Amazon Key flaw could let a courier disable your Cloud Cam

A new attack disables a crucial part of Amazon's Key security.

Amazon recently weirded out much of the internet when it unveiled its Key delivery service that lets its couriers open your home and deliver packages while you're away. A key part of that is the Cloud Cam security camera that confirms deliveries and shows that your house remains un-ransacked. Now, researchers from Rhino Security Labs have shown that it's possible, under rare circumstances, to hack the camera so that everything looks fine while someone takes all your stuff.

The attack would work like this. A courier unlocks your door with their Key app, drops off the package and closes the door behind them. Rather than re-locking it, they then run a program on a custom-built device or laptop that spoofs the home's router and disconnects the Cloud Cam from the network. The device keeps sending the command to prevent the camera from reconnecting.

Unfortunately, the system doesn't alert you that the Cloud Cam is disconnected -- instead, the camera keeps sending the last image it recorded, a normal shot of your door. In the meantime, the hacker can re-enter the house, move out of camera range, lock the door behind them using the Key app, and stop the jamming app, as shown below. They're then free to rummage around your home, and neither you nor Amazon are any the wiser.

This type of hack can work with any WiFi device, to be fair, but most WiFi devices aren't an integral part of a secure delivery system like the Cloud Cam is. "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism," Rhino's Ben Caudill told Wired. The fact that the camera continues to show what looks like a normal image is perhaps the most significant flaw.

Amazon told Wired that it's extremely unlikely such an attack would work, however. Its couriers must pass comprehensive background checks, deliveries are connected to specific drivers, and the company "verifies that the correct driver is at the right address, at the right time."

So it would be pretty risky for a courier to steal something, and furthermore, they'd have to exit via another door or window as the front door would now be locked. It would be even tougher for a third-party to exploit the hack, as they'd have no way to open a door unless the courier was careless -- and if so, Amazon would contact the homeowner within minutes.

Nevertheless, Amazon has promised to address the issue. "Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery," it said in a statement. In other words, Amazon should thank the hackers for helping them fix the hole, and hope that someone less forthright doesn't find another -- its Key service is a pretty tempting target.