Knock, knock. Who’s there? Another Amazon Key door-lock hack

The security of Amazon.com’s Key door lock has again been called into question. The Key is a wireless-networked electrified lock designed to be temporarily disabled by delivery workers to drop off stuff at Amazon Prime members’ homes or businesses. Prime members receive the gear they ordered from Amazon without having to hang …

  1. Mephistro
    Devil

    The best thing that can be said about IoT...

    ... is that it's very entertaining!

    1. Phil O'Sophical Silver badge

      Re: The best thing that can be said about IoT...

      Internet of Thieves?

      1. sorry, what?
        Facepalm

        Re: The best thing that can be said about IoT...

        As I've said before, the self-defining acronym for IoT users:

        "I Do Internet Of Things"

        1. newspuppy

          Re: The best thing that can be said about IoT...

          IoT....

          I prefer the acronym for the Incredibly Disruptive Internet of Things... IDIoT.

    2. The Man Who Fell To Earth Silver badge
      FAIL

      Compartmentalize

      Smart people, if they want to use this "service", would use the Idiot of Things (IoT) lock on a box/cabinet/closet on their porch, rather than on a door into the house.

      It's kind of odd that Amazon hasn't already marketed a cooler size bolt-down IoT lock box for the porch. Sell crap to have your crap delivered into.

      1. jukejoint

        Re: Compartmentalize

        Praise Allah that you fell to earth. We need a bit more intelligence around here than has been on display recently.

        Welcome aboard.

  2. Zog_but_not_the_first
    Facepalm

    Hand over securing my property to Amazon?

    Nah!

    1. Yet Another Anonymous coward Silver badge

      Re: Hand over securing my property to Amazon?

      That's not even the real scary part.

      This lock is only usable by you+Amazon

      The cleaning service, meal delivery, dog walking, repair person - can now only get access if they are an Amazon partner.

      You just paid to make Amazon a monopoly provider of any service that needs access to your building.

  3. redpawn

    No more breaking

    just entering.

  4. Neil Barnes Silver badge

    That sudden minor tremor?

    That's the earth's orbital eccentricity changing ever so slightly as Bramah, Yale, Chubb, et al. spin quietly in their graves...

  5. TonyJ

    Hmmm....

    I would just about consider something like this on my outside door, as I have a porch and an inner door.

    So for my very specific use case, having something on the outer door like this wouldn't be such a security risk as I can still utilise a good old fashioned physical lock on the inner door.

    That said...rely on any of these IoT locks for the only point of security? Hell no!

    1. Dan 55 Silver badge

      Re: Hmmm....

      I might put one on a lockable box outside the house. That's how much I'd trust it.

    2. Anonymous Coward

      Re: Hmmm....

      " I can still utilise a good old fashioned physical lock on the inner door"

      The porch then provides cover for someone to attack the inner door by conventional means.

      1. TonyJ

        Re: Hmmm....

        "...The porch then provides cover for someone to attack the inner door by conventional means...."

        Ah probably should've pointed out you can see right into it as the glass isn't frosted :)

        1. Anonymous Coward

          Re: Hmmm....

          but it does deaden the sound of brute force entry...

          1. Muscleguy

            Re: Hmmm....

            I recall locking myself out of the house by dint of closing the front door and realising my keys were in my other trousers. All the locksmiths in the online yellow pages seemed to be the same guy who repeatedly refused to come help. Fortunately my garage workshop was unlocked so, armed with some tools:

            I used a chisel to lever off the strip of wood protecting the Yale lock.

            I tried the TV one of the credit card to trip the lever but it was not strong enough.

            So, a card scraper (metal oblong for smoothing wood with a hook on the edge). Strong enough but could not be pushed hard enough.

            So, I banged it a bit with a hammer and hey! presto! I was in.

            That was before we got a new front door with multipoint locking into a metal frame . . . Couldn't do that now. The polis don't even try for the locks on those with the ram, they go through the panels in the middle of the door.

