back to article Amazon Key door-entry flaw: No easy fix to stop rogue couriers burgling your place unseen

Amazon has pushed out an emergency security update to its door-unlocking system called Key – which is used by couriers to let themselves into people's homes to drop off packages inside when folks are out. Delivery workers show up at a home, and use a smartphone to temporarily disable the lock on the front door so they can pop …

  1. Daedalus Silver badge

    Oops

    This was a face-plant from the git-go.

  2. FIA

    Delivery workers show up at a home, and use a smartphone to temporarily disable the lock on the front door so they can pop in.

    What?????

    (that's it, after 3 attempts the only other comment I can come up with is a confused face).

    1. Anonymous Coward
      Anonymous Coward

      The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day.

      1. Joe Werner

        That's what we have a post office for in the neighbourhood. And neighbours...

        If it wasn't for them taking care of my deliveries (and we of theirs) we wouldn't meet them ;) (not that often anyway)

      2. Anonymous Coward
        Anonymous Coward

        "The idea is that letting the driver in your house"

        just about as sensible as uploading your naked selfies to Facebook to protect against people blackmailing you.

        1. Anonymous Coward
          Anonymous Coward

          Re: "The idea is that letting the driver in your house"

          My naked selfies would deter a lot of attempts I can tell you.

        2. SVV Silver badge

          Re: "The idea is that letting the driver in your house"

          Really? Letting someone you don't know into your locked home where they could nick anything and everything they wanted of yours is less risky than having them leave a few books or dvds outside where those few books or dvds could be stolen?

          Yet another idea revealed in a flurry of excitable hype before anybody has properly thought about it (or more likely doesn't want to risk the potential career damage of going against the groupthink that will be rife in this part of the company's "ideas factory" or whatever terrible name they've given it).

        3. Smooth Newt
          Meh

          Re: "The idea is that letting the driver in your house"

          just about as sensible as uploading your naked selfies to Facebook to protect against people blackmailing you.

          Which suggests that there is a huge market out there for this product then.

      3. Anonymous Coward
        Anonymous Coward

        The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day.

        Is it though? I live fairly rurally and still have an Amazon Locker nearby we can use. Also when the package won't fit in the locker they leave it round the back of the house, rather than wanting access to my house..

        1. Anonymous Custard Silver badge
          Boffin

          Or the alternate option we use - the cat flap.

          Works fine for almost everything we order (presuming Amazon don't get up to their old tricks of using a stupidly sized box compared to the size of the content), and has the added advantage of allowing the master of the house free access to bring his latest prey in to munch on in some hidden corner somewhere.

          In any case most of the deliveries need to be signed for anyway, which no amount of gadgetry can overcome, at least until they start supplying auto-pen options as well.

          1. joejack

            What? Where do you live? I'm in a city, and my house/front porch sits right on a well-trafficked sidewalk.

            Aside: Zigbee is crap. Its only advantage is less setup required, meaning lower costs for Amazon to support, versus something like Z-Wave.

      4. FuzzyWuzzys

        "The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day."

        If you deliver a parcel and I'm not there to accept it, then it's still your responsibility. If you have no proof I accepted it, then tough, you made the decision to step on my property and leave an item there, it's your fault if it gets stolen.

        I may moan about the local Post Office and their daft 24 hour collection rule but I'd rather they took the parcel into their safe keeping as they usually do than leave it laying about like some of these crap couriers do. I once ordered a sweatsheet for my daughter, it never arrived. The courier said they'd dropped it off and it had been signed for. 2 days to get a copy of the signature and it was nothing like my wife's or mine. 3 days later the parcel was found 4 doors up in the neighbour's recycling bin!!! A round of applause for Yodel, the world's worst courier service! How the hell they stay in business I'll never know, I have yet to have a delivery from them that arrived correctly or on time.

      5. Smooth Newt
        Happy

        Risky idea

        The idea is that letting the driver in your house (under strict observation!) is less risky than leaving the goods on the stoop all day.

        A parcel safe works well enough for me.

        1. Anonymous Coward
          Anonymous Coward

          Re: Risky idea

          The funny thing is, I moved to a small city in southern Utah 7 years ago, and petty crime seems not to happen here at all. It's the LDS influence I guess. The FedEx guy just dumps stuff against our front door and leaves. He does that to everybody! And no one complains because stuff just stays where it's put.

          It's uncanny, but I like it! :)

      6. JohnFen Silver badge

        If that's the idea, it's a plainly idiotic one that ignores a fundamental aspect of risk assessment -- what is at risk?

        Leaving a package on my doorstep risks the package being stolen, but my loss is limited to the value of the package. Allowing strangers to unlock my door risks everything inside my house. May the likelihood of the latter is a fraction of the likelihood of the former, but the amount of loss if it happens is much, much higher.

        The "strict observation" and "vetted delivery people" doesn't really impact that equation much.

  3. Wade Burchette

    What if ...

    What if I am an Amazon approved courier. And what if I have a friend who is a thief. I deliver the package but conveniently leave the door slightly ajar so that it does not lock. Some time later, my friend comes by with gloves and a mask on and robs the place while I continue to deliver packages. My face will be on another camera at another location so you know I wasn't there. And how can you prove that I made an honest mistake?

