Researchers Find Security Flaw in Amazon Key Connected Camera

A demonstration of Amazon Key at a Brooklyn bed and breakfast. (Photo: Sarah Tew/CNET)

Couriers can enter the property after scanning a barcode, which is checked against Amazon's own records in the cloud to make sure that they're in the right place at the right time.

Earlier this month, Amazon announced a new idea that would stop those pesky sidewalk thieves from stealing your packages: Amazon Key.

Amazon Key works like this: a delivery driver comes to your house and sends an unlock request to Amazon. At the same time, a courier with access to the home could use the unexpected absence of monitoring to steal items or otherwise act nefariously.

According to Wired, security researchers demonstrated that a tech-savvy burglar could use software to freeze the Cloud Cam and make it look like the door is still closed while he enters the home.

Amazon relies heavily on the camera in pitching this as a safe solution.

A week after Amazon announced Amazon Key would be made available to Prime members in 37 US cities, researchers found that the company's internet-connected security camera and smart lock can be hacked to let burglars into your home. A vulnerability found by Rhino Labs and reported on by Wired, however, may call into doubt the camera's ability to protect your house.

The hack exploits a bug in Wi-Fi devices that lets nearby attackers overload them with a series of "deauthorisation" commands.

Part of the problem, Rhino Chief Executive Benjamin Caudill said, is that during such internet interruptions, Cloud Cam doesn't immediately go dark or tell the user it is offline. The denial of service (DoS) script keeps the camera from coming back online for as long as the intruder requires, as the program loops the last frame recorded before going offline.

It's not just cameras, either: such attacks can boot any Wi-Fi device off the network, including motion detectors, sensors that report when a door is opened, and other security devices. "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism. As a partially trusted Amazon delivery person, you can compromise the security of anyone's house you have temporary access to without any logs or entries that would be unusual or suspicious."

Amazon says it believes the findings now pose little risk for customers, but that it is nevertheless taking action soon. "Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."
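The check that this mitigation implies can be sketched on the monitoring side. This is an added example, not Amazon's code and not from the original article. It assumes a hypothetical feed of per-frame content digests and door lock events, and that a live camera never delivers two identical frames; all names and sample data are constructed.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    ts: float     # seconds since the start of the constructed timeline
    digest: str   # hash of the image content received by the monitor

def stale_intervals(frames, now, max_gap=5.0):
    """Intervals longer than max_gap with no new image content.

    A dropped stream and a repeated (looped) frame look the same here:
    the digest of the newest fresh frame has not changed.
    """
    stale, last_fresh = [], frames[0]
    for frame in frames[1:]:
        if frame.digest != last_fresh.digest:
            if frame.ts - last_fresh.ts > max_gap:
                stale.append((last_fresh.ts, frame.ts))
            last_fresh = frame
    if now - last_fresh.ts > max_gap:          # still stale at evaluation time
        stale.append((last_fresh.ts, now))
    return stale

def unlock_windows(door_events, now):
    """Pair each 'unlock' with the next 'lock'; an open window ends at now."""
    windows, opened = [], None
    for ts, kind in sorted(door_events):
        if kind == "unlock" and opened is None:
            opened = ts
        elif kind == "lock" and opened is not None:
            windows.append((opened, ts))
            opened = None
    if opened is not None:
        windows.append((opened, now))
    return windows

def unmonitored_unlocks(frames, door_events, now, max_gap=5.0):
    """Unlock windows that overlap a period without fresh camera content."""
    stale = stale_intervals(frames, now, max_gap)
    return [w for w in unlock_windows(door_events, now)
            if any(s < w[1] and w[0] < e for s, e in stale)]

# Constructed sample: fresh frames every 2 s, then the same frame repeats
# from t=10 to t=40 while the door is unlocked a second time at t=20.
FRAMES = ([Frame(t, f"d{t}") for t in range(0, 12, 2)]
          + [Frame(t, "d10") for t in range(12, 40, 2)]
          + [Frame(t, f"d{t}") for t in range(40, 50, 2)])
DOOR = [(4, "unlock"), (8, "lock"), (20, "unlock"), (30, "lock")]

if __name__ == "__main__":
    print(unmonitored_unlocks(FRAMES, DOOR, now=50))
```

Treating a repeated frame the same as a missing one matters here, because the article describes the viewer seeing the last recorded frame rather than an obvious outage.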

Research firm Morning Consult found that 68 percent of US adults it surveyed said they were not comfortable letting delivery drivers have access to their home.

According to Wired, the attack doesn't rely on a flaw in the Cloud Cam itself.
