Just one week after Amazon unveiled Amazon Key, a concept that would enable couriers to let themselves in to people's homes in order to make deliveries, security specialists have warned of security flaws that could enable rogue couriers to clean out people's homes instead.
Amazon Key uses a smart lock from Yale or Kwikset, plus an Amazon Cloud Cam security camera. Couriers can enter the property after scanning a barcode, which is checked against Amazon's own records in the cloud to make sure that they're in the right place at the right time.
The camera also records the delivery, providing reassurance that the courier will only leave a package behind and not have a nose around people's houses.
However, security researchers claim to have been able to hack and freeze the Cloud Cam using a computer (or, the researchers point out, a handheld device built using a Raspberry Pi) within WiFi range.
A rogue courier could make a delivery and leave the property as normal, but disable the system before the door is re-locked. The frozen camera would not show them returning to the house, and it is up to them to relock the door.
Researchers at Rhino Labs discovered the vulnerability. Founder Ben Caudill told Wired, "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."
The technique, known as deauth (because it sends a series of deauthorisation commands to the Cloud Cam), is an issue for most WiFi devices. An attacker can spoof commands from a router that can kick a device off of a WiFi network temporarily.
The danger comes from the complete lack of alert from the Amazon Key: the camera doesn't go dark or send a warning to the homeowner, but only shows the last frame from when it was connected.
In a statement, Amazon said: "We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."
Malwarebytes published a warning about Amazon's Key service just after it was announced, specifically mentioning the vulnerability of WiFi compared to alternatives like Bluetooth LE.
Claims to have "the most competitive logic density" in the industry
Dell's high-end mobile workstations upgraded with Intel Coffee Lake CPUs
Webstresser admins were also arrested in the UK, Croatia, Canada and Serbia
Security firm claims that 117,638 sites out of 135,035 analysed contain serious security flaws