            Nobody came to investigate. View of the door is somewhat obscured by shrubbery but not entirely. However I am probably well known as a DIY sort of guy, in the summer I leave the door open on my workshop for the air for eg. So it would have been assumed I was fixing it.

            First I heard of this sort of idea it was for a lockable box or you installed it inside the house in a side panel say and it had a one time code opening outer door and was large enough for most parcels and obviously a non accessible from the outside locking system on the inner door.

            This is just asking for trouble, and a mask/hat wearing burglar.

            A few years ago a male friend of our daughters was sitting in the middle of Dundee minding his own business when two neds came from behind him and apropos of nothing whacked him on the head. He woke up in the hospital. CCTV showed two hooded figures. To my knowledge they have never been apprehended.

            This idea that cameras are the be all and end all of security is bogus.

            1. Stoneshop
              Facepalm

              Re: Hmmm....

              "So, a card scraper (metal oblong for smoothing wood with a hook on the edge). Strong enough but could not be pushed hard enough.

              So, I banged it a bit with a hammer and hey! presto! I was in."

              Couple of years back we had a temporary office with a temporary computer room next to it. Then someone decided that we were not to enter the computer room, despite us needing physical access to some of the systems therein. This they thought to achieve by installing a code lock on the door. However, it was easy to circumvent: the door turned outwards, and the hook on the serrated knife on the Leatherman Charge was exactly what one would need to flip the bolt.

            2. defiler

              Re: Hmmm....

              "I tried the TV one of the credit card to trip the lever but it was not strong enough."

              It used to work great at one of the Edinburgh University buildings. Perfect for evening project work when you'd forgotten your key... :)

          2. Anonymous Coward

            Re: Hmmm....

            But does allow the use of the BOFH approved Halon defence system.

  6. Pascal Monett Silver badge
    Windows

    Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

    It's like Star Trek : why use ball bearings when magnetic confinement is soo more high-tech ?

    If I ever was stupid enough to splash dough on one of these pseudo-locks, there is one scenario in which I could find a use for it - but that would require more dough. Indeed, I would not replace my trusty mechanical security lock with that piece of tat for protecting my house and belongings, no. I would build a small shack good enough for housing a few Amazon boxes and put the tat lock on that. Delivery guy can put the box(es) in there, and if shitty lock does get hacked, well the only thing to take is the boxes.

    Meanwhile, my house remains properly protected by an actual, honest-to-goodness, proven security lock. One that even works if there is no power for a week. Can you imagine ? A week !

    1. The Specialist

      Re: Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

      Sorry to bust your bubble, but do you know how easy to "bump" your (t)rusty mechanical lock?

      1. FlossyThePig

        Re: Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

        "Sorry to bust your bubble, but do you know how easy to "bump" your (t)rusty mechanical lock?"

        I know about "Yale" locks but how do you bump a 5 lever mortice lock?

        1. Dominion

          Re: Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

          The weakest point of the door is probably the frame. A good kicking in the right place will soon smash the door out of the frame - the effectiveness of the lock is irrelevant.

        2. EnviableOne

          Re: Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

          http://www.walkerlocksmiths.co.uk/mortice-picks-tools/try-out-keys/%205-lever-try%20-out-keys

      2. Anonymous Coward
        FAIL

        Re: Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

        "Sorry to bust your bubble, but do you know how easy to "bump" your (t)rusty mechanical lock?"

        See that Kite Mark missing on your lock?

        Look mine has one.

      3. Vector
        Facepalm

        Re: Okay, let's pretend I had an aneurysm and bought one of these IoT lock thingies

        "Sorry to bust your bubble, but do you know how easy to "bump" your (t)rusty mechanical lock?"

        Yes, yes...mechanical locks can be compromised as can the doors to which they're attached. So no need worry about how much easier it is to compromise an IoT lock.

  7. John Robson Silver badge

    Still looking for an electronic lock...

    I would like to have a lock that I can *open* from my phone.

    Doesn't need anything IoT about it - it can all be locally handled... I just need a lock that is locked when power is off, but that I can cause to open by application of power.