    Or what if I have a friend and we work in tandem. My friend finds the cable and phone lines on the side of the house. We time it out so that I deliver the package and begin to walk out the door. But my friend disconnects the cable and phone lines so that the internet dies, whether it is DSL or cable. Then we rob the place. As we leave, we break a window from the outside so that it looks like a neighborhood robbery and reconnect the internet. How can you prove it wasn't just a random outage or glitch in the equipment?

    Trusting people to be honest is about as smart as trusting Apple, Microsoft, Facebook, Google, et al with your privacy. Yet millions upon millions of people are naive and do so. Letting people in your house to deliver a package is a bad bad idea. Far better to leave it an approved drop center where you can pick it up.

    1. Sampler

      Re: What if ...

      What if you know someone is stupid enough to have one of these, you know there work hours or they're away. You order something crap off amazon, next day, to their address.

      Wait for the delivery dude to rock up, flood the network let him leave, let yourself in.

      1. Triggerfish

        Re: What if ...

        They have your record for the payment though.

        1. kain preacher Silver badge

          Re: What if ...

          Pre paid credit cards.

        2. Kiwi Silver badge

          Re: What if ...

          Re: What if ...

          They have your record for the payment though.

          Here we have pre-pay "credit" cards, that you can buy with cash (currently).

    2. 2+2=5 Silver badge

      Re: What if ...

      > What if I am an Amazon approved courier. And what if I have a friend who is a thief. I deliver the package but conveniently leave the door slightly ajar so that it does not lock. Some time later, my friend comes by with gloves and a mask on and robs the place while I continue to deliver packages. My face will be on another camera at another location so you know I wasn't there. And how can you prove that I made an honest mistake?

      Statistics. You would get away with it once. The second and subsequent times it would be rather obvious that the robberies were following you and you would have some explaining to do. If they stopped once the authorities had made their suspicions known to you, you would have more explaining to do. That's if you still had a job with Amazon, of course.

      1. Anonymous Coward
        Anonymous Coward

        Re: What if ...

        "Statistics". Yes statistics deter all but the most stupid criminals and get the stupid ones caught. The incidence of theft by Royal Mail postmen fell from pretty low to a minuscule level once they started correlating missing post with who was doing the delivery that day.

      2. Anonymous Coward
        Anonymous Coward

        (title due for delivery on the 31st November)

        "You would get away with it once. The second and subsequent times it would be rather obvious that the [missing items] were following you and you would have some explaining to do.[...] That's if you still had a job [delivering parcels], of course."

        Yodel (and companies offering a similar customer experience: Hermes, and DPD Local (formerly Interlink Express), and ...) still exist, don't they?

        Is any more evidence needed to prove that your theory doesn't match the real world ?

        If sellers who use these delivery companies made it obvious up front who would be responsible for delivering the goods, then customers would be able to make *informed* decisions on where to buy, and many might choose to shop elsewhere and/or pay a little more for a reliable delivery.

        That way, underperforming delivery companies would fail, if they didn't improve.

        Isn't that the way competitive markets are alleged to work?

    3. Valerion

      Re: What if ...

      All you need to do, as a delivery driver, is call your thief friend after you leave and say "Number 22 Acacia Avenue - lots of nice stuff, camera is on the shelf in the hallway on the left, nobody is home".

      Said thief can then break into the house (which is generally not that difficult) and be sure of nobody being there, and would know where the camera is to avoid it/break it.

    4. Cuddles Silver badge

      Re: What if ...

      "What if I am an Amazon approved courier. And what if I have a friend who is a thief. I deliver the package but conveniently leave the door slightly ajar so that it does not lock."

      As the article makes very clear, since it's important to how this vulnerability works, locking the door is part of the process. If you leave the door open, Amazon know that you have done so. As will the camera which won't stop running until the door is locked. There are all kinds of legitimate reasons to criticise this kind of system, there's no need to invent imaginary ones that are shown to be impossible by simply reading the actual article.

      "As we leave, we break a window from the outside so that it looks like a neighborhood robbery and reconnect the internet. How can you prove it wasn't just a random outage or glitch in the equipment?"

      Or, here's a crazy thought, you could just smash the window and rob the place without worrying about being an Amazon delivery driver. Actually carrying out a regular burglary is not an effective way to disguise your burglary.

  4. Lorribot

    Allowing strangers to enter your home when you arn't there.with just some third rate, built down to a price tech equipment to make sure all is well?

    Someone seriously thought it would end well?

    You have to Amazon 10/10 for trying everything to actually make a profit, but 0/10 for reality awareness.

    1. DougS Silver badge

      Why not have a locked "Amazon box" that they can open and drop stuff into? That way they can't get into your house, and unless you are having something huge delivered it works just as well without the security risk of letting a stranger into your home?

      Such a stupid idea, I can't believe any mouth breathers are dumb enough to sign up for this! No doubt there will be far worse exploits in the future, which will make Amazon deservedly look stupid.

      1. Anonymous Coward
        Anonymous Coward

        An Amazon Box would attach some theft liability to Amazon, which I assume they would rather avoid.

      2. DanceMan
        Thumb Up

        Re: a locked "Amazon box"

        I've had the same idea, if I can ever get around to making one: large box on the front porch that will lock when closed. Currently drivers for the delivery services are just leaving parcels out front, generally without even ringing the door bell. Buying online and having things delivered is only going to increase and demands an answer to this issue.

