Amazon Key door-entry flaw: No easy fix to stop rogue couriers burgling your place unseen

Amazon has pushed out an emergency security update to its door-unlocking system called Key – which is used by couriers to let themselves into people's homes to drop off packages inside when folks are out. Delivery workers show up at a home, and use a smartphone to temporarily disable the lock on the front door so they can pop …


  1. Daedalus

    Oops

    This was a face-plant from the git-go.

  2. FIA Silver badge

    Delivery workers show up at a home, and use a smartphone to temporarily disable the lock on the front door so they can pop in.

    What?????

    (that's it, after 3 attempts the only other comment I can come up with is a confused face).

    1. Anonymous Coward

      The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day.

      1. Joe Werner Silver badge

        That's what we have a post office for in the neighbourhood. And neighbours...

        If it wasn't for them taking care of my deliveries (and we of theirs) we wouldn't meet them ;) (not that often anyway)

      2. Anonymous Coward

        "The idea is that letting the driver in your house"

        just about as sensible as uploading your naked selfies to Facebook to protect against people blackmailing you.

        1. Anonymous Coward

          Re: "The idea is that letting the driver in your house"

          My naked selfies would deter a lot of attempts I can tell you.

        2. SVV

          Re: "The idea is that letting the driver in your house"

          Really? Letting someone you don't know into your locked home where they could nick anything and everything they wanted of yours is less risky than having them leave a few books or dvds outside where those few books or dvds could be stolen?

          Yet another idea revealed in a flurry of excitable hype before anybody has properly thought about it (or more likely doesn't want to risk the potential career damage of going against the groupthink that will be rife in this part of the company's "ideas factory" or whatever terrible name they've given it).

        3. Anonymous Coward
          Meh

          Re: "The idea is that letting the driver in your house"

          just about as sensible as uploading your naked selfies to Facebook to protect against people blackmailing you.

          Which suggests that there is a huge market out there for this product then.

      3. Anonymous Coward

        The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day.

        Is it though? I live fairly rurally and still have an Amazon Locker nearby we can use. Also when the package won't fit in the locker they leave it round the back of the house, rather than wanting access to my house..

        1. Anonymous Custard
          Boffin

          Or the alternate option we use - the cat flap.

          Works fine for almost everything we order (presuming Amazon don't get up to their old tricks of using a stupidly sized box compared to the size of the content), and has the added advantage of allowing the master of the house free access to bring his latest prey in to munch on in some hidden corner somewhere.

          In any case most of the deliveries need to be signed for anyway, which no amount of gadgetry can overcome, at least until they start supplying auto-pen options as well.

          1. joejack

            What? Where do you live? I'm in a city, and my house/front porch sits right on a well-trafficked sidewalk.

            Aside: Zigbee is crap. Its only advantage is less setup required, meaning lower costs for Amazon to support, versus something like Z-Wave.

      4. FuzzyWuzzys

        "The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day."

        If you deliver a parcel and I'm not there to accept it, then it's still your responsibility. If you have no proof I accepted it, then tough, you made the decision to step on my property and leave an item there, it's your fault if it gets stolen.

        I may moan about the local Post Office and their daft 24 hour collection rule but I'd rather they took the parcel into their safe keeping as they usually do than leave it laying about like some of these crap couriers do. I once ordered a sweatshirt for my daughter, it never arrived. The courier said they'd dropped it off and it had been signed for. 2 days to get a copy of the signature and it was nothing like my wife's or mine. 3 days later the parcel was found 4 doors up in the neighbour's recycling bin!!! A round of applause for Yodel, the world's worst courier service! How the hell they stay in business I'll never know, I have yet to have a delivery from them that arrived correctly or on time.

      5. Anonymous Coward
        Happy

        Risky idea

        The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day.

        A parcel safe works well enough for me.

        1. Anonymous Coward

          Re: Risky idea

          The funny thing is, I moved to a small city in southern Utah 7 years ago, and petty crime seems not to happen here at all. It's the LDS influence I guess. The FedEx guy just dumps stuff against our front door and leaves. He does that to everybody! And no one complains because stuff just stays where it's put.