    Since most similar locks do the opposite (fail open on power failure for fire escape reasons)...

    1. sorry, what?
      Devil

      Re: Still looking for an electronic lock...

      Just tape a key to the back of your phone... there you go... now you have a lock you can open with your phone!

      1. GruntyMcPugh Silver badge

        Re: Still looking for an electronic lock...

        Some people do rather get carried away trying to shoehorn technology as a solution just 'cos, don't they?

        I am reminded of a startup that wanted to help people that lost their house keys, by offering to 3D print a spare on demand,... so you'd have the b*llache of getting your key scanned, then waiting for them to print and drop off the crappy plastic key to your house. Assuming they were open, of course.

        Or, you could, instead of getting your keys scanned, just get a couple of copies made, and leave one with a friend or relative, and perhaps tape one to an old loyalty card, and pop it in your wallet. That way, you aren't waiting for some neckbeard to fire up the Ultimaker.

        1. MrZoolook

          Re: Still looking for an electronic lock...

          "a startup that wanted to help people that lost their house keys"

          Maybe I'm missing something, or this is the point you're making, but if I lose my house keys, how would I be able to let this company scan my key to get a copy printed at all?

          The company might just be better off scanning keys into a database 'before' customers lost their keys!

      2. John Robson Silver badge

        Re: Still looking for an electronic lock...

        No, I'd have a phone with a key taped to it.

        In this case however it's for a garage door...

        I'd like to be able to open it on approach, particularly in the event of rain.

        When the remote opener on the door used to work it was rather nice to ride straight in without having to get off the bike, open the house, go in and trigger the door opener before coming back out again.

        About to replace the door with something slightly less automatic, but I'd still like to be able to get the door to open for me, particularly when the weather is inclement.

        1. Daniel Gould

          Re: Still looking for an electronic lock...

          I think you answered your own requirement there - a garage door opener, something that has been around for a long time and does the job it's designed for. Of course, those are still seriously lacking in security, but it does what you need in a way that doesn't require an IoT device.

          You could even add your own device to it to open it across t'internet if you really wanted - plenty of Raspberry Pi / Arduino projects out there for that.

          1. John Robson Silver badge

            Re: Still looking for an electronic lock...

            >> I think you answered your own requirement there - a garage door opener, something that has been around for a long time and does the job it's designed for. Of course, those are still seriously lacking in security, but it does what you need in a way that doesn't require an IoT device.

            There is of course the slight issue that I'm replacing the door due to failure of said device - and the way in which I installed it wasn't particularly conducive to replacement (Oops)...

            I am indeed looking for something that I can control via an RPi - as I said, no IoT connectivity wanted/needed. But I could of course access it over my own VPN.

      3. Sgt_Oddball
        Trollface

        Re: Still looking for an electronic lock...

        Just get an old Nokia..... I'm pretty sure you could use one of them to take out the door, job done.

    2. Stoneshop

      Re: Still looking for an electronic lock...

      "I just need a lock that is locked when power is off,"

      Apartment buildings tend to have this; the simplest one is an electromagnet pulling on the day latch of what is apparently called a rim lock: a door lock that sits exposed on the inside of the front door. The loop on the handle of the lock in the picture is exactly for such a magnet.

      You may want to add a switch sensing if the door is properly closed, and a mechanism to close the door if it isn't.

    3. SImon Hobson Bronze badge

      Re: Still looking for an electronic lock...

      "Since most similar locks do the opposite (fail open on power failure for fire escape reasons)..."

      All you need is any type of latch, and a magnetically controlled striker plate. The latch could be a cylinder rim night latch (often called a yale lock) or a regular door catch with no outside handle.

      If the striker is configured to lock when not powered, then the latch will work just as though there is a fixed striker - just like a normal door latch. When electrically released, the flap can be pushed open allowing the latch to pass.

    4. sisk

      Re: Still looking for an electronic lock...