        1. Fortycoats
          Happy

          Re: a locked "Amazon box"

          Erm, don't know about the english-speaking world, but here in the Fatherland, DHL already have stuff like that:

          https://www.dhl.de/en/privatkunden/pakete-empfangen.html

          (the page in in english, don't worry)

          I've used their free Packstation service for about 10 years, maybe longer. Any online retailer worth their salt can accept Packstation addresses. Amazon were one of the first to offer it. In fact, I think I first found out about this on Amazon.

          1. tiggity Silver badge

            Re: a locked "Amazon box"

            There are Amazon specific boxes inside a few large shops near me, so accessible most of the day (and 24/7 in some supermarkets that do not close bar the wuirky Sunday hour limits).

            Plus smaller places e.g. newsagents that allow Amazon drop off/ pickup with goods held in teh shop and you deal with shop staff to pick them up.

            1. DougS Silver badge

              Package pick up services

              When I had my iPhone X delivered a couple weeks ago it was signature required but I wasn't going to be home part of the day. I went on UPS' site and had the delivery changed to a UPS store a few miles away (pretty sure Fedex offers the same service) Just walked in, showed an ID, and was handed the package. Probably be a good idea regardless since even if signatures weren't required having so many small, similar and known to be worth $1000 packages left lying around would be a banner day for porch thieves!

              No reason you can't do the same for Amazon packages that are valuable stuff. Most of the time what I'm getting from them is under $50, so if someone ever stole a package off my front porch I'm not going to be unduly bothered. If I had a TV shipped to me or something else that's both valuable and by the form factor of the box screams "here is something you want to steal" to thieves driving by, I'd either make sure I was home for the delivery or have it redirected somewhere I could pick it up.

              Way better than letting some rando into my house!

          2. This post has been deleted by its author

      3. verno

        Good idea but

        Not so practical for flats / places with limited outdoor space etc.. (I do however think that letting randoms into your house is just plain nuts though!)

        1. AMBxx Silver badge

          Re: Good idea but

          There was a big box like that available in the UK about 20 years ago. Very early days of online ordering. As far as I know, it's no longer available.

          Just no demand at the time. Whether it was just too early of flawed in some other way, who knows?

          1. Martin
            Happy

            Re: Good idea but

            Yep - a parcel safe works for me. Postie bungs item in box, locks it. Seem not to be easily available any more.

            I remember a lot of people said to me "Don't see the point. What if you get two parcels, and the second person can't get into your parcel safe?" I never could persuade them that 95% of my parcels being delivered rather than taken back to the sorting office was significantly better than zero.

            Our main problem with the parcel safe seems to be that our local couriers cannot see a three foot by two foot green metal box on the wall right beside the front door.

    2. Anonymous Coward
      Anonymous Coward

      Locked box

      Agree.

      Large bolted-down box, strong, self-closing hinged lid

      Electronic lock

      One-time key per delivery (white listed)

      Items too large by arrangement.

  5. DNTP

    My favorite part of having a home

    Is that I don't have to let random people just walk in when I'm not there.

    Amazon lockers are way more fun, if you're ordering things that you're not supposed to have you can get a friend or employee to go pick it up for you.

    1. Doctor Syntax Silver badge

      Re: My favorite part of having a home

      "Amazon lockers are way more fun"

      Also much cheaper for next day deliveries and, IME, deliveries tend to be made there earlier than home deliveries.

      1. BongoJoe

        Re: My favorite part of having a home

        If I am not going to be in, I have the courier deliver it to the off-licence down the road or in the next town to where I am travelling.

        That way I can be sure of the security, get a bottle of something nice with a cork in the top and, lastly, give the licencee some trade.

        1. DNTP
          Pint

          Re: deliver to the off license

          Bongo Joe, you're a man of vision. Maybe wobbly, blurry vision but that's more vision than Amazon had coming up with this retarded home invasion idea.

  6. O RLY
    Pirate

    Insurance

    I wonder how insurance companies view claims made by people who deliberately chose to allow strangers into their homes. I haven't read my homeowner's policy in awhile, but I bet my insurer would try to find a way to deny a claim based on some clause in there they feel covers this. Negligence of some sort, I'd wager.

    Not there's any fucking way I'd put such a lock on my house in the first place.

    1. katrinab Silver badge

      Re: Insurance

      Most won’t pay out if there is no evidence of forced entry, which is a problem if someone steals your keys and uses them to get in.

    2. Anonymous Coward
      Anonymous Coward

      Re: Insurance

      "I bet my insurer would try to find a way to deny a claim based on some clause in there they feel covers this."

      Most require you to have and use security deadlocks...

    3. BinkyTheMagicPaperclip Silver badge

      Re: Insurance

      I have quite a decent insurance policy. One of the few things it specifically excludes is damage by people you invite into your house..

      1. I ain't Spartacus Gold badge
        Devil

        Re: Insurance

        One of the few things it specifically excludes is damage by people you invite into your house..

        Otherwise known as the Dracula clause...

  7. John 104

    Flawed

    So Amazon assumes it is just delivery drivers would re-enter? What about someone who waits at a local delivery center, looks for the big package, follows the driver to their destination, waits for them to exit, and then starts the camera jamming process?

    Nice try, Amazon, but your spin is weak.

    1. VinceH Silver badge
      Facepalm

      Re: Flawed

      Exactly my thoughts as I read those bits in the article. Pick a delivery driver, any delivery driver, and while the miscreant might have a wasted day hoping he'll reach a household with this idiotic device installed, if he does get led to one it could make it all worthwhile.

