Amazon Key smart lock security integrity called into question by hack

Update: Amazon has responded to claims that the security of its Amazon Key smart lock system can be compromised. Speaking specifically of the steps Amazon takes to protect a customer, an Amazon spokesperson said:

"The delivery driver must complete all steps of the in-home delivery on her/his handheld system to move to the next delivery, including physically checking to ensure that the door is locked.

"During a delivery, the customer can see time stamps regarding how long the door is open and Amazon receives an alert if the door is unlocked for more than several minutes. In the extremely rare case Amazon is unable to lock the door after a delivery, we immediately call the customer."

The original story continues below.

There's no denying that it's an annoyance to miss a delivery – especially one that's been fast tracked by the premium Amazon Prime service you've paid for. But it'd be a whole lot more annoying if a desire for a speedy delivery led to your home being robbed instead.

That's what's alleged to be a potential hazard of using one of the new Amazon Key security systems. To avoid missed deliveries, the web-connected smart lock gives delivery workers temporary access to your property, allowing them to leave your parcel safely indoors without you being present. An included Wi-Fi camera acts as a deterrent for any light-fingered delivery person who may want to make off with your personal items.

However, the integrity of the security system has been called into question by a hacker who has shown that it's possible to manipulate the system so as to give anyone access to an Amazon Key-protected property.

Open-sesame

A hacker known online as "MG" posted the above clip, showing the Amazon Key's security protocols being overriden in a controlled situation.

Though MG is withholding the details of how his hack works until Amazon has had an opportunity to address the issue, the video shows the Amazon Key's lock potentially remaining open even when a delivery driver's access allowance has expired.

It appears to take advantage of what's called a "dropbox" – a mobile computer with Wi-Fi connectivity, which can control the key, either finding a way to prevent it from re-locking itself, or simply unlocking it itself.

Gerald Lynch

Gerald is Editor-in-Chief of iMore.com. Previously he was the Executive Editor for TechRadar, taking care of the site's home cinema, gaming, smart home, entertainment and audio output. He loves gaming, but don't expect him to play with you unless your console is hooked up to a 4K HDR screen and a 7.1 surround system. Before TechRadar, Gerald was Editor of Gizmodo UK. He is also the author of 'Get Technology: Upgrade Your Future', published by Aurum Press.