      I think that would violate building codes in most places. There is, after all, a reason that all the commercially available ones fail open. It'd be fairly easy to build though. Just a simple always-locked, spring loaded, key operated bolt coupled with an electromagnet and an 8266 based micro-controller. You want to keep the key so you could still open it if you lost power.

      That said I would never trust such a thing. If it sends some sort of signal (Bluetooth, RF, infrared, whatever) it can be captured and replicated. If it communicates over your WiFi network...Well I've never seen a consumer grade WiFi network that I'd consider secure enough to trust with the lock to my front door. Including mine, and the security on my WiFi network is downright paranoid by any rational standard.

      1. SImon Hobson Bronze badge

        Re: Still looking for an electronic lock...

        "I think that would violate building codes in most places. There is, after all, a reason that all the commercially available ones fail open."

        The requirement is that people can get out, not that the door unlocks - there's a difference.

        I have a flat in a block of four, with a door intercom and entry system. It has a striker plate like the one I posted a link to, and the flap on that is unlocked by the entry system to allow the door to be opened to visitors.

        Occupiers can use a key from the outside to retract the latch bolt, or from the inside use the thumb turn to do it.

        So the door can be released by releasing the striker plate, or by retracting the latch bolt manually - the latter not being affected by the striker plate failing locked.

    5. This post has been deleted by its author

  8. spold Silver badge

    Just part of the neighbourhood

    Obviously to catch up with Google we can expect a smart neighbourhood soon...

    It will....

    Track the delivery driver turn by turn...

    Run a background check on them...

    Text them to hurry up...

    Notify you when they run over the cat...

    Lock the dog in the kennel...

    Put the kettle on...and order more milk...

    Open the door...

    Put the telly on...

    Notify them when the owner is on their way back...

    Deploy the Roomba to clean up...

    Lock the door, switch the lights off, play some music, and turn the heating up...

    Post a 5 star review on Amazon

    1. Patched Out

      Re: Just part of the neighbourhood

      The creepiest sensation I ever had was when I was on travel last year and I entered a hotel room for the first time after checking in. I heard music emanating from the bedroom space. I thought maybe the front desk accidentally booked me into an occupied room. I approached cautiously and found the room to be empty, but the TV was on, playing the music and displaying a personalized message to me as a welcome from the hotel chain.

      Shudder.

      1. Anonymous Coward

        Re: Just part of the neighbourhood

        They turned it on from reception. Nothing new.

        Did you spot the webcam? You know, to check that you were happy with the bedding? It's usually behind the mirror.

  9. Anonymous Coward

    Amazon you can keep your IoT lock.

    I want a RoboCop Ninja IPS (Intrusion Prevention System).

    https://m.youtube.com/watch?v=yWKIU28_nkI

  10. sisk

    This! This is why.

    As both a lock picking hobbyist* and an IT security professional I don't trust smart locks. And considering just how poor 95% of all residential locks are in the US that's really saying something. Generally speaking any entry method that leaves a criminal on a standing porch for more than a minute - such as picking a lock - is only going to be used by people who don't have nefarious purposes. But smart locks, including not only this but every other smart lock design I've seen, can be opened by means that don't require a criminal to expose themselves for more than a few seconds.

    *Yes, I pick locks for fun, but rule #1 is you never pick a lock that isn't yours without permission.

  11. Down not across

    Amazon delivery staff is supposed to...

    Amazon, in a statement, has downplayed the attack, saying its systems should be able to detect if a door is left unlocked for too long, and that delivery staff should check the front door is locked before leaving.

    Just like they're not supposed to just leave the parcel on the doorstep in plain view?

  12. andavis

    Locks! What are they good for?

    The original purpose of a physical door lock is to keep out innocent but silly people.

    Your key doesn't work? You're at the wrong house!

    Not to defend Amazon but their lock does exactly the same thing, you'll always struggle to keep out determined thieves / thugs, no matter how many security features you have on your house.

    1. sisk

      Re: Locks! What are they good for?

      "you'll always struggle to keep out determined thieves / thugs, no matter how many security features you have on your house."