      Also, from the article:

      "One potential fix would be for the CloudCam to include extra storage, and cache video locally for some period of time after it is knocked offline. That would then capture footage of any attempted reentry.

      But that approach is not only imperfect – a potential thief could keep the camera offline until the cache was full "

      Yeah... or he could just nick the camera in order to dispose of the evidence.

      1. Swarthy Silver badge

        Re: Flawed

        A better fix would be to have the camera hard-wired to the network. I can't imagine that a de-auth flood could unplug a cable.

      2. kain preacher Silver badge

        Re: Flawed

        Or some tweekers will think the cam is worth some money and steal it. Some idiots did this with a ring door bell. the stupid mugs look right in the cam.

    2. Anonymous Coward
      Anonymous Coward

      Re: Flawed

      The theft would require cooperation (either voluntary or through ignorance) from the deliver driver. An honest driver would stick around outside the door because the app wouldn't let him mark the job done until the Amazon cloud receives the "locked" signal from the camera.

      The average driver would probably already be out of sight and on the way again, frantically clicking the lock button until the thief releases the camera and the door locks again. He'd still be on the hook for not properly locking the door, though.

  8. Doctor Syntax Silver badge

    "the technology's security remains unresolved – and may require a hardware fix."

    https://www.amazon.co.uk/s/ref=nb_sb_noss?url=search-alias%3Ddiy&field-keywords=PM560CH25

    1. Stoneshop Silver badge

      "the technology's security remains unresolved – and may require a hardware fix."

      That, and a length of CAT5.

  9. Anonymous Coward
    Anonymous Coward

    I'll shall never install one of these things.

    I have determined they work using magnetism therefore they can be defeated using a comb.

  10. usbac

    "What I would suggest to Amazon is to incorporate local storage to cache video, and log lock activity, until the [Wi-Fi] signal is restored. It's not a perfect fix – a bad guy can just continue DoS'ing until the storage fills up or cycles through – but it would increase the complexity to exploitation significantly."

    Why wouldn't the thief just take the obvious looking camera with them? I mean if you are set up the jam the wireless, you would be expecting to see a camera mounted somewhere pointing at the door, right?

    These "security researchers" make a suggestion like this, but really didn't think it through, did they. I hope they aren't going to be doing our next security audit!!!

    1. Doctor Syntax Silver badge

      "Why wouldn't the thief just take the obvious looking camera with them?"

      Having already been recorded looking at the camera and reaching up to get it? Maybe because it's out of reach.

      1. sabroni Silver badge
        Facepalm

        Having already been recorded looking at the camera

        No, having jammed it using the exploit we're all talking about.

      2. VinceH Silver badge
        Facepalm

        "Maybe because it's out of reach."

        Wait! Are you suggesting the easiest way to deter thieves is simply to put things up high where they can't reach them?

        THAT MEANS THE ENTIRE LOCK INDUSTRY IS ONE BIG CON!

        1. Stoneshop Silver badge
          Thumb Up

          "Maybe because it's out of reach."

          Wait! Are you suggesting the easiest way to deter thieves is simply to put things up high where they can't reach them?

          You'll also have to put stepladders and chairs and such high up where they're out of reach. And sturdy boxes. Crates. And cupboards that might be moved. Which you'll then need a stepladder for to get things in or out of. And as the stepladder is stored out of reach you'll have to get a new one (from Amazon?) which you afterwards need to store out of reach again. I see this being a recursive problem without an, eh, bottoming-out condition, and you'll sooner or later reach the Stepladder Event Horizon.

          One positive aspect is that it will cause a surge in membership of the Society for Putting Things on top of Other Things.

  11. ma1010 Silver badge
    Stop

    Seriously?

    When I read about this, I thought "Really? Who'd be such a git as to put this on their home?"

    Let's poll other El Reg readers. How many of you would trust this (or just about any other IOT gadget) to protect your home and family? Show of hands. Nope, didn't think so.

  12. Poe

    Wait, the door doesn't re-lock until it's instructed to?

    Is this as simple as:

    1) Wait for door to be unlocked

    2) Switch mains breaker off/pull fuse

    3) Profit

    No fancy jamming equipment needed?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wait, the door doesn't re-lock until it's instructed to?

      "Switch mains breaker off/pull fuse"

      Which would normally be inside the property. Might as well just leave the door open if you got that far...

      1. Joe Werner

        Re: Wait, the door doesn't re-lock until it's instructed to?

        In 2/3 or so of the places I lived in the fuse box was next to the entrance, so that would work. Except the camera would see you doing this...

        1. Anonymous Coward
          Anonymous Coward

          Re: Wait, the door doesn't re-lock until it's instructed to?

          "the fuse box was next to the entrance"

          I would say in 95% of properties it's under the stairs. Unless of course you can't afford a house and live in a flat or bungalow. And even then it's almost always inside the property. It would be pretty stupid to have it outside where anyone could turn it off - and say disable a standard burglar alarm...

          1. The_H

            Re: Wait, the door doesn't re-lock until it's instructed to?

            In our last house the gas was in a box outside... and some wag occasionally came around and turned it off.

            A well-charged capacitor strategically placed put paid to that malarkey ;-)

          2. Anonymous Coward
            Anonymous Coward

            Re: Wait, the door doesn't re-lock until it's instructed to?

            "I would say in 95% of properties [the electric meter] is under the stairs. "

            Where and when did you conduct your survey?

