Amazon’s recently launched in-home delivery service, Amazon Key, has a flaw that could allow couriers to disable or freeze the camera, letting them re-enter a home without being recorded.
The flaw was discovered by security firm Rhino Security Labs and detailed by Wired. In the proof-of-concept attack, a delivery person would enter the home as normal when delivering a package. But instead of locking the door with their app upon leaving, they would run a simple program on their laptop — or a different type of handheld device — that could send a string of “deauthorization commands” to the Amazon Cloud Cam inside the home.
The Cloud Cam only shows the last frame of video it recorded before being disconnected, which could allow a rogue delivery person to re-enter the home’s unlocked door without being recorded. The door can be re-locked once that delivery person is out of view, so nothing out of the ordinary would show up on the log of lock entries. (After that, the delivery person in the home could simply exit through another door.)
Fix Coming ASAP
Amazon notes that they’ll be issuing an update this week which will “more quickly provide notifications if the camera goes offline during delivery.” Currently, Cloud Cam users are notified if the camera goes offline for “an extended period.”
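The kind of check that update describes, flagging a camera that goes quiet while the door is still unlocked, can be sketched as follows. This is an added example, not Amazon's code or part of the Rhino Security Labs research; the event format, the 15-second threshold and the sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass

MAX_SILENCE = 15  # assumed threshold (seconds); not a value published by Amazon

@dataclass
class Alert:
    unlocked_at: int   # when the door was unlocked
    silent_from: int   # start of the camera silence inside that window
    silent_until: int  # end of the silence (or of the unlocked window)

def _silences(start, end, heartbeats, max_silence):
    # Camera check-ins that fall inside the unlocked window, bracketed by its edges.
    marks = [start] + [h for h in heartbeats if start < h < end] + [end]
    return [Alert(start, a, b) for a, b in zip(marks, marks[1:]) if b - a > max_silence]

def camera_gaps_while_unlocked(lock_events, heartbeats, max_silence=MAX_SILENCE, now=None):
    """Report every camera silence longer than max_silence seconds that occurs
    while the door is unlocked.

    lock_events: time-sorted list of (timestamp, "unlock" | "lock")
    heartbeats:  sorted timestamps at which the camera was last seen online
    now:         current time, used to evaluate a door that was never re-locked
    """
    alerts, unlocked_at = [], None
    for ts, action in lock_events:
        if action == "unlock" and unlocked_at is None:
            unlocked_at = ts
        elif action == "lock" and unlocked_at is not None:
            alerts += _silences(unlocked_at, ts, heartbeats, max_silence)
            unlocked_at = None
    if unlocked_at is not None and now is not None:
        alerts += _silences(unlocked_at, now, heartbeats, max_silence)
    return alerts

# Constructed sample: door unlocked at t=100, camera last seen at t=120,
# door re-locked at t=190, camera back online at t=200.
SAMPLE_LOCK_EVENTS = [(100, "unlock"), (190, "lock")]
SAMPLE_HEARTBEATS = list(range(0, 125, 5)) + list(range(200, 230, 5))

if __name__ == "__main__":
    for alert in camera_gaps_while_unlocked(SAMPLE_LOCK_EVENTS, SAMPLE_HEARTBEATS):
        print(f"camera silent {alert.silent_from}-{alert.silent_until}s "
              f"while door unlocked since {alert.unlocked_at}s")
```

The lock log alone looks normal in this sample (one unlock, one lock); only correlating it with the camera's check-ins exposes the 70-second blind spot.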
The company was sure to downplay the possibility of such an attack, noting that couriers are only authorized to enter at a certain time, regardless of the Cloud Cam’s current status. Amazon also noted that it has the names of all verified couriers (who must complete a background check), and the company claims that any rogue couriers could be quickly identified.
While the attack does seem unlikely — the number of couriers who would even think to do this, or have the know-how, would be a small percentage — it does raise a number of other questions regarding Amazon’s Key service.
More couriers will be allowed to enter homes as Amazon integrates with more services in the future, and one wonders if any future techniques could make it easy for couriers — or other hackers — to enter an Amazon Key home with criminal intentions.
Rhino Security Labs founder Ben Caudill told Wired that his solution to the problem would be, simply: “Don’t use Amazon Key.” If you do have interest in Amazon Key, at the very least, we think there are certainly enough reasons to wait and see if there are any further issues with the service — or any new service of this nature — before making a commitment.