The Amazon Key service always seemed like a bad idea, at least to me. The more control you hand over to a company’s software for vital security functions, such as locking your front door, the more potential access a threat actor has to you. The service, which works in conjunction with the Cloud Cam security camera, is used most notably to allow Amazon couriers to leave packages inside your home rather than on the front porch. This sounded like a recipe for a cybersecurity nightmare, and as researchers have recently discovered, that isn’t far from the truth.
A report by the Seattle penetration testing firm Rhino Security Labs is making waves in technology news, as it shows an attack that can allow anyone to access your front door. The proof-of-concept attack, demonstrated in this video, shows how a technologically savvy individual can turn off the Cloud Cam and override the Amazon Key. What is being dubbed a “de-authentication attack” is made possible through WiFi weaknesses that allow a criminal to repeatedly block the signal, which causes the camera to freeze on the last image it streamed. In that window, the individual can enter the home (provided they block the signal before the Key relocks the door) and then reactivate the Cloud Cam once they are done with the intrusion.
Amazon has tried to downplay the issue, stating that it isn’t the Key service or the Cloud Cam that is vulnerable, but rather the WiFi. They are technically correct in this regard; however, the fact remains that this is still an attack that relies on a core function of the Cloud Cam (i.e. its WiFi connection). Amazon also stated that its employees are trained to recognize lock malfunctions, but as we all know, there is always room for human error, even with “training.”
To remedy this issue, Amazon stated that it will “deploy an update to more quickly provide notifications if the camera goes offline during delivery.” Rhino Security Labs acknowledged that this is a good first step, but recommended pushing the security further with “local offline storage of video from the Cloud Cam for post-intrusion analysis.” I would add a further step that involves law enforcement, much as a regular monitored security system does: if any suspicious activity is detected, a law enforcement officer can be sent to the location to investigate at the press of a button.
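The detection Amazon describes (notify when the camera goes offline during a delivery) boils down to correlating two event streams: camera heartbeats and lock unlock/relock events. The following Python is an added illustration of that correlation, not code from Amazon, Rhino Security Labs, or the Cloud Cam; it assumes a hypothetical camera that emits a heartbeat every few seconds and a lock that reports unlock and relock timestamps, and all timestamps below are constructed sample data. It also handles the case the attack exploits: a delivery whose relock event never arrives is treated as still open, so a late outage still raises an alert.

```python
"""Heartbeat-gap detector: flags camera outages that overlap a delivery window.

Added example, not Amazon's or Rhino Security Labs' code. Assumes a camera
that emits a heartbeat every HEARTBEAT_SECS and a lock that reports
(unlock_ts, relock_ts) per delivery. All data here is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEARTBEAT_SECS = 5        # assumed heartbeat cadence of the camera
MAX_SILENCE_SECS = 15     # three missed heartbeats -> treat camera as offline


@dataclass(frozen=True)
class Outage:
    start: int            # last heartbeat seen before the silence
    end: int              # first heartbeat after the silence, or end of log


@dataclass(frozen=True)
class Alert:
    delivery_id: str
    outage: Outage
    overlap_secs: int


def find_outages(heartbeats: List[int], log_end: int,
                 max_silence: int = MAX_SILENCE_SECS) -> List[Outage]:
    """Return every gap between consecutive heartbeats longer than max_silence.

    A trailing silence (the camera never came back before log_end) also counts,
    which is what a frozen feed at the end of a delivery looks like.
    """
    beats = sorted(heartbeats)
    outages = []
    for prev, nxt in zip(beats, beats[1:]):
        if nxt - prev > max_silence:
            outages.append(Outage(prev, nxt))
    if beats and log_end - beats[-1] > max_silence:
        outages.append(Outage(beats[-1], log_end))
    return outages


def overlap(a_start: int, a_end: int, b_start: int, b_end: int) -> int:
    """Seconds shared by intervals [a_start, a_end] and [b_start, b_end]."""
    return max(0, min(a_end, b_end) - max(a_start, b_start))


def alerts_for_deliveries(heartbeats: List[int],
                          deliveries: List[Tuple[str, int, Optional[int]]],
                          log_end: int) -> List[Alert]:
    """Raise an Alert for each (delivery, outage) pair that overlaps in time.

    A relock_ts of None means the lock has not reported relocking; the window
    is kept open until log_end so a missing relock fails closed, not open.
    """
    alerts = []
    outages = find_outages(heartbeats, log_end)
    for delivery_id, unlock_ts, relock_ts in deliveries:
        window_end = log_end if relock_ts is None else relock_ts
        for o in outages:
            secs = overlap(o.start, o.end, unlock_ts, window_end)
            if secs > 0:
                alerts.append(Alert(delivery_id, o, secs))
    return alerts


# Constructed sample data: one mid-log silence (30 -> 65) and a trailing one.
HEARTBEATS = [0, 5, 10, 15, 20, 25, 30, 65, 70, 75, 80, 85, 90, 95, 100, 105, 110]
LOG_END = 130
DELIVERIES = [
    ("d-1", 20, 60),      # camera went silent while the door was unlocked
    ("d-2", 100, None),   # relock never reported; camera silent at end of log
    ("d-3", 70, 90),      # clean delivery, camera online throughout
]


def demo() -> List[Alert]:
    return alerts_for_deliveries(HEARTBEATS, DELIVERIES, LOG_END)


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a.delivery_id}: camera offline {a.outage.start}-{a.outage.end}s, "
              f"{a.overlap_secs}s inside the delivery window")
```

Only d-1 and d-2 are flagged; d-3 has no overlapping outage. Running the check locally on the camera or a home hub, rather than only in the cloud, is what makes it useful against the scenario described above, since the cloud side sees nothing while the link is jammed.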
Amazon is trying to revolutionize delivery, but whether it will be for the better remains to be seen.
Photo credit: Flickr / Mike Seyfang