            Pretty much every reasonably recent (or recently modernised) property I have lived in or visited in the UK in the last 20+ years has an externally accessible meter cupboard, which is freely accessible with a cheap plastic key. In that way the electricity supply can be readily disabled.

            "disable a standard burglar alarm..."

            Any fool knows that a sensible burglar alarm will have a backup battery so that it continues to operate even if the incoming mains takes a break. In the days when an external siren/bell was any use, they often used to have a battery in the sounder so it made lots of noise if the connection between sounder and control unit was severed.

            Try again, troll.

            1. Anonymous Coward
              Anonymous Coward

              Re: Wait, the door doesn't re-lock until it's instructed to?

              "has an externally accessible meter cupboard, which is freely accessible with a cheap plastic key. In that way the electricity supply can be readily disabled."

              Which everywhere I ever lived contains only the meter and no way of isolating the power without cutting cables. Fuse boards and breakers are almost always inside.

              1. Kiwi Silver badge

                Re: Wait, the door doesn't re-lock until it's instructed to?

                Which everywhere I ever lived contains only the meter and no way of isolating the power without cutting cables. Fuse boards and breakers are almost always inside.

                Where you live maybe. Much of the rest of the world there has to be a safe way for emergency services to disable the power in an emergency. Bit of a bugger to be trying to resuscitate an electrocution victim and have to ask them where the fuse box is coz the neighbour who called the ambulance doesn't know.

                Every house I've lived in (a dozen or so), every house of family or friends (a few dozen), and every house I've worked in (a few hundred) has had a metre box on the outside with a power switch.

              2. Anonymous Coward
                Anonymous Coward

                Re: Wait, the door doesn't re-lock until it's instructed to?

                "no way of isolating the power without cutting cables."

                Oh wow. These potential criminals will be put off by having to cut cables. That's fantastic, well done, you've saved the world.

            2. Anonymous Coward
              Anonymous Coward

              Re: Wait, the door doesn't re-lock until it's instructed to?

              "Any fool knows that a sensible burglar alarm will have a backup battery so that it continues to operate even if the incoming mains takes a break."

              And anyone who actually knows what they are talking about will tell you that the average system has a 2Ah battery and that PIRs draw maybe 30mA each. So in an average house with 4 PIRs the system will be dead in less than a day after you pull the power! Not exactly hard to take advantage of!

              1. Kiwi Silver badge
                Boffin

                Re: Wait, the door doesn't re-lock until it's instructed to?

                "Any fool knows that a sensible burglar alarm will have a backup battery so that it continues to operate even if the incoming mains takes a break."

                And anyone who actually knows what they are talking about will tell you that the average system has a 2Ah battery and that PIRs draw maybe 30mA each. So in an average house with 4 PIRs the system will be dead in less than a day after you pull the power! Not exactly hard to take advantage of!

                Got a tiny one from a mate's alarm next to me (paper weight now). It's the smallest SLA I've seen and it's a mere 4.5Ah battery. Most alarm batteries I've seen are closer to double the physical size, but I'd have to go digging for an old one (still part of a security system, in a box on a high shelf that looks "interesting" but, well, know what you're doing when you pull it down....) to know what the rating was.

                The 4.5Ah battery at several years old kept the alarm system functional for 12 hours last year - the panel was lit and beeping every few minutes just before the power was restored after the Kaikoura earthquake (power was out for not quite 13 hours in our area). That said, some 6 months later it was completely stuffed.

                It's rare for power cuts to last that long, and in most households someone would be home inside a 12hr period most days. But if the battery had to power a few cameras as well, and keep them online, then even an 8Ah one would struggle to keep up more than a few hours.

              2. Stoneshop Silver badge
                FAIL

                Re: Wait, the door doesn't re-lock until it's instructed to?

                And anyone who actually knows what they are talking about will tell you that the average system has a 2Ah battery

                It's you who doesn't know what they are talking about; the most common SLA battery used for burglar/fire alarms is 7Ah. So you're looking at several days before the battery is exhausted, and usually they'll signal in some way that the battery is running low.

        2. Stoneshop Silver badge

          Re: Wait, the door doesn't re-lock until it's instructed to?

          Except the camera would see you doing this...

          Which has been kicked off the network by the Deauth flood, and it will be nicked or smashed to bits as the burglar knows how to go about in a case like this.

      2. kain preacher Silver badge

        Re: Wait, the door doesn't re-lock until it's instructed to?

        Um no not at least in north America. If you pop the globe ( out side power meter) the power goes off. Also there is an outside emergency disconnect.

    2. rmason Silver badge

      Re: Wait, the door doesn't re-lock until it's instructed to?

      @Poe

      The electricity supply for them is cloud based. AWS naturally.

      Electricity-as-a-service.

  13. tjdennis2

    Had a DLink camera like that

    I have a couple DLink cameras that instantly freeze as soon as any motion happens in front of them. These Amazon cameras seem about as reliable.

    This was a dumb idea from the start. How many people have security systems in place which would prevent this from working? Or pets that could potentially get out of the house if the courier isn't paying attention. Lots more things can happen too.

    I like the other poster's idea of just having a self-locking box outside the door for any packages. Drop them in, close the lid and it's locked.

