A few weeks ago, Amazon Key made its controversial debut.
The new service, exclusive to Prime members, allows couriers to unlock your front door to deliver packages, rather than leaving them on your doorstep. Understandably, there was some concern about strangers wandering in and out of the homes of Prime members to leave packages, which is why Amazon introduced the Cloud Cam.
With the Cloud Cam, an Amazon Key user is able to monitor any deliveries to ensure that nothing out of the ordinary happened while the courier was in their home. Not a bad solution, all things considered, but a major flaw discovered by security researchers could give hackers the ability to disable or even freeze the camera.
Although the attack requires work, it could potentially allow a malicious courier to unlock the front door of someone’s home using the barcode they are given as part of the Amazon Key service, drop off the package, leave the house and then re-enter once they have frozen the camera, leaving no video evidence that they came back in.
“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” says Ben Caudill, the founder of Rhino Security Labs, in an interview with Wired. His security firm discovered the attack and was able to demonstrate it. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
While the camera flaw itself is frightening enough, Rhino’s researchers also noted that when the Cloud Cam goes offline as a result of the attack, the Amazon Key lock is disconnected as well. With this in mind, a determined hacker could potentially follow an Amazon courier around, wait for them to finish their delivery, and as they’re leaving, trigger the command to prevent the door from locking. They can then sneak in once the courier leaves.
It’s worth noting that this method would require the courier to be careless enough not to check that the door locks behind them. Amazon’s delivery people are told not to leave a house until the door is locked. Plus, Amazon will automatically call a customer if their door is left unlocked for an extended period of time.
In response to this report, Amazon explained that it notifies Key users any time the Cloud Cam is offline for too long. But to ensure that an attack like the one Rhino demonstrated in the video above is even less likely to occur, Amazon will roll out a software update later this week “to more quickly provide notifications if the camera goes offline during delivery,” the company told Wired. “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time.”
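The controls Amazon describes, alerting when the camera drops offline during a delivery and when the door stays unlocked afterwards, come down to correlating two telemetry streams against the delivery window. The following is an added illustration, not Amazon's or Rhino's code; the event format, the constructed sample events and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not Amazon's real event format. First delivery:
# the camera stops reporting mid-delivery but the door is relocked. Second
# delivery: the camera goes silent and the door is never relocked, the
# combined failure the article describes.
SAMPLE_EVENTS = [
    ("2017-11-16T10:00:00", "door", "unlocked"),
    ("2017-11-16T10:00:05", "cam", "heartbeat"),
    ("2017-11-16T10:00:35", "cam", "heartbeat"),
    ("2017-11-16T10:03:00", "door", "locked"),  # no heartbeat since 10:00:35
    ("2017-11-16T10:03:10", "cam", "heartbeat"),
    ("2017-11-16T15:00:00", "door", "unlocked"),
    ("2017-11-16T15:00:20", "cam", "heartbeat"),
    ("2017-11-16T15:00:50", "cam", "heartbeat"),
]
NOW = datetime.fromisoformat("2017-11-16T15:06:00")  # assumed current time

def parse(raw):
    return [(datetime.fromisoformat(ts), src, state) for ts, src, state in raw]

def delivery_windows(events):
    """Pair each door unlock with the next lock; a still-open window has end None."""
    windows, start = [], None
    for ts, src, state in events:
        if src != "door":
            continue
        if state == "unlocked" and start is None:
            start = ts
        elif state == "locked" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows

def camera_silent_during_delivery(events, now, max_gap=timedelta(seconds=60)):
    """Return (window_start, longest_gap) for deliveries where heartbeats lapsed."""
    beats = [ts for ts, src, _ in events if src == "cam"]
    alerts = []
    for start, end in delivery_windows(events):
        end = end or now  # an open window is checked up to the current time
        points = [start] + [b for b in beats if start <= b <= end] + [end]
        longest = max(b - a for a, b in zip(points, points[1:]))
        if longest > max_gap:
            alerts.append((start, longest))
    return alerts

def door_left_unlocked(events, now, max_unlocked=timedelta(minutes=5)):
    """Return start times of deliveries whose door is still unlocked past max_unlocked."""
    return [s for s, e in delivery_windows(events) if e is None and now - s > max_unlocked]

if __name__ == "__main__":
    ev = parse(SAMPLE_EVENTS)
    print(camera_silent_during_delivery(ev, NOW))
    print(door_left_unlocked(ev, NOW))
```

The first delivery trips only the camera check; the second trips both, which is the signal that a notification during the delivery window, rather than after a long offline period, is meant to surface promptly.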