Security researchers claim to have discovered a flaw in Amazon’s Key Service could let a driver re-enter your home after dropping off a delivery.
Amazon Keyallows you to order goods from Amazon and have them delivered inside of your home instead of on the doorstep. It consists of a smart lock and a camera that’s always supposed to be connected to Wi-Fi.
Rhino Security Labs found that by launching a distributed denial of service attack against the camera — that is, flooding it with random information requests — they could disable the camera temporarily. This let them drop off a package, leave the house, and then sneak back in without the camera detecting their presence a second time. This could leave an Amazon Key household open to theft. The flaw was first covered by Wired.
Amazon says that based on an initial review of the security research, the company believes the findings pose little risk to consumers, but they are taking quick action. The security update will alert users immediately if Wi-Fi latency issues result in a lag of the Cloud Cam.
“Safety and security are built into every aspect of the service,” Amazon told CNBC. “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time. We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the WiFi is disabled and the camera is not online.”
Rhino Security Labs published the following video online, purporting to show the attack in action:
Security researchers say that a flaw in Amazon camera could let driver re-enter your house unnoticed