Amazon Key delivery driver could knock out security camera, demo reveals
SEATTLE — A Seattle-based group of cybersecurity researchers has demonstrated a way to knock Amazon.com’s new security camera off-line, a capability that could enable malicious delivery drivers for the online retailer’s new in-home delivery service to snoop around a house undetected.
Amazon Key, which became available to customers this month, gives Amazon delivery drivers one-time access to a residence to drop off a package.
The program, designed to eliminate the theft of packages left outside a home and to open up the potential for remote authorization of other home services, is a test of whether consumers trust Amazon enough to give it access to their front doors.
It relies on two pieces of hardware: a smart lock, and Cloud Cam, which communicates with Amazon’s servers to authorize the driver to unlock the door, and then records the delivery, beaming live or recorded video to a smartphone app to give the homeowner peace of mind.
Rhino Security Labs, a security research company, showed that it could exploit a weakness in the Wi-Fi protocol that Cloud Cam and many other devices use to communicate with their routers. A savvy hacker within Wi-Fi range can send a series of “deauthorization” commands to a specific device, temporarily severing its link to the internet.
In the case of Amazon’s Cloud Cam, that means the camera would stop recording and sending images to Amazon’s servers. A delivery driver who had already received approval to unlock the front door could, before exiting and locking the door, roam inside without being recorded. Or, as demonstrated in a video posted by Rhino, leave the home and re-enter undetected.
Part of the problem, Rhino CEO Benjamin Caudill said, is that during such internet interruptions, Cloud Cam doesn’t immediately go dark or tell the user it is off-line. The company’s test instead shows that the Cloud Cam smartphone app displays a still frame of the last image the camera saw before losing its connection, which could give the impression the device was functioning properly.
“You can do this multiple times over without any sort of alert or log at all,” Caudill said. “Now I, as a bad guy, have blocked the signal and blocked your camera, and, unless you are specifically thinking this is an attack, there’s no way for you to verify that this had happened,” he said.
Amazon said in a statement that safety and security “are built into every aspect of the service,” and reiterated that Amazon Key’s delivery drivers, employed by contracting firms, have to pass comprehensive background checks.
Still, Amazon said it planned to issue a software update that will notify customers sooner if the camera goes off-line during a delivery.
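The gap Caudill describes, a feed that goes silent with no alert or log while the app still shows the last frame, can be caught by judging the feed on frame timestamps rather than on the image displayed. The sketch below is an added example, not code from Amazon or Rhino Security Labs: it assumes the camera emits timestamped heartbeats and that door events are logged by an independent source, and every name, threshold and sample value in it is constructed for illustration.

```python
"""Added example: flag camera-feed gaps that overlap a delivery's unlock window.

All names, thresholds and sample events are constructed for illustration;
none of this is Amazon's or Rhino Security Labs' code or data.
"""
from dataclasses import dataclass

MAX_GAP_S = 5.0  # assumed: longest tolerated silence between camera heartbeats


@dataclass
class Gap:
    start: float       # last heartbeat (or window start) before the silence
    end: float         # first heartbeat (or window end) after the silence
    door_events: list  # door events that happened while the camera was blind


def find_blind_spots(heartbeats, door_events, window, max_gap=MAX_GAP_S):
    """Return Gaps inside window (t_open, t_close) where the feed was silent
    longer than max_gap, each with the door events that went unrecorded."""
    t_open, t_close = window
    # Bracket the heartbeats with the window edges so that silence at the
    # very start or very end of the delivery is measured too.
    inside = sorted(t for t in heartbeats if t_open <= t <= t_close)
    marks = [t_open] + inside + [t_close]
    gaps = []
    for prev, cur in zip(marks, marks[1:]):
        if cur - prev > max_gap:
            missed = [(t, name) for t, name in door_events if prev < t < cur]
            gaps.append(Gap(prev, cur, missed))
    return gaps


# Constructed sample: heartbeats every 2 s, silent between t=20 s and t=50 s.
SAMPLE_HEARTBEATS = ([float(t) for t in range(0, 21, 2)]
                     + [float(t) for t in range(50, 61, 2)])
# Constructed door log (assumed to come from a source other than the camera):
# the door is locked and unlocked again while the feed is silent.
SAMPLE_DOOR = [(4.0, "unlock"), (24.0, "lock"), (40.0, "unlock"), (56.0, "lock")]

if __name__ == "__main__":
    for g in find_blind_spots(SAMPLE_HEARTBEATS, SAMPLE_DOOR, (0.0, 60.0)):
        print(f"ALERT: no video {g.start:.0f}s-{g.end:.0f}s; "
              f"door events while blind: {g.door_events}")
```

A check like this only helps if it runs somewhere that stays reachable when the camera's Wi-Fi link is down, such as a server that expects the heartbeats.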