Researchers from Rhino Labs, a Seattle-based network vulnerability firm, have discovered a flaw in Amazon Key that could potentially be taken advantage of by criminals.
Rhino Labs produced a demonstration video showing how the flaw can be exploited.
The issue stems from the way Amazon Key grants drivers access to a client’s home: an app unlocks the door while a web-connected camera records the whole scene. A bug in the software, however, could allow hackers to freeze the camera’s image so that it shows the door securely closed, which can allow things to be taken without being recorded.
This happens because when the camera is temporarily taken offline, which can last as long as the hacker keeps sending their command, Amazon’s Cloud Cam responds by freezing on the final frame that had been filmed. Reportedly, the freezing flaw is a common issue among gadgets that make use of WiFi.
The product, which costs around $249.99, is only available in 37 cities and their surrounding areas across the United States. Although it is believed that Amazon hopes to expand the service’s reach, it is currently unknown whether the program will be expanded outside of the country.
Amazon’s response: ‘We will deploy an update to more quickly provide notifications’
Rhino Labs founder Ben Caudill explained:
“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution.
Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.
As a partially trusted Amazon delivery person, you can compromise the security of anyone’s house you have temporary access to without any logs or entries that would be unusual or suspicious.”
According to Wired, a spokesperson for Amazon has stated that the company has been made aware of the issue and explained how they planned to address it.
“We currently notify customers if the camera is offline for an extended period.
Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
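The mitigation Amazon describes amounts to correlating camera availability with the time the door is unlocked. A sketch of that check follows as an added example (not Amazon's or Rhino Labs' code); the heartbeat feed, the delivery windows, and every name and value in it are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: camera heartbeats every 5 s, silent from 60 s to 100 s.
T0 = datetime(2017, 11, 16, 14, 0, 0)
HEARTBEATS = [T0 + timedelta(seconds=s)
              for s in list(range(0, 65, 5)) + list(range(100, 185, 5))]
LOG_END = T0 + timedelta(seconds=210)  # when the log was collected
# Constructed delivery windows: (id, door unlocked, door locked again).
DELIVERIES = [
    ("D-1", T0 + timedelta(seconds=10), T0 + timedelta(seconds=40)),
    ("D-2", T0 + timedelta(seconds=55), T0 + timedelta(seconds=110)),
    ("D-3", T0 + timedelta(seconds=170), T0 + timedelta(seconds=200)),
]
MAX_INTERVAL = timedelta(seconds=10)  # hypothetical tolerance between heartbeats


def camera_gaps(heartbeats, log_end, max_interval=MAX_INTERVAL):
    """Return (start, end) spans in which no heartbeat arrived in time."""
    if not heartbeats:
        # No heartbeat at all: the camera was never seen online.
        return [(datetime.min, log_end)]
    # Appending log_end catches a camera that is still silent at collection time.
    points = sorted(heartbeats) + [log_end]
    return [(prev, cur) for prev, cur in zip(points, points[1:])
            if cur - prev > max_interval]


def flag_deliveries(deliveries, heartbeats, log_end, max_interval=MAX_INTERVAL):
    """Return (delivery id, unrecorded seconds) for unlocked windows that
    overlap a camera outage. A gap starts at the last heartbeat seen, so the
    figure is an upper bound on the unrecorded time."""
    gaps = camera_gaps(heartbeats, log_end, max_interval)
    flagged = []
    for delivery_id, unlocked, locked in deliveries:
        blind = timedelta(0)
        for start, end in gaps:
            if start < locked and end > unlocked:  # intervals overlap
                blind += min(end, locked) - max(start, unlocked)
        if blind:
            flagged.append((delivery_id, blind.total_seconds()))
    return flagged


if __name__ == "__main__":
    for delivery_id, seconds in flag_deliveries(DELIVERIES, HEARTBEATS, LOG_END):
        print(f"{delivery_id}: camera offline for up to {seconds:.0f}s while unlocked")
```

Because a frozen last frame looks like a live feed to the viewer, the check relies on heartbeat timing rather than on the image itself.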