This vulnerability not only froze the video feed but also kept the electronic lock from working normally. However, Amazon underestimated the severity of the vulnerability. Now an independent security enthusiast who goes by MG on Twitter has revealed how an attacker (not a delivery person) might abuse the system. He calls the physical hardware a "Break & Enter dropbox" and demonstrated the attack in a video using his own Amazon Key setup.
In short, an attacker hides the device near the target door. The hardware somehow interferes with the locking mechanism, or possibly with the camera. The dropbox prevents the door from being locked again after the delivery person enters with a passcode and drops off the package.
MG did not reveal the details of how the mechanism works, but said it works against the current version of Amazon's software.
Amazon spokesperson Kristen Kish provided TechSpot with the following statement about the hack:
"This is not a real-world delivery scenario because the built-in security features for delivery applications for indoor delivery are not being used in the demonstration and security measures are in place when using related technologies: Our System Monitor 1) opens in a short period of time, 2) the communication with the camera and the lock will not be interrupted, 3) the door can be safely re-locked, and the driver will not leave without actually checking the door lock, and every aspect of service is established Security."
Kish claims that the software used in MG's demo is the customer's software, not the software used by Amazon's delivery staff. She also noted that drivers take a few steps during delivery, including checking to make sure the door is locked again after the delivery.
Amazon wants to assure its major customers that they are at little risk of facing such an attack because of its existing countermeasures.