Last month, Amazon announced its unusual new scheme that allows couriers to enter its customer’s homes in order to deliver parcels. While the company managed to quell many security concerns with Amazon Key, it turns out there’s one fatal flaw that could allow the same courier to re-enter your home unbeknown to you.
The system itself relies on communication of apps and Amazon’s Cloud Cam to ensure enough precautions are taken that customers feel safe enough to use the service. Specifically, the user will get email notifications when the parcel is on the way, when the driver has arrived and as the driver enters the code to unlock your door. The cam will be prompted on that second step, making sure to record the driver as they unload the delivery until they leave the premises entirely.
It all sounds safe and secure, until security researchers came across an exploit that allows the camera to be disabled and frozen by a third party application. The Wire reports that this program can be opened from a device within WiFi range, giving video footage of a closed door despite that not being the case.
“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Rhino Labs founder Benjamin Caudill told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
Caudill replicated the DoS attack to showcase exactly what could happen with such a vulnerable security flaw. The parcel is delivered as expected, so as to not raise any suspicion, however once the program is run, the courier has the ability to re-enter the home without notifying the Cloud Cam or the history of authorised unlocks.
This exploit isn’t just in the hands of Amazon couriers, mind you, as anyone that knows about the exploit could spot or wait for a delivery to then execute the deauthorisation command.
Amazon has directly responded to this vulnerability, stating that Amazon Key users will be notified if the Cloud Cam goes offline for a prolonged period of time. “Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery,” read a statement made to Wired. “Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time.”
KitGuru Says: It will be hard to quell security concerns when this system relies so heavily on trusting strangers and digital systems. Still, Amazon is thinking outside the box (pun intended) and this is early days for such an experiment. Would you employ a system like Amazon Key?
The most surprising part of the video is how noisy the lock is….