Last month we reported on Amazon’s upcoming delivery service called Amazon Key. It is an electronic lock and camera combo that will allow deliveries to be placed just inside the door rather than on the porch. The lock will let delivery drivers inside with a temporary code; the camera, which is focused on the door, records to ensure the drivers only make the delivery rather than doing a little home shopping of their own.
The service officially launched on November 8 and researchers at Seattle’s Rhino Security Labs have already discovered an exploit that critically damages confidence in the system.
It seems that the camera can be relatively quickly disabled using a DoS attack from any computer that is within Wi-Fi range. What’s worse is that the camera is not just disabled but the picture is frozen. Anyone watching it live or recorded only sees the closed door and not the delivery driver making off with the TV or other household items.
Oh, but it gets worse. Once the camera is kicked off the network, it disables the lock as well because it does not operate on its own connection — it piggybacks on the camera’s Wi-Fi connection. The driver can just enter the code, drop off the package and leave, then disable the whole system and reenter for as long as he wishes.
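The frozen picture described above is dangerous because a stalled feed looks the same as a quiet doorway. As an added example (not Amazon's or Rhino Security Labs' code), the following sketch shows a monitoring-side check that reports stretches of a delivery window with no new frames instead of silently showing the last one; the function names, the 2-second threshold and the sample timestamps are all assumptions constructed for illustration.

```python
from typing import Iterable, List, Tuple

# Assumed threshold: longest silence (seconds) tolerated between frames.
MAX_GAP = 2.0


def coverage_gaps(frame_times: Iterable[float],
                  window: Tuple[float, float],
                  max_gap: float = MAX_GAP) -> List[Tuple[float, float]]:
    """Return (start, end) spans inside `window` where no frame arrived
    for longer than `max_gap` seconds."""
    start, end = window
    gaps = []
    prev = start  # last moment known to be covered by video
    for t in sorted(x for x in frame_times if start <= x <= end):
        if t - prev > max_gap:
            gaps.append((prev, t))
        prev = t
    # A feed that never comes back leaves a gap up to the window's end.
    if end - prev > max_gap:
        gaps.append((prev, end))
    return gaps


def delivery_status(frame_times: Iterable[float],
                    window: Tuple[float, float]) -> dict:
    """Classify a delivery as verified only if video covered the whole window."""
    gaps = coverage_gaps(frame_times, window)
    return {
        "verified": not gaps,
        "gaps": gaps,
        "uncovered_seconds": sum(e - s for s, e in gaps),
    }


# Constructed sample: one frame per second, the feed stalls at t=20
# and resumes at t=48, inside a 60-second delivery window.
SAMPLE_FRAMES = list(range(0, 21)) + list(range(48, 61))
SAMPLE_WINDOW = (0, 60)

if __name__ == "__main__":
    print(delivery_status(SAMPLE_FRAMES, SAMPLE_WINDOW))
```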
This flaw completely hobbles Amazon’s new delivery program and undermines any confidence that consumers might have had in what seems like a sketchy idea in the first place.
“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Ben Caudill, the founder of Rhino Security Labs, told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
A delivery driver with the skills and guts to execute the attack is probably relatively rare, but that is no defense for the flaw. That would be like saying it’s okay if your lock is broken because most of your neighbors are honest.
After being presented with the findings, Amazon stated that it plans to send out an automatic update later this week that will plug the security hole. Whether that will be enough to restore confidence in Amazon Key remains to be seen.