UPDATED 15:52 EST / NOVEMBER 16 2017

Amazon Key vulnerability could let couriers enter your home unseen

Many people were skeptical about Amazon.com Inc.’s new electronic lock system, Amazon Key, which allows deliveries to be dropped inside your home when you are gone, and now it looks like some of those fears might be justified.

According to a report by Wired, network security company Rhino Security Labs discovered a flaw in Amazon Key that could allow hackers to disable Amazon Cloud Cam, which is an integral part of the electronic lock’s security system.

Using a program sent from a computer within Wi-Fi range of an Amazon Key device, Rhino Security Labs was able not only to disable the camera, but also to freeze it so that the video continued displaying a closed door — something straight out of a heist movie. Even worse, the Amazon Key lock itself does not have its own internet connection and instead relies on its link to the Cloud Cam, meaning that when the camera goes down, so does the lock.

“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Rhino Security Labs founder Ben Caudill told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”

Rhino Security Labs demonstrated in a video that exploiting Amazon Key’s security flaw is surprisingly simple. The deliverer unlocks the door legitimately to deliver the package, and then he runs a program using a simple device that could be recreated with an inexpensive Raspberry Pi mini-computer and an antenna. The program works like a denial-of-service attack, sending multiple deauthorization commands over and over until the target device is overwhelmed and is temporarily booted from its Wi-Fi network.

As long as the program is running, the camera remains frozen and the video feed continues displaying the last frame seen by the camera before the attack began. With the video frozen, homeowners watching on the Amazon Key app would assume that the delivery had been made successfully without realizing that the deliverer reentered their home before their Amazon Key lock was activated.

According to Rhino Security Labs, the camera does not go dark or alert users that it has been deactivated by the attack. An Amazon spokesperson said that users are actually informed when their camera is disabled for extended periods of time, but the company will also release an update later this week that will “more quickly provide notifications if the camera goes offline during delivery.”

The spokesperson added that all of Amazon’s drivers undergo thorough background checks, and deliveries made to Amazon Key systems can only be made by the specific driver assigned to them. However, Rhino Security Labs noted that another attacker could theoretically follow an Amazon driver and wait for them to enter a home before using the program to keep the door open after the driver leaves.
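The failure mode described above (the camera is silenced while the door is unlocked, and the lock confirmation never arrives because the lock reports through the camera) is what a faster offline notification has to catch. The following Python watchdog is an added example, not code from Amazon or Rhino Security Labs; the event names, the 5-second threshold and the sample timelines are assumptions constructed for illustration.

```python
# Added example: watchdog for camera silence during an unlocked delivery session.
# Event kinds and the threshold are assumptions, not Amazon Key's real telemetry.
MAX_FRAME_GAP_S = 5  # assumed longest tolerated gap between camera frames

def stale_camera_alerts(events, now=None, max_gap=MAX_FRAME_GAP_S):
    """events: iterable of (timestamp_seconds, kind), kind in
    {"unlock", "frame", "lock"}. Returns (last_frame_ts, detected_ts) pairs
    where the door was unlocked and the camera stayed silent > max_gap."""
    alerts = []
    unlocked = False
    last_seen = None
    for ts, kind in sorted(events):
        # Any event arriving after a long silence while unlocked is suspicious,
        # including a late "lock": the door was unobserved in between.
        if unlocked and ts - last_seen > max_gap:
            alerts.append((last_seen, ts))
        if kind == "unlock":
            unlocked, last_seen = True, ts
        elif kind == "frame" and unlocked:
            last_seen = ts
        elif kind == "lock":
            unlocked = False
    # The lock reports through the camera, so during an outage no "lock"
    # event may ever arrive. A timer tick (now) must close that case.
    if unlocked and now is not None and now - last_seen > max_gap:
        alerts.append((last_seen, now))
    return alerts

# Constructed sample timelines (seconds); not captured from a real device.
NORMAL = [(0, "unlock")] + [(t, "frame") for t in range(1, 11)] + [(11, "lock")]
SILENCED = [(100, "unlock"), (101, "frame"), (102, "frame"), (103, "frame")]
RECOVERED = [(0, "unlock"), (1, "frame"), (20, "frame"), (21, "lock")]

if __name__ == "__main__":
    print(stale_camera_alerts(NORMAL, now=30))
    print(stale_camera_alerts(SILENCED, now=130))
    print(stale_camera_alerts(RECOVERED, now=30))
```

The check has to run on the side that receives the feed, because the viewer only sees the last frame and cannot tell a frozen image from a quiet doorway.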

Photo: Rhino Security Labs via YouTube