          It's uncanny, but I like it! :)

      6. JohnFen

        If that's the idea, it's a plainly idiotic one that ignores a fundamental aspect of risk assessment -- what is at risk?

        Leaving a package on my doorstep risks the package being stolen, but my loss is limited to the value of the package. Allowing strangers to unlock my door risks everything inside my house. Maybe the likelihood of the latter is a fraction of the likelihood of the former, but the amount of loss if it happens is much, much higher.

        The "strict observation" and "vetted delivery people" don't really impact that equation much.

  3. Wade Burchette

    What if ...

    What if I am an Amazon approved courier. And what if I have a friend who is a thief. I deliver the package but conveniently leave the door slightly ajar so that it does not lock. Some time later, my friend comes by with gloves and a mask on and robs the place while I continue to deliver packages. My face will be on another camera at another location so you know I wasn't there. And how can you prove that I made an honest mistake?

    Or what if I have a friend and we work in tandem. My friend finds the cable and phone lines on the side of the house. We time it out so that I deliver the package and begin to walk out the door. But my friend disconnects the cable and phone lines so that the internet dies, whether it is DSL or cable. Then we rob the place. As we leave, we break a window from the outside so that it looks like a neighborhood robbery and reconnect the internet. How can you prove it wasn't just a random outage or glitch in the equipment?

    Trusting people to be honest is about as smart as trusting Apple, Microsoft, Facebook, Google, et al with your privacy. Yet millions upon millions of people are naive and do so. Letting people in your house to deliver a package is a bad bad idea. Far better to leave it at an approved drop center where you can pick it up.

    1. Sampler

      Re: What if ...

      What if you know someone is stupid enough to have one of these, you know their work hours or they're away. You order something crap off Amazon, next day, to their address.

      Wait for the delivery dude to rock up, flood the network, let him leave, let yourself in.

      1. Triggerfish

        Re: What if ...

        They have your record for the payment though.

        1. kain preacher

          Re: What if ...

          Pre paid credit cards.

        2. Kiwi

          Re: What if ...


          They have your record for the payment though.

          Here we have pre-pay "credit" cards, that you can buy with cash (currently).

    2. Anonymous Coward

      Re: What if ...

      > What if I am an Amazon approved courier. And what if I have a friend who is a thief. I deliver the package but conveniently leave the door slightly ajar so that it does not lock. Some time later, my friend comes by with gloves and a mask on and robs the place while I continue to deliver packages. My face will be on another camera at another location so you know I wasn't there. And how can you prove that I made an honest mistake?

      Statistics. You would get away with it once. The second and subsequent times it would be rather obvious that the robberies were following you and you would have some explaining to do. If they stopped once the authorities had made their suspicions known to you, you would have more explaining to do. That's if you still had a job with Amazon, of course.

      1. Anonymous Coward

        Re: What if ...

        "Statistics". Yes statistics deter all but the most stupid criminals and get the stupid ones caught. The incidence of theft by Royal Mail postmen fell from pretty low to a minuscule level once they started correlating missing post with who was doing the delivery that day.

      2. Anonymous Coward

        (title due for delivery on the 31st November)

        "You would get away with it once. The second and subsequent times it would be rather obvious that the [missing items] were following you and you would have some explaining to do.[...] That's if you still had a job [delivering parcels], of course."

        Yodel (and companies offering a similar customer experience: Hermes, and DPD Local (formerly Interlink Express), and ...) still exist, don't they?

        Is any more evidence needed to prove that your theory doesn't match the real world?

        If sellers who use these delivery companies made it obvious up front who would be responsible for delivering the goods, then customers would be able to make *informed* decisions on where to buy, and many might choose to shop elsewhere and/or pay a little more for a reliable delivery.

        That way, underperforming delivery companies would fail, if they didn't improve.

        Isn't that the way competitive markets are alleged to work?

    3. Valerion

      Re: What if ...

      All you need to do, as a delivery driver, is call your thief friend after you leave and say "Number 22 Acacia Avenue - lots of nice stuff, camera is on the shelf in the hallway on the left, nobody is home".

