Security researchers say they have uncovered a flaw that could let couriers re-enter a home after making a delivery by disabling the Amazon Cloud Cam that is part of the new Amazon Key in-home delivery service.
Wired reported on research from Seattle-based security firm Rhino Security Labs, which found that a program deployed from any computer in WiFi range could disable and freeze the Cloud Cam that sits opposite a door equipped with a smart lock as part of the new service. That could let a rogue courier pop back into the house after making a delivery, while someone watching security footage on the Cloud Cam would just see a closed door.
Rhino released a video detailing how an unwanted intrusion using the Amazon Key program and Cloud Cam could work.
Amazon told GeekWire the issue does not pose a threat to customers. If the camera is offline, the Amazon Key service will not open the door, the company said. Amazon notifies customers when the Cloud Cam is down for an extended period of time, and the company said it will release an update this week to speed up notifications if the camera goes down.
The issue is not with the Amazon device, the company says, but a WiFi problem. Wired reports that the Cloud Cam can be knocked off the network via a series of “de-authorization commands.” These moves, which involve mimicking a command from the WiFi network, can be an issue for practically all WiFi-enabled devices.
Amazon has a strict process for drivers using Amazon Key that includes thorough vetting of drivers and lays out a series of steps couriers must complete before moving on to the next delivery. If a rogue courier were to try something malicious, Amazon would immediately know the identity of the driver and the time and location of such an incident.
Amazon also offers a “happiness guarantee” if anything goes wrong with an Amazon Key delivery. Here is Amazon’s full statement on the issue:
Safety and security are built into every aspect of the service. Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time. We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.
Whether or not the flaw uncovered by Rhino represents a major risk to customers, it could turn off some potential users for a service that consumers appear to be a bit skeptical of in the early going. Online research company Morning Consult found in a nationwide poll conducted last month that 68 percent of U.S. adults said they’re not comfortable giving strangers access to their homes. Those strangers could be dropping off an Amazon package or delivering groceries, according to the question posed. The survey also found that 53 percent of respondents said the idea of the virtual key service makes them “very uncomfortable.”
The new $119.99, motion-detecting, 1080p HD camera and virtual key app make Amazon a rival to Google’s Nest Cam, August camera smart locks and other players in home security — demonstrating the tech giant’s ability to quickly extend its reach into new markets. A package that includes both an Amazon Cloud Cam and a compatible smart lock sells for $249.99.
Cloud Cam works with a subscription service that runs between $6.99/month and $19.99/month for additional features such as person detection, extended cloud storage and the ability to use up to 10 cameras. A free tier lets users download the previous 24 hours of video clips without a paid subscription, with support for up to three cameras.
Here’s how Amazon Key and Cloud Cam work, as explained in Amazon’s help pages.
On delivery day, you will receive a notification in the morning with a 4-hour delivery window for when the delivery driver will arrive at your home. Right before the driver arrives, you will receive an “Arriving Now” notification and can optionally watch the delivery happening live. The driver will knock first, then request to unlock customer’s door via their Amazon handheld scanner. Amazon verifies that the package(s) belong to the address and the driver is near the door, turns on Cloud Cam and unlocks your door. No special codes or keys are given to the driver. The driver will then place the package(s) just inside your door and request to lock the door. Once the delivery is complete and your door is re-locked, you will get a final notification and can watch a video clip of the delivery. You do not need to provide any additional information for the driver, such as keypad codes or remote unlock.
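The safeguards in Amazon's statement (no unlock while the camera is offline, a prompt alert if it drops during a delivery) can be expressed as a check over the delivery flow described above. The following Python is an added example, not Amazon's code or part of the original article; the event names, the heartbeat model and the 5-second threshold are assumptions, and both timelines are constructed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float    # seconds on a constructed timeline
    kind: str   # "heartbeat", "unlock_request" or "lock" (assumed names)

def audit_delivery(events, max_gap=5.0):
    """Return (time, finding) pairs for one delivery timeline.

    Assumed policy: the camera counts as online only if a heartbeat arrived
    within max_gap seconds; unlock is granted only while it is online; a
    longer silence while the door is unlocked raises an alert.
    """
    findings, last_beat, unlocked, alerted = [], None, False, False
    for ev in sorted(events, key=lambda e: e.t):
        online = last_beat is not None and ev.t - last_beat <= max_gap
        if unlocked and not online and not alerted:
            # Stamp the alert at the moment the silence exceeded the limit.
            findings.append((last_beat + max_gap, "camera_offline_while_unlocked"))
            alerted = True
        if ev.kind == "heartbeat":
            last_beat, alerted = ev.t, False
        elif ev.kind == "unlock_request":
            if online:
                unlocked = True
            else:
                findings.append((ev.t, "unlock_refused_camera_offline"))
        elif ev.kind == "lock":
            unlocked = False
    if unlocked:
        findings.append((ev.t, "door_not_relocked"))
    return findings

def beats(*times):
    return [Event(float(t), "heartbeat") for t in times]

# Constructed timeline: camera stays online through the whole delivery.
NORMAL = beats(0, 2, 4, 6, 8, 10, 12) + [
    Event(5.0, "unlock_request"), Event(11.0, "lock")]

# Constructed timeline: camera drops off WiFi after t=4 and returns at t=40;
# a second unlock is requested at t=30 while it is still offline.
JAMMED = beats(0, 2, 4, 40, 42) + [
    Event(5.0, "unlock_request"), Event(11.0, "lock"),
    Event(30.0, "unlock_request")]

if __name__ == "__main__":
    print(audit_delivery(NORMAL))
    print(audit_delivery(JAMMED))
```

This audit is event-driven, so a gap is only noticed when the next event arrives; a live monitor would run the same comparison on a timer.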