Amazon will issue a security patch for its “Key” services in an upcoming update, shortly after a researcher posted a video demonstration in which they claim to hack the Amazon device using a Raspberry Pi.
The researcher, who goes by the moniker MG, placed a device dubbed a “Break & Enter dropbox” near the Amazon device without any configuration or network access and claimed to execute an attack allowing them to gain access to a door after a fake delivery man simulated a delivery but failed to ensure the door was locked before leaving.
It is unclear what methods were used or what vulnerabilities were allegedly exploited. MG also said he won’t be releasing the full technical details of the attack until Amazon has released a patch but told Forbes the attack involved disrupting Wi-Fi connections used by the Key system, not Amazon software.
An Amazon spokesperson told SC Media the exploit in the video demonstrates an issue with the Wi-Fi protocol, not with Amazon software, and that it’s important to note this was a simulated attack and that in a real-life scenario the device’s security settings would have notified Amazon of a problem with the door not locking. A real delivery driver is trained to ensure the door is locked before leaving the site, among other safety protocols, the spokesperson added.
The update addresses what was described as an unlikely scenario in which the user unlocks the door, deauthorization happens, then the user either doesn’t go in, or leaves exactly after the number of seconds predetermined by the person triggering the deauthorization.