  14. IglooDude
    Facepalm

    It could be worse

    I'll give Amazon one bit of credit - this "deliver packages inside your front door" concept is less stupid than a recent Walmart trial-balloon of "deliver groceries to your kitchen refrigerator", with the same sort of delivery-unlocking feature. While everyone is noting the problem in the Amazon system due to underlying wifi weakness, at least when it works correctly it does not feature an unknown person actually walking through your house to get to the kitchen. The mind boggles.

  15. Walter Bishop Silver badge
    Facepalm

    Rogue couriers and Amazon Key door-entry flaw

    How about giving the courier a one-time-code that way the above method won't work. Besides if losing communication with the 'cloud' prevents the door from being locked. What's stopping the perp from placing a jammer near the door and waiting for the occupant to exit the building. you could place a webcam on a nearby tree and watch from a block away in your car.

  16. Palpy

    Ah, human desire for convenience.

    I already have an outside box for UPS, FedEx, and postal service deliveries. It's not locked, because, well, location, location, location... and good neighbours.

    One of the things about consumer-indoctrinated culture is, I guess, that we are conditioned to expect increasing convenience. Me mum did the whole knead-rise-punchdown-rise-bake thing to get lovely home-baked bread; I pop it in a bread machine. Coffee machine on a timer to brew as I awaken. Used to record on tape, take pictures on film -- digital is so much easier (with the caveat about colour depth and resolution on film).

    Damned if I'll connect any of it to the cloud, though.

    Nor will I connect my locks. Or lox. (Mmmm, salmon.) Amazon deliveries will have to trudge through wet leaves, pop the box in the blue plastic bin on my porch, and trudge away. And mind the squirrels, mate, they bite.

    On a separate note: splell chex on this window appears to flag non-Brit splellings: neighbor is flagged, neighbour is not. Color and colour likewise. Is this new? Has El Reg gone all King George III on us poor cross-pondians?

    1. VinceH Silver badge

      Re: Ah, human desire for convenience.

      "On a separate note: splell chex on this window appears to flag non-Brit splellings: neighbor is flagged, neighbour is not. Color and colour likewise. Is this new? Has El Reg gone all King George III on us poor cross-pondians?"

      I would imagine your browser is doing the spell checking - so if you are in Overpuddle and it's flagging up spellings that are right for you, and wrong for us, that suggests the browser's language is set up wrongly.

      Or as an afterthought, what with a significant new version of Firefox having been released very recently, is it possible the developers have tried to be super clever (and in so doing, possibly given themselves need of a facepalm) and are trying to base the language on the site/TLD?

      1. Palpy

        Re: Ah, human desire for <s>convenience</s>.

        Ah, of course. New FireFox. Half a mo', checking with Chromium... Right, then. Colour is flagged in Chromium, color is not. How odd! Quick peak at FF preferences reveals English US as language, etc. So it might be site-specific?

        (Of course it's the browser, as usual I was not thinking straight.) Rather charming behaviour/behavior, I think I like it. Have a beer, share it with a Mozilla dev...

    2. JohnFen Silver badge

      Re: Ah, human desire for convenience.

      "Me mum did the whole knead-rise-punchdown-rise-bake thing to get lovely home-baked bread; I pop it in a bread machine."

      A bread machine is what got me into baking bread. Mine broke, and I realized that the bread machine was actually saving me almost no time and effort whatsoever -- it only takes a few minutes to mix up a batch of dough, and the rest of the time spent is just waiting. So I started doing it all by hand, and still do. It takes me about 10 minutes longer to do it this way as opposed to the machine.

      Bonus: the bread machine produces better bread than store-bought, but still not as good as hand-mixed. The amount of water you need for good bread varies according to environmental conditions and the particular batch of flour you're using, so for best results you need to actually feel the dough and adjust accordingly.

  17. Kev99

    Well, DUH!! Anyone with an ounce of brains knows the cloud is just a bunch of holes held together with vapor and the net is a bunch of holes held together by string.

  18. JeffyPoooh Silver badge
    Pint

    The Axis of Time is my very favorite axis

    Courier drivers have to deliver, for example, 147 packages in 8 hours. After driving to your address, they're then got about 12 seconds to dump the package and get back on the road to deliver the next package.

    If they're going to be wasting time browsing through your wife's panties or committing other petty crimes during working hours, then they'll be fired that very evening. Because they failed to deliver 53 of those 147 packages on time.

    So it won't happen a second time.

    Still, valid point about System Design 101.

  19. InvalidArgument

    Couldn't they just have something like - only open the lock while specific "open" signal is being continuously received? Then if the condition fails, it locks.

  20. ThatOne Silver badge
    Thumb Down

    Courier drivers won't be doing it. As others already stated, their friends (or complete strangers) will.

    Wait till the courier unlocks the door, then you jam the house's toys (courier won't notice, how could he), then you wait till the courier leaves and you do your thing. Take your time.

    Amazon would need to set up an obligation for couriers to check if the door is well closed, that's the only valid solution, but it's still an imperfect one, because what will those couriers do if the door refuses to lock? What if they forget or are distracted by someone? I wouldn't bet my valuables on this (but then again I would never put my door locks "in the cloud" to start with).

  21. jdoe.700101

    Why doesn't the device automatically lock the door if it loses network connectivity?

    1. Anonymous Coward
      Anonymous Coward

      " Why doesn't the device automatically lock the door if it loses network connectivity?"

      Because of safety? Would you want to be locked in your house every time there was a powercut / internet outage?