      That's not true. With enough time and money it's possible to make a house utterly impenetrable by anything less than explosives. A steel security door with a Protec2 lock on a double bolt - one bolt going into the floor and one into the top of the frame - would do the trick for the door. Then you'd have to replace the windows with some sort of unbreakable composite material. And make sure your siding can't be removed.

      Ask any locksmith about this. Cheap locks keep honest people honest. Good locks keep criminals out.

  13. Anonymous Coward

    Security - One of the great weasel words of our time....

    1. My office (in an office block) had a "secure" door. The bad guys brought a chain saw and cut a huge hole in the (drywall constructed) wall BESIDE the door. They took anything that wasn't bolted down.

    2. Should I mention T J Maxx, or Equifax, or any of the other organisations who have had millions of personal details stolen.

    3. ...... could go on.....but won't.

    Signed: Dinosaur

    1. Anonymous Coward

      Re: Security - One of the great weasel words of our time....

      A previous place of work had this on 3 separate occasions....

      They went through the roof, through the breeze block walls and finally through an armored fire exit after cutting the cctv and phone lines (security turned up... took a look around and didn't spot any so went home. Despite the premises being hit before and now not having any cctv or telephones... thus showing that given enough time and the average mind of security guards you can steal just about anything).

      Anon because they know who they are. No need to rub it in.

  14. Uberior

    Over complicated as always

    It just needs a mechanism that will open upon receiving a secure electronic instruction, but will lock mechanically when the door is closed.

  15. Nimby
    Facepalm

    Home security is already laughable, who cares about Hack-azon?

    Even a dumb criminal can quietly warp most door frames with a simple lever in 5 seconds or less, bypassing the locking mechanism entirely. Only slightly longer to use a car jack to take out security door frames. (They can lift vehicles weighing tons after all.) Not to mention windows, which can easily be broken silently if you know how. Or as even stated, attack the structure anywhere outside of the door frame where it will be much weaker. Homes are designed to keep weather and animals out, not people. Humans are tool users. Criminals don't return to the scene of the crime, so they aren't concerned about causing permanent damage. And if they have a getaway plan, they won't even care about making noise because they will be gone before police/security can respond, even if a security alarm goes off. So who cares if Amazon's IoT crapware is insecure? It'd take a lot more effort / time to attack their lock than it would to break in using traditional methods. The only person who might bother would be a security researcher. Too many other faster, easier, better alternatives to bother with hacking.

    1. sisk

      Re: Home security is already laughable, who cares about Hack-azon?

      While I agree with the basis of the thought (it is along the same lines as my oft-repeated "criminals don't pick locks because it takes too long"), I disagree with the idea that we shouldn't strive for the best possible security.

      There's no such thing as perfect security. Entry is always possible, even if it requires an angle grinder or C4. But if a criminal needs to fetch a car jack to warp the frame on your security door and can't break your Plexiglas windows, he'll move on to the next house and leave yours alone.

      Just like picking locks, odds are anyone actually able to do this isn't trying to break into your house. However, just like any decent locksmith will tell you that you should invest in a lock with high pick resistance anyway, this is still a security hole that needs to be closed.

  16. Ben Bonsall

    Why does it not have a latch that closes as soon as the door is opened, you know, like pretty much every normal outside door?

    1. TomPhan

      The locks used for Amazon Key can be set to automatically lock so many minutes after being opened, and that's separate from any of the Amazon interaction.

  17. A new version of lemmings?

    "and that delivery staff should check the front door is locked before leaving"

    Well that has allayed my fears considering they don't even bother seeing if I'm even in the house these days when they leave parcels on my doorstep.

  18. vincent himpe

    really ? 2 second fix ...

    if door closes -> lock.

    These doorlocks have a magnetic sensor to detect they are closed. So the moment you exit the door and mechanically close it the lock will sense the doorjamb and engage the locking pin. No need for RF, wifi, Bluetooth or other wireless stuff.

    My Samsung doorlock works that way. Close the door and it locks itself.
