Blog:

May Post

Jan Masters 10 Jun 2019

Tracking Amazon delivery staff devices as a service (ADSDaaS)

TL; DR

  • The Amazon delivery tracking API allows ultra-precise tracking of drivers.
  • Amazon claim that customers can only track the driver for the 10 stops prior to theirs.
  • This isn’t the case – one can track the driver on the entire route and all drops, including their speed on the road.
  • This precise tracking appears to reveal the location of ‘safe spots’ where customers ask for parcels to be left out of sight.

Introduction

Have you ever stood by your window waiting for a delivery because you need to head out to do something, or just out of impatience? I am very impatient, which led me to this finding. I found a strange issue with an Amazon API endpoint that temporarily appears when your package is a few stops away (the thing that gives you a slow-updating map). I created a Ruby script that polls the endpoint to track my delivery driver’s device in real-time, which was overlayed on a Google Map.

Please don’t contact me to create a delivery tracker for your company, it would be rubbish and very paranoid.

The API Endpoint

The below code example is the base request to the Amazon endpoint, which requires a tracking number and some session information, all of which are easily found. This endpoint was initially found by intercepting my network traffic whilst impatiently looking at the Amazon-provided map.

GET /DEANSExternalPackageLocationDetailsProxy/trackingObjectId/QA***/clientName/AMZL HTTP/1.1
Host: securephotostorageservice-eu-external.amazon.co.uk
Cookie: session-id=X-X-X; session-id-time=X; ubid-acbuk=X-X-X; at-acbuk=X; sess-at-acbuk=X
Connection: close
x-amzn-SessionId: X-X-X
Accept: application/json
User-Agent: AGENT

It should be noted that it is not possible to track other users’ parcels unless you have their tracking number and session information. That would be a greater issue for the account.

A successfully request will give you the following response:

Example Response

 

The response gives you plenty of information, but the key points are highlighted within the red boxes. You could just use this information to track your parcel in real-time if you needed to, however, this issue poses a much greater threat if used with malicious intentions. Let me show you.

‘Borrowing’ Amazon’s Third Eye

I polled that endpoint every 15 seconds and saved every response to a file, which was later processed and overlayed onto a Google Map, which gives you a much better map. My personalised map contains every GPS coordinate, which is arranged into an ordered route that could be viewed and investigated.

Google Map Example

 

The below is a snippet of my bespoke map but I will dive deeper into my Map further down this blog.

Here you can see a summary of my route map that shows I have 1075 GPS coordinates.

Number Of GPS Coordinates

 

On closer inspection, you can see that the delivery driver’s portable device is being tracked as you can see the GPS points show a route inside Morrison’s Petrol Station, unless they decided to smash into the station with their van as walking is overrated.

Morrison’s Petrol Station

 

This is where things start to get interesting as it raises a few points. Are Amazon delivery staff aware they are being tracked to this level (by users or Amazon)? Does Amazon track their staff like this? Does this pose a threat to Amazon’s customers? Figure 1 – Example Response shows that ‘transporterIdentity’ is ‘nill’ (empty), do Amazon admin staff get to see this information?

Tracking a portable device that is held by delivery staff renders customers vulnerable to a host of attacks such as theft or social engineering attacks. I could identify who has recently received a parcel, I could intercept a delivery, or I could identify where your designated safe spot or neighbour is. I could (if I were a criminal) pay your neighbour or safe spot a visit to claim a few goodies. I should clearly state that I have not invaded any safe spots or robbed your Amazon driver… Here are a few examples.

Potential Safe Spot #1

 

Potential Safe Spot #2

 

On the surface it sounds like a minor issue with no or little impact but seeing the evidence changes the perspective. It makes it real and a bit creepy when you stick the GPS coordinates and delivery number to a real address. This could also be leveraged by social engineers to test run an intrusion by sending a parcel to their target’s building to monitor the driver in real-time to establish if couriers get special treatment.

This could have massive repercussions in the right hands or the right environment. America already has a large issue with doorstep thefts from opportunistic passer-bys, imagine how this could worsen the current issue.

Disclosure & Amazon’s Response

I disclosed this vulnerability with plenty of resources (screenshots and my script) to Amazon via their HackerOne Vulnerability Research Program,  however, it did not go as expected. I chased, chased some more, and chased a little more for the report to be closed without a final discussion. I will include a snippet of the discussion below.

Disclosure Timeline

  • Initial Discovery: 5th March 2021
  • Belated disclosure time as research was being conducted into the risk, impact and data analysis.
  • Disclosed via HackerOne: 23rd March 2021
  • First Response (Amazon): 25th March 2021
  • Second Response (Amazon): 30th March 2021
  • Last Response (Amazon): 5th April 2021

Conclusion

We don’t understand why Amazon made the claim about ’10 prior stops’ then failed to address it when challenged.

Such precise tracking simply isn’t necessary for customers to track their deliveries. A much lower position sampling rate would mitigate the problem.

I think everyone expects Amazon to precisely track their staff, but we didn’t expect customers to be able to do so too.

Whilst we are limited to only tracking the driver on the route they take to deliver a parcel to us, it wouldn’t take much to place multiple orders to multiple locations and start to build a significant picture of Amazon driver patterns of behaviour. Are they speeding through pressure to make too many drops in a day? Are they being forced to jeopardise their safety, perhaps by running across busy roads (read the Amazon FLEX story)? Are drivers struggling to take ‘comfort’ breaks or take suitable rest breaks to ensure they are alert and not excessively tired when driving?

Or are Amazon ‘all over it’ as a result of the precise tracking?