The concept of Amazon Key is a bit weird and requires a lot of trust: you allow a delivery person into your home to drop off an Amazon package and pray they don't ransack the place. A Cloud Cam was supposed to help ease your apprehension, but a new security flaw has been uncovered that could allow someone to disable the camera without anyone knowing.
Rhino Security Labs found that the cam could be disabled through a simple program run on a computer within Wi-Fi range. The program freezes the camera so that someone can reenter without being recorded. It works by sending a "deauthorization" command to the camera that basically kicks it off the network. The command is sent continually until the perpetrator is inside the home again. The problem is that the cam does not go black, but instead shows the last frame before it was kicked off the network, in this case, a closed door.
Once inside and beyond camera range, the delivery person/hacker stops sending the command, allowing the camera to reconnect and start streaming the closed door again. The person would then lock the door to make it appear everything is normal. From there, the perpetrator could do any number of things, but would then need to find a different way out of the home.
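For defenders, the sustained stream of disconnect frames described above is visible to any Wi-Fi monitor in range. The following is an added example, not code from Rhino Security Labs, Amazon or Wired: it flags a station that receives a burst of 802.11 deauthentication frames. It assumes each captured frame starts at the 802.11 header (any radiotap header already stripped); the MAC addresses, window and threshold are constructed values.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (management), subtype 12

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame: bytes):
    """Return (dest, src, bssid, reason) for an 802.11 deauthentication frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]), reason

def find_floods(records, window=5.0, threshold=10):
    """records: iterable of (timestamp, raw_frame) in time order.
    Returns {dest: (first_ts, last_ts, count)} for each station that received at least
    `threshold` deauth frames within `window` seconds; the burst is extended while
    further frames keep arriving no more than `window` seconds apart."""
    recent, floods = defaultdict(deque), {}
    for ts, raw in records:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        dest, q = parsed[0], recent[parsed[0]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if dest in floods and ts - floods[dest][1] <= window:
            first, _, count = floods[dest]
            floods[dest] = (first, ts, count + 1)
        elif dest not in floods and len(q) >= threshold:
            floods[dest] = (q[0], ts, len(q))
    return floods

# Constructed sample capture (all MAC addresses are made up, locally administered).
CAMERA, AP, LAPTOP = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:02"

def frame(fc0, dest, src, bssid, reason=7):
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dest, src, bssid))
    return bytes([fc0, 0, 0, 0]) + addrs + b"\x00\x00" + struct.pack("<H", reason)

def sample_capture():
    records = [(50.0, frame(DEAUTH_FC0, LAPTOP, AP, AP, reason=3))]   # one ordinary deauth
    records += [(60.0, frame(0x80, "ff:ff:ff:ff:ff:ff", AP, AP))]     # beacon, ignored
    records += [(100.0 + i * 0.25, frame(DEAUTH_FC0, CAMERA, AP, AP)) for i in range(40)]
    return records

if __name__ == "__main__":
    for dest, (first, last, n) in find_floods(sample_capture()).items():
        print(f"deauth flood against {dest}: {n} frames from t={first} to t={last}")
```

The source address in these frames is not authenticated, so the alert should key on the targeted station and the burst duration rather than on who appears to have sent the frames.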
"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, the founder of the Rhino Security Labs, told Wired. "Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism."
Wired alerted Amazon to the issue and the company has said it will be sending out an automatic update later this week. "We currently notify customers if the camera is offline for an extended period," Amazon said in a statement. "Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."
Amazon did downplay the issue as unlikely, saying it thoroughly checks its delivery people, and only those authorized to be delivering a package to that address can unlock the Amazon Key.
"Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time," the company said.
Even if a fix is coming, it is just another reason to have an unsettling feeling about having a lock on your door that people you don't know can access. And with hackers becoming more and more adept at breaking any type of security, the Amazon Key still seems to have a way to go, despite the company's assurances.
Source: Wired