Analysis

Amazon Key: A backdoor to your front door

0

Amazon Key could be your worst nightmare.

IoT, especially in the consumer space has great potential to transform our world and improve quality of life. But so far it has been nothing more than a security nightmare and invasion of privacy. Lack of regulations, consumer awareness and vendor lock-in, have turned IoT into something to worry about and not to cherish.

I am not talking about Chinese webcams, I am talking about Amazon. When the tech giant announced Amazon Key, it met with skepticism. But just like Amazon Echo, it enjoyed mass adoption. People are installing Amazon Key without taking into consideration serious risks.

“The generalized risk associated with IoT devices is that they take mundane objects, transform them into computers, and connect them to a hostile network. Door locks are a perfect illustration of the risks: with a traditional door, you need physical access and the key or some aptitude with a lock-pick set. In this scenario, a software bug could be the equivalent of total strangers having a key to your house,” James Plouffe, Lead Solutions Architect at MobileIron.

Around two weeks ago, a hacker who goes by the handle “MG”, demonstrated that Amazon Key can be compromised in order to enter your home. Amazon downplayed the hack and said in a statement:

The delivery driver must complete all steps of the in-home delivery on her/his handheld system to move to the next delivery, including physically checking to ensure that the door is locked.

“During a delivery, the customer can see time stamps regarding how long the door is open and Amazon receives an alert if the door is unlocked for more than several minutes. In the extremely rare case Amazon is unable to lock the door after a delivery, we immediately call the customer.

Dismissing such hacks as something customers should not worry about is not the right approach. Bugs are part of the software development process, there will always be bugs. Those bugs can be exploited.

“As technologies like Key become more pervasive, the incentive to seek out and exploit vulnerabilities becomes greater. In this case, the attacker demonstrated their exploit but withheld the details to give Amazon time to patch the software. The next attacker may not be so generous,” said Plouffe.

It has already happened to Amazon Key. Last year Rhino Security Labs demonstrated that by flooding the WiFi network with traffic, an attacker can prevent the door from locking.

To be honest, there are some serious issues that you must consider if you have installed Amazon Key or plan to install one. As a science fiction writer, I can think of dozens of scenarios where Amazon Key could be weaponized to gain access to your house.

Security is never perfect: Security is a process. You continue to play a cat and mouse game with hackers. You may install guards at the gates, but there are thousands of hackers who may look at the cracks in the walls of your fort. Security is a multi-billion dollar business. Security exploits are sold for millions of dollars. There are financial incentives for hackers to keep looking. So installing a device that literally lets anyone walk into your house is a bad idea.

Amazon knows too much about you: By handing over your keys to a stranger, Amazon itself gains direct access to your house. They have the root access to your door lock. They ‘allow’ you to manage it, but they ‘own’ that lock. Why would you hand over your keys to a company that already knows where you live, what you buy, where you shop, what you read, what you watch and what you eat.

Abuse by law enforcement authorities: Amazon Key has also created a venue for law enforcement authorities to gain access to your house without your knowledge or permission. ICE may enter your house, and take away ‘Dreamers’ or your family members.

“Legal experts may see things differently but—strictly speaking—you are granting Amazon permission to enter your home. It’s easy to imagine a scenario where law enforcement may want to be granted access but—so far at least—most legal challenges attempting to compel technology companies to turn over customer information have failed,” said Plouffe.

Backdoor for your front door: Amazon is not known for fighting for your rights. They handed over Amazon Echo data to law enforcement authorities. We have seen how the FBI gained access to an encrypted iPhone. In the case of Amazon, they may ask to create a backdoor so they could enter any premises when they desire.

“Nothing stops agencies from trying to get backdoors. Some attempts (such as Lawful Intercept capabilities) are successful. Whether or not such backdoors should exist will be the subject of considerable controversy for a very long time,” said Plouffe.

We live in an America where surveillance has become part of our lives, Amazon Key makes it even easier for the government to get deeper into our homes.

These are only half a dozen scenarios, I can think of several more. The point is that basically from any perspective, Amazon Key is a bad idea.

