A malicious courier could easily freeze the key’s cloud camera and roam a customer’s home unattended.
Amazon is fixing a solution to a bug in the surveillance camera that is used to monitor couriers delivering packages to key customers’ homes.
Amazon Key is the recently launched service that allows Amazon couriers to place goods in the homes of Prime customers. The service works in tandem with Amazon’s new Cloud Cam security camera, a smart door lock, and the key app that remotely unlocks the door and displays a live video feed.
However, as Wired reports, Seattle-based security company Rhino Security Labs has discovered a bug in the process that would allow a devious courier to freeze the camera. This ability undermines the key component that gives customers security when they let a stranger into an unattended home.
The attack can be launched within Wi-Fi range, exactly where a hacker courier would be positioned. Using a computer, the attacker sends a volley of “deauthorization” packets to the target cloud camera, preventing them from using an access point when trying to authenticate again. It is a well known technique for wifi signal jammer and not specific to Cloud Cam.
Even though the Amazon camera is offline, it will still display the last image the camera took when it was connected, so the homeowner will not know that the view on their app is not live.
Rhino’s demo video shows a delivery man delivering a package as expected, but after freezing the camera on a picture with the door closed, he re-enters the house. The camera does not record the second entry and the Key app does not log the second entry.
An Amazon spokeswoman told the ZDNet sister site CNET that they are currently notifying customers when Cloud Cam is offline for a “longer period”.
An update released later this week will inform users when the camera goes offline during a delivery. The service will also not unlock the door if Wi-Fi is disabled and the camera is offline.
All major couriers undergo a comprehensive background check that Amazon checks before they can deliver at home, the spokeswoman said. In addition, Amazon links each delivery to a specific driver and verifies that it is the right driver at the right address.