Amazon Key’s Camera Can Be Disabled By a Third Party, Allowing Couriers to Reenter Your House
Last month, the world was introduced to Amazon Key, a new service from the online shopping juggernaut that allows couriers to unlock your front door to deliver packages. One of the main concerns about the service is whether Prime customers trust Amazon enough to let the company monitor their homes and determine when it’s okay to unlock the door for someone who is, essentially, a stranger. The service relies on Cloud Cam and a compatible smart lock, and only grants permission for a courier to enter after they scan a barcode, which is checked against information in the cloud. A camera also monitors and records the drop-off so customers can check that nothing suspect happened.
Now security researchers have found that the camera can be disabled and frozen by a program run from any computer within Wi-Fi range, reports Wired. That means a customer watching a delivery will only see a closed door, even if someone opens the door and goes inside — a vulnerability that may allow rogue couriers to rob customers’ homes.
"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, the founder of Rhino Labs told Wired. Researchers from the security firm uncovered Amazon Key attack and replicated it. "Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
The video demonstration of the attack shows a man dropping off a parcel inside a house. The Amazon Key app shows the delivery goes as normal and indicates the door is locked as the courier leaves. But once the disabling program is run, and the courier reenters the apartment, the app just shows the door remaining closed.
The demonstration is a proof of concept of a deauthorization technique. Amazon’s camera doesn’t indicate to users that it is offline; instead, the feed keeps showing the last frame the camera recorded while it was still online. To rub salt into the wound, the Amazon Key system has another weakness. Someone wanting to break into a home could follow an Amazon courier and wait for them to make a delivery. They could trigger a deauthorization command as the courier is leaving and cause Amazon Key to go offline, which would stop the door from locking.
Amazon has responded to the issues, saying it will notify customers when the camera is offline for an extended period. “Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery,” it said in a statement to Wired. “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time.”