Just one week after Amazon unveiled Amazon Key, a concept that would enable couriers to let themselves in to people's homes in order to make deliveries, security specialists have warned of security flaws that could enable rogue couriers to clean out people's homes instead.
Amazon Key uses a smart lock from Yale or Kwikset, plus an Amazon Cloud Cam security camera. Couriers can enter the property after scanning a barcode, which is checked against Amazon's own records in the cloud to make sure that they're in the right place at the right time.
The camera also records the delivery, providing reassurance that the courier will only leave a package behind and not have a nose around people's houses.
However, security researchers claim to have been able to hack and freeze the Cloud Cam using a computer (or, the researchers point out, a handheld device built using a Raspberry Pi) within WiFi range.
A rogue courier could make a delivery and leave the property as normal, but disable the system before the door is re-locked. The frozen camera would not show them returning to the house, and it is up to them to relock the door.
Researchers at Rhino Labs discovered the vulnerability. Founder Ben Caudill told Wired, "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."
The technique, known as deauth (because it sends a series of deauthorisation commands to the Cloud Cam), is an issue for most WiFi devices. An attacker can spoof commands from a router that can kick a device off of a WiFi network temporarily.
The danger comes from the complete lack of alert from the Amazon Key: the camera doesn't go dark or send a warning to the homeowner, but only shows the last frame from when it was connected.
In a statement, Amazon said: "We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."
Malwarebytes published a warning about Amazon's Key service just after it was announced, specifically mentioning the vulnerability of WiFi compared to alternatives like Bluetooth LE.
Molybdenum ditelluride is a two-dimensional material that can be easily stacked into multiple layers to create a memory cell
New light-guiding nanoscale device can control and monitor a nanoparticle trapped in a laser beam with high sensitivity
Optical traps are scientific instruments in which a focused laser beam is used to exert an attractive or repulsive force on a microscopic object to hold it in place
Scientists estimate that the exoplanet has already lost up to 35 per cent of its mass over its lifetime
The observations were made using the Atacama Array in the Chilean desert