Security researchers discover Amazon Key exploit

Exploit highlights the dangers of IoT tech

By Lyle Adriano

Amazon Key, a service which allows Amazon’s delivery personnel to enter customers’ homes to deliver packages, could be exploited by hackers to gain unauthorized entry into properties, security researchers have discovered.

The home delivery service involves the use of a smart lock, Amazon’s own Cloud Cam, and the Amazon Key app. The idea is that customers who want their packages delivered inside their homes can enable the smart lock to allow Amazon’s couriers to enter. As a safety precaution, the Cloud Cam monitors delivery personnel as they go about their jobs, feeding real-time footage to the customer through the Key app.

However, Seattle-based security firm Rhino Security Labs has demonstrated that the system could be exploited. Using a simple program that could be run from any computer within Wi-Fi range of the home, the Cloud Cam can be frozen: the customer's feed keeps showing a closed door while an intruder enters the house unnoticed.

“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Rhino Security Labs founder Ben Caudill told WIRED. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”

In its demonstration of the exploit, Rhino Security Labs explained that hackers can use a laptop or a simple handheld device such as a Raspberry Pi minicomputer to send a series of “deauthorization” commands to the home’s Cloud Cam. The technique does not exploit a software bug in the camera; it relies on a weakness shared by all Wi-Fi devices. Deauthorization allows anyone to spoof a command from a Wi-Fi router that temporarily removes a device from the network.

In Amazon Key’s case, the deauthorization script keeps the camera offline for as long as it runs. Unfortunately, Amazon’s camera does not respond to the attack by turning off or alerting the user that it is offline; instead, the app keeps showing the viewer the last frame the camera captured before it lost its connection.
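For readers who want to see what catching such an attack looks like from the network side, here is an added example (not code from Rhino Security Labs, Amazon or WIRED): a short Python checker that scans a constructed capture of Wi-Fi management frames and flags any client that receives an abnormal burst of deauthentication frames (the “deauthorization” commands the article describes). The frame layout, MAC addresses and threshold are assumptions for illustration.

```python
from collections import defaultdict, deque

# In 802.11, management frames are type 0 and Deauthentication is subtype 12.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12


def detect_deauth_floods(frames, threshold=10, window=5.0):
    """Return (ts, spoofed_bssid, station) for each station that receives at
    least `threshold` deauth frames inside any `window`-second span.

    `frames` is an iterable of dicts (assumed layout) with keys:
    ts (seconds), type, subtype, src (claimed BSSID), dst (client address).
    """
    recent = defaultdict(deque)  # (bssid, station) -> timestamps of deauths
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != MGMT_TYPE or f["subtype"] != DEAUTH_SUBTYPE:
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)                   # report each victim once
            alerts.append((f["ts"], f["src"], f["dst"]))
    return alerts


# Constructed sample capture, not real traffic. A router sends a deauth only
# when a client genuinely leaves; dozens in a few seconds to one camera is a flood.
ROUTER = "aa:bb:cc:00:00:01"
CAMERA = "de:ad:be:ef:00:02"
LAPTOP = "de:ad:be:ef:00:03"

SAMPLE_FRAMES = (
    [{"ts": 0.0, "type": MGMT_TYPE, "subtype": 8, "src": ROUTER, "dst": "ff:ff:ff:ff:ff:ff"}]  # beacon
    + [{"ts": 1.0, "type": MGMT_TYPE, "subtype": DEAUTH_SUBTYPE, "src": ROUTER, "dst": LAPTOP}]  # one normal deauth
    + [{"ts": round(10.0 + 0.1 * i, 1), "type": MGMT_TYPE, "subtype": DEAUTH_SUBTYPE,
        "src": ROUTER, "dst": CAMERA} for i in range(30)]  # burst aimed at the camera
)

if __name__ == "__main__":
    for ts, bssid, station in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"t={ts:.1f}s: deauth flood against {station}, sender claims to be {bssid}")
```

A home router cannot normally see these frames being spoofed, which is why the more practical defence is the one Amazon describes: treat a camera that goes quiet as an alarm rather than silently showing its last frame.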

When WIRED brought the exploit to Amazon’s attention, the company said that it plans to send out an automatic software update to address the issue.

“We currently notify customers if the camera is offline for an extended period,” Amazon said in a statement.
