It seems like Amazon doesn't like it very much when mistakes are brought to their attention after it was revealed that security researcher MG was arrogantly told to provide a Proof of Concept of the Amazon Key crack without any kind of financial reward.
But let's start at the beginning. A few months ago, Amazon launched Key, a system that's supposed to make it easy for homeowners to remotely allow others inside their homes to leave packages, for instance, or to clean up before a party. The system involves pairing up a smart cam and a smart lock for your door. The owner of the home can provide anyone they want with a special digital key on their smartphones so they can enter the home. Once the door opens, the smart cam starts broadcasting what's happening inside the home via an app on the owner's phone. Since the smart cam comes with little to no storage space, the recordings aren't kept for long.
In just a few days, security researchers from Rhino Security Labs proved that a simple attack, which cuts the Internet connection to the smart cam, can allow someone to return to the home, for instance, without the owner knowing.
MG put a twist on this method and made his findings public. In a Medium post, MG reveals that not long after this, he was contacted by a professional researcher who tried to broker a disclosure with Amazon. The response from Amazon was to demand MG to draft a Proof of Concept (PoC) with no financial reward since they have no bug bounty programs set up, or other reward pathways. With bug bounty programs on the rise as a way to deter hackers from going to the "dark side", this seems like a wasted opportunity for Amazon.
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't. pic.twitter.com/35krz46Kab
— MG (@_MG_) February 4, 2018
Despite being put off by Amazon's response, he did the PoC anyway since he wasn't interested in a reward, and helped Amazon understand the attack.
MG used a Raspberry Pi equipped with a battery pack and a wireless dongle for his hack. Once the Pi is placed somewhere on the doorstep, a delivery person can bring a package, open the door with the Amazon Key app, put the package inside the home, and then pretend to lock the door. The sound of the door locking is a fake audio file, so when the delivery man returns, he can just walk in.
The story came under the spotlight everywhere, and Amazon made one huge mistake - the PR team said the hack was nothing to worry about and went into detail about how it all works. What's the problem? Well, they didn't issue a fix before blabbing everything to the media, putting Amazon Key users at risk. Furthermore, the hack really is problematic
For whatever's worth, the company is planning on issuing that update sometime this week.