In case you haven’t heard, Amazon recently rolled out “Amazon Key.” This service allows delivery persons to leave packages inside your home. I’m sure I’m largely preaching to the choir here, but I can’t let this one go unanswered. I want to talk about Amazon Key security, and some of the problems it creates.
How Amazon Key Works
Amazon Key works like this: a delivery person shows up at your house. He or she opens the app, which contacts an Amazon server. The server contacts your lock and opens it. The delivery person opens your door, drops off your package, and leaves. The lock is re-locked and your home is once again “secure.” You are notified the morning of your delivery, and immediately before and after it. The Amazon Key kit includes a security camera, so you can watch the delivery occur, in real-time or retroactively.
This is especially undesirable in the case of Amazon.com. Unlike just a few years ago, all (or even most) of Amazon’s “last mile” deliveries aren’t done by (relatively) trustworthy UPS drivers. Thanks to Amazon Flex, many deliveries are now done by plainclothes “contractors.” According to Gizmodo, who recently did an investigative story about this practice, Amazon Flex ___ (employees? contractors? freelancers?) have done little more than download an app and watch a couple of videos. Hardly the vetted, trusted individuals you want to allow entry into your home.
It turns out Amazon isn’t the only company to offer in-home deliver. WalMart is testing a similar service. In Walmart’s version, delivery people will actually enter your home and put your groceries away for you.
Amazon Key Security Problems
Large-scale problem: persistent access. By enrolling in Amazon Key, you are giving a corporation access to your home. A glitch in Amazon’s system could unlock your home in the middle of the night. Or, in the middle of the day when you aren’t there. You’re also letting Amazon watch your home, through the Amazon Cloud Cam (and you give them pretty much all rights to “recordings” per the terms of service). You’re telling Amazon when you’re at work, when you’re at home, and what time you go to bed.
This means that Amazon can watch your home, decide when no one is there, turn off the camera, and unlock the lock. Is this likely? No, I don’t think it’s very likely. Is it possible? It is definitely possible. Likely or not, I’m not willing to give that control to a corporation. And you shouldn’t be either. Oh, and I should have mentioned – the Amazon Cloud Cam also has two-way audio, so everything you say is heard by Amazon, too.
Small-scale problem: Focused attackers and the ease of becoming an Amazon “Flex” worker. An attacker could do something as simple as hack your Amazon account (which probably isn’t that hard), place an order, and then be the Flex worker who delivers that order. Even less intrusively, an attacker could simply take a job as a flex worker in your area and wait for for the opportunity to deliver a package to your home. This probably isn’t very likely, but it would basically pay for itself. Though this would taken an exceptionally focused and motivated attacker, such people exist.
Amazon Key Security vs. Real Security
Amazon Key costs $250 dollars. For that amount of money you could actually improve your security. You could purchase a high-security deadbolt (or several of very good non-high-security deadbolts). And you’ve probably already guessed my position on this: don’t do it! And for that matter, stay away from locks that can be unlocked by Alexa, too.