      1. jdoe.700101

        If the Amazon door key requires power, internet and an app, to let you, or anyone else, open it from the inside, then I'd classify it as a death trap. It's bad enough that some insurance companies in some countries require deadlocks to be installed, but at least with deadlocks, you can leave a key in them when inside.

    2. Timbo

      "Why doesn't the device automatically lock the door if it loses network connectivity?"

      It could - but if the door is still open or only partly closed (when the "lock" command is issued) then unless you have a motorised door closer, then the part of the lock (in the door frame) that allows the door to open, will try to "lock" a door that isn't in the right position...

      So, the door is now permanently unlocked, allowing anyone to enter, but the "sensor" in the door lock says it's locked.

      I think more people would be better off using the AmazonLocker facility...or if you are in an apartment block or even in combination with some neighbours, one could get a "secure box"m into which delivery drivers can "post" items into, but cannot then remove any other items inside.

      If a sig is required then a code could be written on the box (that is changed each day) that the driver can record and then courier firm and addressee can be sure the item has been taken to the delivery address.

  22. Anonymous Coward
    Anonymous Coward

    No

    See title

  23. the Jim bloke Silver badge

    This implementation stretches the bounds of stupid

    Yet the converging juggernauts of online shopping replacing 'high street', and impending decrepitude, mean some kind of solution should be found.

    The idea I currently favour is having a security antechamber, with the external door using a programmable keypad, and the interior door somewhat similar to a bank vault. Furnish with secure containers including insulated ones for groceries, salt liberally with cameras, add electrified floors/rotating blades/spiked pits as taste and architecture allow, and relax.

    Being an engineering solution it would cost real money, as opposed to the few hundred bucks amazon would be flogging their lock/camera/software (guessing, not going to look).

    There will probably be a market for ugly cages people can bolt onto their front doors to achieve this effect.

    1. TheTor

      Re: This implementation stretches the bounds of stupid

      There will probably be a market for ugly cages people can bolt onto their front doors to achieve this effect.

      I think they are called 'porches'...

      1. Stoneshop Silver badge
        Facepalm

        Re: This implementation stretches the bounds of stupid

        I think they are called 'porches'...

        I know of streets where the passage of the next car fractionally larger than a Fiat Topolino would require you to fit a new porch.

    2. Kiwi Silver badge

      Re: This implementation stretches the bounds of stupid

      Yet the converging juggernauts of online shopping replacing 'high street', and impending decrepitude, mean some kind of solution should be found.

      It'll probably be self-solving anyway. More people buying online means less spend at bricks&mortar. Less spend at bricks&mortar means stores close, jobs are lost. More jobs are lost, less people have to spend elsewhere. Less spent elsewhere means even more jobs are lost.

      More jobs are lost, more people are at home. More people at home, less need for systems like this since no one will be able to afford to leave home anyway.

  24. Danny 5

    wait wait wait wait

    So you're telling me that people have remote controlled locks on their doors and are allowing 3rd party access?

    That's it, the world has finally gone insane. I'm going to strip naked, run into the woods (conveniently located just outside my home mind you!) and will live out my life as a hermit!

    The movie idiocracy is becoming a documentary, people really are getting dumber by the day.

  25. Will Godfrey Silver badge
    FAIL

    Duh!

    So not only was it a crap idea to start with, it was crap implementation as well.

    So, Amazon. Get stuffed.

  26. Anonymous Coward
    Anonymous Coward

    Background check

    > The web giant has also stressed that all drivers undergo a background check

    Hah. "Do you have a driver's license?"

    1. Jess--

      Re: Background check

      more like "can you hire a van"

  27. msknight Silver badge

    Simples...

    With regards locally stored footage...

    Steal the bloody camera.

  28. msknight Silver badge

    Flooding the network

    I imagine that anyone from outside the building can flood the Wi-Fi frequencies to stop communication. We have wireless microphone systems and when they're switched on, no wi-fi devices can communicate on the 2.4ghz band. So I don't believe that blame can always be laid at the drivers door.

  29. tiggity Silver badge

    Delayed gratification

    Assuming building also has some "normal" key operated entry points.

    When delivering item.if (stupid but it happens) customer has left keys around (or obvious key locker on wall) to other doors and has no internal CCTV, a bit of plasticine will grab you key imprints, a quick photo of alarm system to record the brand (maybe use UV to spot most used keys).

    These can be passed to burglar mates to create keys and break in, weeks / months later at a time when you have alibi of being elsewhere (assuming your mates know how to defeat the alarm, or they will gamble on key combo based on UV data)

    If you allow a random to access a building unsupervised, don't be surprised if something "odd" happens a while later (where "a while" is sufficiently later to make it seem unrelated to that event)

  30. Prosthetic Conscience
    Meh

    Well that was quick

    Less than a month since the 1st article right here?

  31. jb99

    Wait...

    I read about these a week or two ago and assumed they were a spoof. You mean they are real??

    1. Kiwi Silver badge
      Pint

      Re: Wait...

      Wait...

      I read about these a week or two ago and assumed they were a spoof. You mean they are real??

      I know. I had the same feeling when I learned about "selfie sticks".

      The world will never be the same :(

  32. wolfetone Silver badge

    The only thing more surprising that it could be that easy to disrupt the webcam like this, is that people are daft enough to actually have it installed in their homes right now!

    They might as well leave the key in the door with a note saying "Hey courier, please let yourself in. But don't take anything! That's not nice!"

  33. Anonymous Coward
    Anonymous Coward

    Perhaps this Key better go on my Shed?