      Said thief can then break into the house (which is generally not that difficult) and be sure of nobody being there, and would know where the camera is to avoid it/break it.

    4. Cuddles

      Re: What if ...

      "What if I am an Amazon approved courier. And what if I have a friend who is a thief. I deliver the package but conveniently leave the door slightly ajar so that it does not lock."

      As the article makes very clear, since it's important to how this vulnerability works, locking the door is part of the process. If you leave the door open, Amazon know that you have done so. As will the camera which won't stop running until the door is locked. There are all kinds of legitimate reasons to criticise this kind of system, there's no need to invent imaginary ones that are shown to be impossible by simply reading the actual article.

      "As we leave, we break a window from the outside so that it looks like a neighborhood robbery and reconnect the internet. How can you prove it wasn't just a random outage or glitch in the equipment?"

      Or, here's a crazy thought, you could just smash the window and rob the place without worrying about being an Amazon delivery driver. Actually carrying out a regular burglary is not an effective way to disguise your burglary.

  4. Lorribot

    Allowing strangers to enter your home when you aren't there, with just some third rate, built down to a price tech equipment to make sure all is well?

    Someone seriously thought it would end well?

    You have to give Amazon 10/10 for trying everything to actually make a profit, but 0/10 for reality awareness.

    1. Anonymous Coward

      Why not have a locked "Amazon box" that they can open and drop stuff into? That way they can't get into your house, and unless you are having something huge delivered it works just as well without the security risk of letting a stranger into your home?

      Such a stupid idea, I can't believe any mouth breathers are dumb enough to sign up for this! No doubt there will be far worse exploits in the future, which will make Amazon deservedly look stupid.

      1. Anonymous Coward

        An Amazon Box would attach some theft liability to Amazon, which I assume they would rather avoid.

      2. DanceMan
        Thumb Up

        Re: a locked "Amazon box"

        I've had the same idea, if I can ever get around to making one: large box on the front porch that will lock when closed. Currently drivers for the delivery services are just leaving parcels out front, generally without even ringing the door bell. Buying online and having things delivered is only going to increase and demands an answer to this issue.

        1. Fortycoats
          Happy

          Re: a locked "Amazon box"

          Erm, don't know about the English-speaking world, but here in the Fatherland, DHL already have stuff like that:

          https://www.dhl.de/en/privatkunden/pakete-empfangen.html

          (the page is in English, don't worry)

          I've used their free Packstation service for about 10 years, maybe longer. Any online retailer worth their salt can accept Packstation addresses. Amazon were one of the first to offer it. In fact, I think I first found out about this on Amazon.

          1. tiggity Silver badge

            Re: a locked "Amazon box"

            There are Amazon specific boxes inside a few large shops near me, so accessible most of the day (and 24/7 in some supermarkets that do not close bar the quirky Sunday hour limits).

            Plus smaller places e.g. newsagents that allow Amazon drop off/ pickup with goods held in the shop and you deal with shop staff to pick them up.

            1. Anonymous Coward

              Package pick up services

              When I had my iPhone X delivered a couple weeks ago it was signature required but I wasn't going to be home part of the day. I went on UPS' site and had the delivery changed to a UPS store a few miles away (pretty sure FedEx offers the same service). Just walked in, showed an ID, and was handed the package. Probably be a good idea regardless since even if signatures weren't required having so many small, similar and known to be worth $1000 packages left lying around would be a banner day for porch thieves!

              No reason you can't do the same for Amazon packages that are valuable stuff. Most of the time what I'm getting from them is under $50, so if someone ever stole a package off my front porch I'm not going to be unduly bothered. If I had a TV shipped to me or something else that's both valuable and by the form factor of the box screams "here is something you want to steal" to thieves driving by, I'd either make sure I was home for the delivery or have it redirected somewhere I could pick it up.

              Way better than letting some rando into my house!


      3. verno

        Good idea but

        Not so practical for flats / places with limited outdoor space etc.. (I do however think that letting randoms into your house is just plain nuts though!)

        1. AMBxx Silver badge

          Re: Good idea but

          There was a big box like that available in the UK about 20 years ago. Very early days of online ordering. As far as I know, it's no longer available.