In addition, you are trusting a stranger to enter your house. Amazon is not known for European style strong labor laws. As Gizmodo said, they probably treat their employees like shit. Can you truly trust an employee who is working 2 or 3 jobs just to make ends meet? There have been cases where Amazon delivery employees were accused of stealing boxes from people’s porches. We don’t know what kind of background checks Amazon performs. Who has higher standards for security clearances:, Amazon delivery drivers or the assistant to the President of The United States?

Why do you need Amazon Key?

There has to be a reason why you are willing to hand over your keys to Amazon to someone random. One major possible reason is that you ordered something expensive from Amazon and fear that it might be stolen from your porch. In cases of expensive items, Amazon requires a signature. Or you can always choose Amazon Locker. In terms of smaller inexpensive items, if you don’t get the item, it’s Amazon’s fault and not yours. It’s Amazon who will have to pay $12 for a lost box of cat food can and not you. It’s _their_ problem, not yours. Why should _you_ give them access to your house so they avoid potential losses, which actually is part of any business.

But here, Amazon Key asks way too much in return of way too little. Amazon Key is another example of how consumer IoT continues to invade user’s privacy without any concrete framework for safeguarding.

“Until technologies provide fine-grain capability-based authentication and authorization, we will continue to see more “keys to the castle” incidents such the Amazon Key hack,” said John Callahan, PhD, Chief Technology Officer at Veridium.

We also don’t know what Amazon’s endgame is with Key. We don’t know what other data Amazon is collecting as they also install a webcam as part of the Amazon Key kit. There are way too many variables here to trust Amazon Key, “Cybersecurity is everyone’s responsibility.  The security of our data is just as important as the security of our physical property.”

I am not saying that Amazon will do something evil, but IoT is such a new field that we have no idea about it’s potential risks. “The best approach is healthy skepticism. Companies should assume their devices will be attacked continuously and forever, while users should strongly consider the risk vs. reward of using these new technologies. I live in what is considered a very high crime area and, in 17 years, I have never had a package stolen off my doorstep so it’s hard for me to see how I am better served by letting total strangers open my door (and virtually all of my packages are insured, anyway). Consumers should definitely ask themselves if the problem they think is being solved is actually a problem,” said Plouffe.

As these invasive IoT devices are finding such new use-cases, there are new questions popping up regarding ethics and morals. What other kinds of data Amazon may be collecting through Key? “The biggest issue for data is the general lack of transparency and unilateral nature of most privacy policies. In the case of Key, it’s unclear what Amazon could learn that they wouldn’t already know through different means: they are, after all, tracking their shipments so they already have a reasonably accurate picture of when deliveries are made. It will be interesting to see how they handle data for other access via Key. What is of concern is the fact it’s unclear what is being collected and how it is being used. It’s also problematic that companies can update their privacy policies at any time for any reason and user consent is implied,” Plouffe.

Possible solutions: There are three possible solutions:

Customer awareness: be aware of what you are trading for a little bit of convenience. Also bear in mind who is actually in control. Would you really hand over the keys to your house to a random person?

Regulation: We need strong regulations around IoT devices. But we can’t expect that from the Trump administration and the current congress. Trump will eliminate 2 IoT related regulations before creating a new one.

Transparency: Companies must be very transparent about what data they collect and how they use it. In addition, customers must have complete control over what data can be accessed by that vendor.

All of the three will take time. But you don’t have to wait that long. Start by removing Amazon Key from your home and start using Amazon locker.

Alexa, get out of my house!

 

Swapnil Bhartiya
I have more than 12 years of experience covering Enterprise Open Source, Cloud, Containers, IoT, Machine Learning and general tech. My stories cover a very broad spectrum - traditional Linux, data center and Free Software to contemporary emerging technologies like 'serverless'. Widely Read: My stories have appeared in a multitude of leading publications including CIO, InfoWorld, Network World, The New Stack, Linux Pro Magazine, ADMIN Magazine, HPE Insights, Raspberry Pi Geek Magazine, SweetCode, Linux For You, Electronics For You and more.