    I wouldn't trust the Amazon Key with opening my house, but maybe I can put it on the side gate or shed and get deliveries left there.

  34. rmason Silver badge

    Key thing

    The 'key' thing to take away from this article is not that this happened. It was inevitable. Not that they are patching. Nor that it's a bad idea. We knew all that. was always going to happen.

    The key thing here is that this implies they actually *sold* some of these things.

    Lunatics.

  35. Milton Silver badge

    But everything is hackable

    Why would anyone in their right mind allow any third party to remotely open their front door?

    Because you trust an internet giant? Because you trust their security to guarantee their system is never hacked? That some wiseacre won't unlock 5,000 front doors in West London for the hell of it (or because he's got 50 very busy friends with large vans)?

    I'd point out that pretty much all the risk is borne by the consumer, and for what? So that Amazon saves a few pence per item in delivery time?

    The privacy and security that people are prepared to give away in the name of trifling, often illusory convenience leaves me dumbstruck.

    People say we live in the Age of Stupid, mostly a phrase that's come into relevance since the US presidential election. But I wonder if it's more accurate to call it the Age of the Lemming.

  36. EnviableOne Bronze badge

    simple solution

    Wire the camera, or send the lock command over Zigbee, if you lose wifi

  37. JohnFen Silver badge
    FAIL

    What??

    These things are connected via WiFi?? I understand that ordinary people like to live under the illusion that WiFi is secure, but experts are believing that nonsense too?

    WiFi has its place, but using it for security-related communications is a fail right out of the gate.

  38. kain preacher Silver badge

    Well that was fast.

  39. Marty McFly
    FAIL

    I fired Amazon

    The web giant has also stressed that all drivers undergo a background check, that carrying out the exploit would require a decent level of technical knowledge, and a time stamp is kept of all openings and closings, so it is not an easy job.

    Amazon does not have to worry about their drivers having the technical knowledge to exploit this attack. I live in an area with no cell service. Amazon drivers take six days to deliver a two day Prime delivery because their device cannot provide them with a map. When they finally show up they get really confused because the device has no cell service and won't let them release the package. When I explained the nearest cell service is 10 miles away, they walked in a circle and waved the device in the air trying to pick up service.

    I ended up firing them. Every time Amazon was the shipper I called and canceled the order. Finally after the third time of canceling the order and talking to Amazon Logistics (just ask to be transferred), they "de-prioritized" Amazon as the shipper for my address.

  40. Jamie Jones Silver badge

    Proper engineers

    Software and computer product 'engineers' need to understand the principle of failsafe, like proper engineers do.

    Over the years many of us have critisiced the shoddy way many programmers work, and how they write code in a way that bugs can be catestrophic. (Everyone makes mistakes, but code shouldn't be written impersonating a house of cards)

    Many of you will recall some of those "funny jokes" going around years ago, saying "what if microsoft made cars.... Your brakes failed? Have you tried stopping and restarting your car?"

    Many of us despaired at programming quality, but could at least have a laugh about it.

    Well now with more computer controls in cars, internet-of-shite on our toasters/lightbulbs/webcams/locks, this same development mentality is hitting the real world.

    Many of the designs of the hardware 'IT' in these devices is dictated by the software rather than the other way around, and we're now seeing the sort of cockups time and time again when people try to use this "have you tried switching it on and off?" software design mentality in the design of these 'IOT' devices.

    These people need to start thinking like real engineers, starting with learning the term FAILSAFE. It isn't actually a PR term, it's meaning in the engineering world is literal - if something fails, it fails into a safe position.

    Overlooking the stupid idea in the first place, there is simply no excuse for a door locking process to fail like this. There should have been numerous safeguards and "failsafes".

    And this is just one example amongst many. It isn't the first, and won't be the last..

  41. smartroad

    What happened to 'porches' you know, having two doors separated by a couple of feet?

    They were great as firstly you could get wet clothes off without going into the main building. But as the second door could also be locked that way the delivery driver only has access to the first door. They can just drop off the parcel in there and voila no security worries.

    Shame lots of buildings don't have them anymore.

    1. Stoneshop Silver badge

      What happened to 'porches' you know, having two doors separated by a couple of feet?

      In Scandinavia they're called 'vindfang' ('windcatch', 'förstuga': 'front room' in Swedish). No problem using those as 'paketfang' too.

  42. Kiwi Silver badge
    Boffin

    Not so hard..

    Ok, the tech side will probably take me a few days to grab everything I need from various howtos (assuming they exist and I can find them - fairly likely) and get installed, but aside from that not to bad.

    So step 1 is to get the device to the house. Maybe place it there late one night, depending on the property may not be too hard. If I can pretend to have legitimate reason to be on the property (even the common "Does Albert still live here?") I can scope out places to hide a jamming device.

    Step 2 is to start knocking their camera off at random times. Like tripping house or car alarms, this leads to the "alarm" being disabled or ignored.

    Step 3 is to order something for that address via Amazon (maybe as a gift?) Would be really hard to fake my id, like a stolen credit card or a "Prezzy card" (prepay visa that can be brought with cash).

    Step 4 is when the courier arrives, be waiting nearby, jam the system and slip in.

    The one thing that could be a reasonable counter to this would be something with the app on the courier's phone that also alerts them if it cannot send the lock signal. But few app writers seem to go to that level of security. Not like it's Amazon's money if people get ripped off...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019