Amazon Key camera feed can be disabled, security firm finds

Image: Amazon

People were understandably a little concerned when Amazon announced its new Amazon Key service, which lets couriers inside their houses in order to deliver packages without worrying that someone will steal them from the porch outside. Critics, though, worried that letting a stranger inside your house may be worse.

Not to worry, Amazon said, as the service works in tandem with the new Cloud Cam (and a new smart lock), so you could check in on your house at the time of delivery and see if anything was amiss. Sounds kinda sorta okay, right?

Naturally, there had to be a catch. Researchers from Rhino Security Labs recently told Wired that it's relatively easy for unscrupulous couriers or random people from the street to use a simple denial-of-service attack program to freeze the Cloud Cam's feed from any computer within Wi-Fi range. 

In other words, the courier or someone who followed him or her could possibly wait until after the package was delivered to freeze the feed and, right afterward, run into the house again before activating the lock. Worse, the Cloud Cam continues to show the last image captured, which makes it look as though nothing is happening onscreen. You can see the attack in action in the video below.

Amazon released a statement to TechRadar asserting that it would soon release an update to provide faster notifications if the camera goes offline, as well as defending other aspects of its Key program.

"Safety and security are built into every aspect of the service," an Amazon spokeswoman said. "Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time. We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.”

Poor delivery

Amazon says it believes the findings currently pose little risk for customers, but that it is nevertheless taking action soon. In Amazon's view, the problems lie with Wi-Fi protocols rather than its own software. Amazon also emphasized that their couriers aren't allowed to move on to the next deliveries until the full process has been completed (including locking the door), but that technically doesn't account for the issues described in Rhino's scenario.

Still, if a courier does do these things, Amazon says, it'll know exactly which courier was responsible, presumably due to the delivery schedule involved in the Key service procedures. The company will then notify the customer and take action. And if something does go wrong, Amazon said, it works with the customer to fulfill Amazon's Happiness Guarantee if any products or property are damaged. 

For now, all we can do is wait to see what this patch will look like.

TOPICS