Researchers Find Security Flaw in Amazon Key Connected Camera

The company says it is working on a fix to prevent unauthorized access to customers' homes.

Amazon cloud cam Amazon

Security researchers have discovered a vulnerability in Amazon’s new Amazon Key service that could allow couriers or other outsiders unauthorized access to the homes of the service’s subscribers.

Amazon introduced Amazon Key in October, which pairs a smart lock with the company’s internet-connected Cloud Cam. Like other similar systems, Amazon Key allows homeowners to remotely unlock their doors to let in dog-walkers, contractors, house cleaners, etc, but the special feature of Key is that it can automatically unlock the door for couriers dropping off Amazon deliveries—a feature the company calls “in-home delivery.”

The flaw, discovered by Seattle-based Rhino Security Labs, was demonstrated in a video the firm posted on YouTube Wednesday. It highlights some of the security concerns that can arise with internet-connected cameras and locks. “As more smart-home devices perform critical home-security functions, it’s essential that they be resistant to attack,” says Maria Rerecich, director of electronics testing at Consumer Reports. “In our research, we’ve seen some connected cameras get compromised by relatively rudimentary techniques.”

Demonstrating the Flaw

Rhino Labs’ video shows a person unlocking the smart lock via the Amazon Key app, dropping off a package, and shutting the door. Instead of immediately locking the door again through the app, Rhino Labs researchers then run a program on a laptop that sends repeated “reauthorization” commands to the Cloud Cam, forcing the camera to stay offline.

However, the customer watching the delivery remotely through the app doesn’t see the screen go dark. Instead, the app displays the last frame shot by the camera before the reauthorization command kicked it offline.

That could allow the courier to re-enter the home, shut the door, and lock it behind them—with the homeowner unaware that someone is still inside the house.

Issuing a Fix

Amazon says that based on its initial findings, it believes the flaw Rhino discovered poses little risk to customers, and that the company currently notifies customers if the Cloud Cam is offline for an extended period. However, the company says it will be deploying an update later this week “to more quickly provide notifications if the camera goes offline during delivery,” noting that the service won’t unlock the door if Wi-Fi is disabled and the camera is offline.

“Safety and security are built into every aspect of the service. Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time,” Amazon spokeswoman Kristen Kish said in a statement to Consumer Reports.

What About Other Cameras?

Although Amazon is addressing the problem with an update, as we’ve reported previously, any Wi-Fi-connected camera can be knocked offline by a hacker within range of your router—which can extend hundreds of feet. All they need is the name of your Wi-Fi network, the unique address of your router, and the Internet address of your camera, using free software tools available to anyone.

The hacker can then send that camera a “deauthorization” or “deauth” packet, temporarily knocking it offline like in the situation above.

It’s not just cameras, either—such attacks can boot any Wi-Fi device off the network, including motion detectors, sensors that report when a door is opened, and other security devices.

Unfortunately, there’s not much you can do to keep determined hackers at bay in these cases, say experts. It’s up to manufacturers to stay on top of fixing bugs.

“Realistically, there are no real preventative measures that consumers can take,” says Dan Guido, CEO of the cybersecurity firm Trail of Bits. “Consumers should only purchase devices that have a secure update feature so that manufacturers are capable of quickly patching these kinds of issues as they are discovered.”