
Amazon Key Lets Delivery People into Your House—and It Just Got Hacked

November 16, 2017

A hardware safeguard in Amazon’s recently launched while-you’re-out delivery service turns out to have a big hole. And, well—let’s just say you probably should have seen this coming.

Amazon Key uses a smart lock and cloud-based security camera in order to allow delivery staff to drop parcels inside a home while a customer is out. The driver requests access via Amazon, but the customer can watch footage from Amazon’s Cloud Cam to keep a watchful eye over the proceedings—a nice way of inspiring confidence that said driver won’t steal all your stuff. All that convenience, for a mere $250!

There’s just one problem: as Wired reports, researchers from Rhino Security Labs have demonstrated that it’s possible for someone in Wi-Fi range of the Cloud Cam to send it commands that knock it offline. That’s discomforting, but not awful—because at least you’d see that the camera was offline and do something about it, right?

Nope! Like something out of Ocean’s Eleven, the camera doesn’t show the customer that it’s offline: it just shows the last frame, frozen, so the scene looks totally normal. Meanwhile, someone could be rifling through your cupboards, eating your Cheerios, or (more likely) stealing your TV.

It’s worth noting that Amazon only allows authorized staff to open the smart lock that forms part of the system, so it would require a rogue employee for this to happen. The firm also provides insurance if anything does go wrong. And it now says it will update its software so that users are alerted if the camera goes offline during delivery.

But the news should be a warning call, if one were needed, that the intersection of smart devices, home security, while-you’re-out deliveries, and Big Tech is a combination people should be genuinely nervous about. Not least because, currently, smart devices are about as secure as the Democratic National Committee’s servers, and breaking into homes remains an attractive proposition for any sane criminal.

An opinion piece titled “Amazon Key is Silicon Valley at its most out-of-touch,” published in the Washington Post shortly after the service’s launch, puts one line of thinking nicely:

The thought processes of Silicon Valley innovators are a curious thing. Many observers have noted that the most common proposals seem to fall into the category of “things that I, a 25-year-old man, wish that I could still get my mother to do for me.” … It may come as a surprise to those who are willing to live in Google’s parking lot and drink Soylent meal replacement instead of eating real food, but some of us care about more than just convenience.

With Key, there is a very clear trade-off. You can have convenience, or you can maintain the security and privacy that your regular front door affords. You simply cannot have both.

Smart locks, when directly controlled by a homeowner, are one thing: you can vet callers and allow entry on the basis of your own desires, gut instincts, prejudices, or whatever. With Amazon Key, that autonomy is handed over to a big tech firm that cares, mostly, about turning a buck by fueling your consumerist desires.

We are, of course, all different creatures, with varying appetites for risk and convenience. But if you’re at all precious about the security of your home, Key was always going to be a bad idea. Today, it looks like a truly awful one.