          Just no demand at the time. Whether it was just too early or flawed in some other way, who knows?

          1. Martin
            Happy

            Re: Good idea but

            Yep - a parcel safe works for me. Postie bungs item in box, locks it. Seem not to be easily available any more.

            I remember a lot of people said to me "Don't see the point. What if you get two parcels, and the second person can't get into your parcel safe?" I never could persuade them that 95% of my parcels being delivered rather than taken back to the sorting office was significantly better than zero.

            Our main problem with the parcel safe seems to be that our local couriers cannot see a three foot by two foot green metal box on the wall right beside the front door.

    2. Anonymous Coward

      Locked box

      Agree.

      Large bolted-down box, strong, self-closing hinged lid

      Electronic lock

      One-time key per delivery (white listed)

      Items too large by arrangement.

  5. DNTP

    My favorite part of having a home

    Is that I don't have to let random people just walk in when I'm not there.

    Amazon lockers are way more fun, if you're ordering things that you're not supposed to have you can get a friend or employee to go pick it up for you.

    1. Doctor Syntax Silver badge

      Re: My favorite part of having a home

      "Amazon lockers are way more fun"

      Also much cheaper for next day deliveries and, IME, deliveries tend to be made there earlier than home deliveries.

      1. BongoJoe

        Re: My favorite part of having a home

        If I am not going to be in, I have the courier deliver it to the off-licence down the road or in the next town to where I am travelling.

        That way I can be sure of the security, get a bottle of something nice with a cork in the top and, lastly, give the licencee some trade.

        1. DNTP
          Pint

          Re: deliver to the off license

          Bongo Joe, you're a man of vision. Maybe wobbly, blurry vision but that's more vision than Amazon had coming up with this retarded home invasion idea.

  6. O RLY
    Pirate

    Insurance

    I wonder how insurance companies view claims made by people who deliberately chose to allow strangers into their homes. I haven't read my homeowner's policy in a while, but I bet my insurer would try to find a way to deny a claim based on some clause in there they feel covers this. Negligence of some sort, I'd wager.

    Not that there's any fucking way I'd put such a lock on my house in the first place.

    1. katrinab Silver badge

      Re: Insurance

      Most won’t pay out if there is no evidence of forced entry, which is a problem if someone steals your keys and uses them to get in.

    2. Anonymous Coward

      Re: Insurance

      "I bet my insurer would try to find a way to deny a claim based on some clause in there they feel covers this."

      Most require you to have and use security deadlocks...

    3. BinkyTheMagicPaperclip Silver badge

      Re: Insurance

      I have quite a decent insurance policy. One of the few things it specifically excludes is damage by people you invite into your house..

      1. I ain't Spartacus Gold badge
        Devil

        Re: Insurance

        One of the few things it specifically excludes is damage by people you invite into your house..

        Otherwise known as the Dracula clause...

  7. John 104

    Flawed

    So Amazon assumes it is just delivery drivers who would re-enter? What about someone who waits at a local delivery center, looks for the big package, follows the driver to their destination, waits for them to exit, and then starts the camera jamming process?

    Nice try, Amazon, but your spin is weak.

    1. VinceH
      Facepalm

      Re: Flawed

      Exactly my thoughts as I read those bits in the article. Pick a delivery driver, any delivery driver, and while the miscreant might have a wasted day hoping he'll reach a household with this idiotic device installed, if he does get led to one it could make it all worthwhile.

      Also, from the article:

      "One potential fix would be for the CloudCam to include extra storage, and cache video locally for some period of time after it is knocked offline. That would then capture footage of any attempted reentry.

      But that approach is not only imperfect – a potential thief could keep the camera offline until the cache was full "

      Yeah... or he could just nick the camera in order to dispose of the evidence.

      1. Swarthy

        Re: Flawed

        A better fix would be to have the camera hard-wired to the network. I can't imagine that a de-auth flood could unplug a cable.

      2. kain preacher

        Re: Flawed

        Or some tweakers will think the cam is worth some money and steal it. Some idiots did this with a Ring doorbell. The stupid mugs look right in the cam.
