another attack on the Amazon Key.
The hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't. pic.twitter.com/35krz46Kab
— MG (@_MG_) February 4, 2018
Technical details of the attack are not available; the hacker used a “dropbox” device that appears to be a tiny PC with Wi-Fi connectivity and is able to control the Amazon Key.
The dropbox can be used to unlock the Amazon Key or to trigger a DoS condition in which Amazon’s device is not able to lock the door after a courier has accessed the customer’s home.
(Security Affairs – Amazon Key, De-authentication attack)