Major Amazon Key security flaw could let rogue deliverymen disable your camera and sneak into your home

  • Amazon Key lets staff from the retail firm enter your property to drop off a parcel 
  • They use an app to unlock your door while a Cloud Cam records the delivery
  • A bug lets hackers freeze the recording on an image of your closed front door
  • This would allow them to steal your belongings while everything appears normal 

A high-tech solution that gives Amazon delivery drivers access to your home could be exploited by criminals, computer security experts have warned.

Amazon Key lets staff from the retail firm enter your property, using an app to unlock your door, while the delivery is recorded via a web-connected camera.

A bug in the software could enable hackers to freeze the camera feed on an image of your door closed securely, while they are really making off with your prized possessions.


HOW DOES IT WORK? 

The hack exploits a bug in WiFi devices that lets nearby attackers overload them with a series of 'deauthorisation' commands.

This takes the camera temporarily offline, for as long as the attacker keeps sending the command.

Amazon's Cloud Cam responds by freezing on the last frame filmed.

If this was a shot of the door closed and appearing secure, everything would appear normal to anyone watching the live or recorded feed.


Researchers from Seattle-based network vulnerability firm Rhino Labs discovered the flaw, which utilises a common issue with many WiFi-connected gadgets.

Their demonstration shows a delivery person unlocking the front door to a property with the Amazon Key app.

They open the door, deliver the parcel, and then close the door behind them.

Amazon's delivery drivers would then lock the door via the app.

For the purposes of the demonstration, however, experts show how a simple device composed of a Raspberry Pi minicomputer and a WiFi antenna can be used to freeze the camera on a frame of the locked door.

This would allow a thief to re-enter your home and steal your belongings, while the camera would show that everything was normal. 

The service is currently available in 37 cities and their surrounding areas across the US, with more locations expected to be added.

It is not yet known if the firm plans to expand Key globally.

Speaking to Wired, Rhino Labs founder Ben Caudill said: 'The camera is very much something Amazon is relying on in pitching the security of this as a safe solution.

'Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.

'As a partially trusted Amazon delivery person, you can compromise the security of anyone's house you have temporary access to without any logs or entries that would be unusual or suspicious.' 


Amazon announced in October that Prime members can pay $249.99 (£190) and up for the cloud-controlled camera and lock, which the company offers to install.

The hacker creates a flood of frames on Amazon's Cloud Cam, disconnecting the camera. 'If the timing is right,' it prevents the app from notifying the user that the door locked.


Delivery associates are told to ring a doorbell or knock when they arrive at someone's house. 

If no one greets them, they press 'unlock' in a mobile app, and Amazon checks its systems in an instant to make sure the right associate and package are present.

The camera then streams video to the customer, who can watch the in-home delivery take place remotely.

The associate cannot proceed with other trips until the home is again locked.

About the flaw, a spokesman for Amazon said: 'We currently notify customers if the camera is offline for an extended period.

'Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.'
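
The kind of check that statement describes, sketched as an added example (not Amazon's code, and not part of the original article): a server-side audit that flags camera silence between the unlock and lock events, and a missing lock confirmation. The heartbeat model, record fields, alert names and both thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_GAP = 5.0          # assumed: seconds of camera silence tolerated mid-delivery
LOCK_TIMEOUT = 300.0   # assumed: seconds to wait for a lock confirmation

@dataclass
class Delivery:          # hypothetical record built from the lock's event log
    unlock_ts: float
    lock_ts: Optional[float]   # None if no lock confirmation was received

def camera_gaps(heartbeats, start, end, max_gap=MAX_GAP):
    """Intervals inside [start, end] where the camera was silent for > max_gap."""
    seen = sorted(t for t in heartbeats if start <= t <= end)
    points = [start] + seen + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]

def audit_delivery(delivery, heartbeats):
    """Return alerts for one delivery, judged on server-side receipt times.

    The frozen last frame looks normal to a viewer, so the check uses when
    data actually arrived from the camera, not what the picture shows.
    """
    alerts = []
    end = delivery.lock_ts
    if end is None:
        end = delivery.unlock_ts + LOCK_TIMEOUT
        alerts.append(("no_lock_confirmation", delivery.unlock_ts, end))
    for a, b in camera_gaps(heartbeats, delivery.unlock_ts, end):
        alerts.append(("camera_offline_during_delivery", a, b))
    return alerts

# Constructed sample data: heartbeats every 2 s, with a 24 s hole in the first set.
HB_GAP = list(range(1000, 1022, 2)) + list(range(1044, 1062, 2))
HB_OK = list(range(2000, 2040, 2))

if __name__ == "__main__":
    print(audit_delivery(Delivery(1004, 1050), HB_GAP))   # camera dropped mid-delivery
    print(audit_delivery(Delivery(2002, 2030), HB_OK))    # clean delivery
    print(audit_delivery(Delivery(1004, None), HB_GAP))   # lock never confirmed
```
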