Amazon Key Raises Security Fears Across the Spectrum

Amazon has raised eyebrows with the launch of a service called Amazon Key: A delivery kit that gives couriers the ability to unlock people’s homes to deliver packages inside.

The $249 kit consists of a smart-lock and a just-launched Amazon security camera called the Cloud Cam (which comes with a subscription). The camera must be mounted inside a consumer’s home, within 25 feet of the door. Once everything’s installed, Amazon Prime members can choose the “in-home” delivery option. When a delivery arrives, Amazon will authorize the delivery and unlock the door via the cloud—and turn on the camera. Users can watch the delivery live in the Amazon Key App or see a video of it later.

Users can also schedule permanent access for family members or give temporary access to recurring visitors like dog walkers, house cleaners or out-of-town guests-—and be notified any time a guest locks or unlocks the door. Eventually, Amazon Key will offer integrated unattended access options for professional service providers including the Merry Maids and pet sitters and dog walkers from, as well as over 1,200 services from Amazon Home Services.

Whether warranted or not, security fears were quick to surface among consumers and infosecurity pros alike.

While smart locks that are controlled remotely via an app are not new—and neither of course are smart surveillance cameras—what’s different about this is the fact that Amazon controls these devices, locking and unlocking the door at will and having the ability to turn on and off a camera installed inside a person’s home. This has a certain Big Brother, corporate overlord aspect that perturbs some.

Also, while individually owned smart locks require hacking one-by-one, Amazon will hold the keys—literally of course—for thousands if not millions of homes, meaning that one successful hack could deliver a big payoff.  

“Amazon’s latest service—which looks set to revolutionize the delivery market—feels like a huge test of consumer trust,” Adam Maskatiya, UK and Eire GM at Kaspersky Lab, in an emailed comment. “What makes the issue particularly dangerous is its potential reach: If a hacker can access the database of door codes, they can gain entry to a whole street’s worth of homes. That is what users need to be aware of; not how Amazon will use their information, but how hackers could potentially exploit it.”

Amazon hasn’t detailed the specific IoT security measures that may have been built into the scheme, (beyond Amazon’s stated general approach), leaving the door open, as it were, to speculation. Much of that speculation has to do with the fact that IoT’s track record for security leaves something to be desired.  

“Developers of smart devices do little to secure them, rarely release firmware updates and don’t explain to users that they should change their passwords,” Maskatiya said. “This makes IoT devices perfect targets for cyber-criminals. By successfully hacking IoT devices, criminals are able to spy on people, blackmail them and even discreetly make them their partners in crime.”

Amazon Key is also drawing concern over physical security. For many consumers, using a smart lock to let people that one knows and trusts into one’s home is one thing—but delivery truck drivers usually aren’t considered part of that trusted group, even if they’re licensed and bonded with a background check. The socialverse weighed in on this aspect: In the last day, nearly 62,000 Twitter posts mention “Amazon Key” according to international social media analytics firm Talkwalker. The firm said that the overwhelming majority of the posts are negative—mainly reflecting fears about physical security. Presumably the Amazon-controlled camera would pick up any illicit activity, but there are of course ways around that.

“Amazon Key is a new service that allows strangers to enter your home, hide in your closet, and kill you in your sleep. Free with Prime!” tweeted @MikeH5856.

@kevinplantz had a similar take: “*Calls Customer Service* Hi. I used the Amazon Key service and now my Xbox is missing. Also, they let my cat out. I’d like to cancel.”

Iftach Ian Amit, senior manager of security engineering with Amazon's AWS cloud division, appeared to discount the concerns when he tweeted, “Only in InfoSec you see people commenting about a product/service without knowing anything about it. Keep it up. #AmazonKey.”

Official responses to the criticisms/fears have yet to be released. 

What’s Hot on Infosecurity Magazine?