Last month, the world was introduced to Amazon Key, a new service from the online shopping juggernaut that allows couriers to unlock your front door to deliver packages. One of the main concerns of the service is the central question of whether Prime customers trust Amazon enough to let the company monitor their homes and determine when it’s okay to unlock the door for someone who is, essentially, a stranger. The service relies on Cloud Cam and a compatible smart lock, and only grants permission for a courier to enter after they scan a barcode, which is checked against information in the cloud. A camera also monitors and records the drop-off so customers can check that nothing suspect happened.
Now security researchers have found that the camera can be disabled and frozen from a program run from any computer within Wi-Fi range, reports Wired. That means a customer watching a delivery will only see a closed door, even if someone opens the door and goes inside — a vulnerability that may allow rogue couriers to rob customers’ homes.
"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, the founder of Rhino Security Labs told Wired. Researchers from the security firm uncovered the Amazon Key attack and replicated it. "Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
The video demonstration of the attack shows a man dropping off a parcel inside a house. The Amazon Key app shows the delivery goes as normal and indicates the door is locked as the courier leaves. But once the disabling program is run, and the courier reenters the apartment, the app just shows the door remaining closed.
The demonstration is a proof-of-concept and a deauthorization technique. If the camera is turned off, even manually by the user, you do get a push notification a few minutes later saying it’s offline. Someone wanting to break into a home could follow an Amazon courier and wait for them to make a delivery. They could trigger a deauthorization command as the courier is leaving and cause Amazon Key to go offline, which would stop the door from locking.
But Amazon does have a process in place that’s meant to avoid these scenarios from happening; the courier has to unlock the door, leave, then manually relock, and the customer will get a notification when they do so. If a courier left and the door was not quickly locked again, the customer would know something is off, although an attack like this would prevent them from seeing exactly what happened. The courier also can’t move on to their next delivery, according to Amazon’s procedures, until the door has been locked and that step has been confirmed the cloud.
UPDATE November 16th, 12:41pm ET: A spokesperson from Amazon says: “Safety and security are built into every aspect of the service. Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time. We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.”
An earlier version of this story said that Amazon’s camera doesn’t indicate to users that the camera is offline. That is incorrect.