People who work in security, particularly in computer security, get a bad reputation for paranoia and for always saying no. Some of those reasons are deserved, and some aren't. Security people tend to be more aware than most of the people around them of the potential consequences of omitting some security controls. They also tend to be more aware of how often security problems cause bigger problems like lost money, lost customer information, etc.
But, the accusations against security people are also often true. Security people do have a paranoid streak. Sometimes, they get so caught up in what could go wrong that they neglect the advantages if things go right. "This could cost us a million dollars!" is a concern, but if it's something that will make billions of dollars, that might just be okay.
To deal with this conflict, most organizations have come to rely on some sort of threat modeling. I've talked about it before, but in a nutshell, you think about ways that things could go wrong, and then you think about the likelihood and impact of those things. It's the model that shows you whether the concern is likely or trivial. It's the model that shows you whether to carry on or step away.
Today, The Amazon Key was released, and this article about it was all over social media with security people making shocked, knee-jerk reactions. Obviously, this was a terrible thing that no right-minded person would ever consider. Obviously, Amazon was creating a massive legal and liability problem for themselves. Obviously, no good could come of this.
And, obviously, nobody was thinking about the threat model. It was precisely the sort of pure knee-jerk paranoia that gives security people their bad reputation.
What is the Amazon Key? It's a combination of home security camera (that you aim at your front door from inside the house) and internet-connected door lock. You can use it to remotely let people into your house, whether those people are friends, maids, dog walkers, or Amazon delivery people. It was that last one that had people particularly worked up: "What if the delivery person steals stuff? What if they're a vampire ax murderer?"
So, let's think about this more carefully. How does the system work after it's set up?
- You tell Amazon to allow a specific person or a service provider (Amazon, Merry Maids, etc.) to use Amazon Key to unlock your door.
- When the person you've allowed shows up at your house, they use their phone to send an unlock request to Amazon.
- If you've allowed it, Amazon turns on the security camera and sends an unlock request to your lock.
- When the person leaves, they tell the system that they've left, and the door locks.
What are some scenarios where this system might be useful? What are the advantages? Here are a few that I can think of:
- Busy people in questionable neighborhoods or apartment buildings. (Basically, the scenario in the Amazon introductory video.) I've lived in apartment buildings where packages tended to disappear while I was at work. I would absolutely trust a random delivery guy more than I trusted my shifty neighbors.
- People who can't get to the door quickly. I know a few people who can't navigate stairs very well. They always miss packages, even when they're at home, because they just can't get to the door in time. There are also people who work odd hours (night shifts, etc.) who don't want to be woken up or, if they're woken, they'd rather not get out of bed.
- People on vacation, or people with vacation or rental homes (including airbnb). If you're not nearby, it could be really handy to let people in remotely. It would also be nice if there was a way to not leave packages on the porch for days until you returned.
What could go wrong? There are a bunch of specific scenarios, but they fall into one of these groups:
- Abuse: The person you allowed into your home could misuse their access by stealing something or harming you.
- Mistakes: The person who you allowed into your home might not close the door properly when they leave, allowing someone else into your home to do bad things.
- Technical problems: What if the door won't close properly? What if the network goes down in the middle of the process?
- Hacking: This is all hooked up to the internet. A random bad guy could discover a way to send an "unlock the door" and/or "disable the camera" message to the system.
What's the likelihood? Are there compensating controls? Let's think about those scenarios again.
- Abuse: You have access logs and video of the person coming and going. That doesn't mean that a bad person couldn't do something bad, but with a name and video, it would be an open-and-shut case. Amazon could make it even more secure by requiring background check information in requests or by requiring organizations that have access (maids, delivery services, etc.) to be insured or bonded for this kind of situation.
- Mistakes: Again, you have logs and live video. What we don't know is exactly how the person leaving and the door locking is validated. Can you lock the door without closing it? Is there a timeout after which an alarm sounds (5 minutes for a package, 4 hours for maid service, etc.)? Humans are prone to making mistakes, so you need an idiot-resistant system. We don't have that information yet, but we know that you can get a notification and watch the camera.
- Technical problems: What happens if the lock fails? What happens if it's an older door that doesn't close well when it's wet or cold? What happens if the power fails or the network goes down halfway through the lock process? There are a lot of pieces involved, and it's not clear how fail-safe the system is.
- Hacking: Amazon is big and their focus is on shopping and on internet-connected servers. While that's no guarantee, they're one of the few companies out there that's likely to put a lot of thought into security. Actually, my guess would be that when network-based flaws are found, they're found in the APIs made by other companies like Kwikset or Yale. No system is hack-proof, but I'm guessing that breaking in via one of these systems is trickier than you'd think.
So, are there ways to use this safely? Yes. You'd want to do the following, though:
- Have a "dumb" deadbolt that you can lock. If you're not expecting packages, just lock the deadbolt, and you won't have to worry about any of the smart lock failure modes.
- Have a way to detect and deal with problems. A timeout notification would help ("Your door has been open for 5 minutes since your package was delivered!"). If you're on vacation or have a rental home, it might be worth making arrangements with a neighbor to check on things if you call. It might even make sense for Amazon to offer a "trusted neighbor" feature where neighbors are notified when certain things happen.
- Ask Amazon to talk about failure modes. What happens if the power fails or the network goes down? What happens if the delivery person fails to lock the door properly when they leave?
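To make the "mistakes" and "technical problems" controls concrete, here is an added example (mine, not Amazon's or any lock vendor's code) that replays a constructed unlock/leave/lock event log and raises the timeout notifications described above: an unlock request from someone not on the allow list, a visitor who reported leaving but whose lock confirmation never arrived, and a visit with no departure reported past its grace period. The event names, the `lock_confirmed` acknowledgement, and the visitor names are assumptions; the 5 minute and 4 hour grace periods are the ones suggested in the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Grace period, in minutes, for the door to be locked again after the visitor
# reports leaving; the 5 minute / 4 hour figures are the post's own suggestion.
GRACE_MINUTES = {"delivery": 5, "maid": 240}

# Constructed sample log: (minute, event, visitor, service). "lock_confirmed"
# is a hypothetical event in which the lock acknowledges that it is locked.
SAMPLE_EVENTS = [
    (0, "unlock_request", "courier-1", "delivery"),
    (3, "left", "courier-1", "delivery"),
    (3, "lock_confirmed", "courier-1", "delivery"),  # normal delivery
    (10, "unlock_request", "courier-2", "delivery"),
    (14, "left", "courier-2", "delivery"),  # no lock confirmation ever arrives
    (20, "unlock_request", "stranger", "delivery"),  # not on the allow list
    (30, "unlock_request", "maid-svc", "maid"),  # still inside, within grace
]
AUTHORIZED = {"courier-1", "courier-2", "maid-svc"}

@dataclass
class Visit:
    service: str
    unlocked_at: int
    left_at: Optional[int] = None
    locked_at: Optional[int] = None

def check_visits(events, authorized: Set[str], now: int) -> List[Tuple[str, str]]:
    """Replay the event log and return (visitor, alert) pairs for the homeowner."""
    visits = {}
    alerts = []
    for minute, kind, visitor, service in events:
        if kind == "unlock_request":
            if visitor not in authorized:  # only allowed people may unlock
                alerts.append((visitor, "unauthorized"))
                continue
            visits[visitor] = Visit(service, minute)
        elif visitor in visits and kind == "left":
            visits[visitor].left_at = minute
        elif visitor in visits and kind == "lock_confirmed":
            visits[visitor].locked_at = minute
    for visitor, v in visits.items():
        if v.locked_at is not None:
            continue  # door was locked again; nothing to report
        grace = GRACE_MINUTES.get(v.service, 5)
        if v.left_at is not None and now - v.left_at > grace:
            alerts.append((visitor, "not_relocked"))  # left, but never locked
        elif v.left_at is None and now - v.unlocked_at > grace:
            alerts.append((visitor, "still_open"))  # nobody reported leaving
    return alerts
```

Running `check_visits(SAMPLE_EVENTS, AUTHORIZED, now=60)` flags the stranger and courier-2; the maid visit only becomes an alert once its four-hour grace period has passed.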
All in all, it's not something that I need, but I can imagine situations where it would be really useful. For some people, this is a product that would absolutely be worth the trade-offs. Immediately writing it off as a terrible idea is short-sighted.