Amazon’s services have become a big part of many people’s lives, both online and off. Do you trust Amazon enough to let it unlock your doors, though? That’s the pitch for the newly launched Amazon Key service, which allows delivery people to set your packages inside under the watchful eye of the Amazon Cloud Cam. However, researchers from Rhino Security Labs have shown it’s possible for a courier to knock your camera offline and sneak back into your home unseen.
The Amazon Key system consists of an Amazon Cloud Cam with smart home add-on and one of several compatible smart locks. The idea is that when a delivery is made by one of Amazon’s in-house drivers, they can access the Key system to unlock your door. The package is placed inside, and the door re-locks. Throughout this process, the Key app lets you know what’s going on with a live video feed. Amazon really sells the camera as peace of mind, but that’s where the weak link is, according to Rhino Security Labs.
In a proof-of-concept hack, researchers showed it’s possible to disable the camera and gain entry to the home without generating any alerts or warnings. The courier first opens the door via the Key app and drops off the package. He closes the door, and everything appears to be going normally. Then, a computer is used to send deauthentication frames to the camera over Wi-Fi, spoofed so they appear to come from the router. This temporarily disconnects the camera, allowing the delivery driver to walk back inside without being on camera.
The deauth attack is not unique to Amazon Key — almost all Wi-Fi devices can be knocked offline temporarily by such a method. However, the Key app doesn’t let the homeowner know something is amiss. The video feed simply shows the last live frame (a closed door). The driver can even re-lock the door after re-entering the home to ensure nothing looks suspicious in the app.
Rhino Security Labs says this attack is extremely easy, noting all you need is a computer or a small handheld Raspberry Pi with an antenna add-on. Amazon responded by pointing out that all its drivers must pass a background check before making Key deliveries. To address this hack, Amazon says it will push out a Key update that alerts users more quickly to camera disconnections. So, at least you’d know if something suspicious was going on.
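The gap described above is that door activity during a camera outage looks normal to the homeowner. The following is an added example, not code from Amazon, Rhino Security Labs or the article: a retrospective check that flags lock events with no recent camera heartbeat on either side. The event format, the names and the 15-second threshold are assumptions made for illustration.

```python
from bisect import bisect_right

MAX_GAP = 15  # assumed: seconds without a camera heartbeat before the feed is stale

# Constructed sample timeline: (seconds, source, event). Not real Amazon Key telemetry.
EVENTS = [
    (0, "camera", "heartbeat"), (10, "camera", "heartbeat"),
    (12, "lock", "unlock"),   # delivery: door opens while the camera is live
    (20, "camera", "heartbeat"), (30, "camera", "heartbeat"),
    (33, "lock", "lock"),     # door re-locks while the camera is live
    (40, "camera", "heartbeat"),
    # camera silent from t=40 to t=130 (feed would show the last frame)
    (70, "lock", "unlock"),   # door activity nobody can see
    (95, "lock", "lock"),
    (130, "camera", "heartbeat"), (140, "camera", "heartbeat"),
]

def heartbeat_times(events):
    """Sorted timestamps at which the camera proved it was online."""
    return sorted(t for t, src, _ in events if src == "camera")

def camera_gaps(events, max_gap=MAX_GAP):
    """Return (start, end) pairs where consecutive heartbeats are too far apart."""
    beats = heartbeat_times(events)
    return [(a, b) for a, b in zip(beats, beats[1:]) if b - a > max_gap]

def unobserved_door_events(events, max_gap=MAX_GAP):
    """Return lock events that lack a fresh heartbeat before OR after them.

    Checking both sides also catches a door event that happens just after
    the camera's last heartbeat. A missing heartbeat on either side (start
    or end of the log) is treated as stale.
    """
    beats = heartbeat_times(events)
    flagged = []
    for t, src, ev in sorted(events):
        if src != "lock":
            continue
        i = bisect_right(beats, t)           # heartbeats at or before t: beats[:i]
        prev = beats[i - 1] if i else None
        nxt = beats[i] if i < len(beats) else None
        stale_before = prev is None or t - prev > max_gap
        stale_after = nxt is None or nxt - t > max_gap
        if stale_before or stale_after:
            flagged.append((t, ev))
    return flagged

if __name__ == "__main__":
    print("camera gaps:", camera_gaps(EVENTS))
    print("unobserved door events:", unobserved_door_events(EVENTS))
```

A live alerting system cannot wait for the next heartbeat, so it would raise the alarm on the "stale before" condition alone and treat any unlock during an open gap as high priority.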
Published at Thu, 16 Nov 2017 17:40:55 +0000