Amazon Key, a brand new service launched in October, offers deliveries inside Amazon Prime members' homes. A security camera, Cloud Cam, records the delivery and lets Amazon customers watch it live or view the recording later.
However, researchers at Rhino Security Labs detected a vulnerability in this brand new service and the Cloud Cam security camera. By exploiting it, a rogue courier could potentially disable the camera and make it appear that no one is entering a home.
The new Amazon Key service gives homeowners the opportunity to remotely unlock their home, and it works together with the Amazon Cloud Cam security camera. Customers can permit couriers to authenticate themselves so that they can leave a package inside the house.
Amazon Key customers use the Amazon Key app to unlock and lock their front door, monitor it, and receive delivery alerts.
Security researchers at Rhino Security Labs detected the flaw and provided an overview:
To summarize the security flaw, an attacker sends a command to de-authenticate the Cloud Cam device from the wireless network. The camera is then considered offline and it attempts to reconnect to the wireless network. This simple action renders the camera useless while it recovers its connection.
As a proof of concept of the flaw, researchers at Rhino also built a program that can send a request from the Wi-Fi router which stops the Cloud Cam camera from working. In addition, a demonstration of the DoS attack PoC is provided.
The video presents a de-authentication attack: a courier unlocks the door via the Amazon Key mobile app while the attacker transmits a de-authentication command that temporarily turns off the Cloud Cam.
Amazon responded to the security concerns, stating: “We currently notify customers if the camera is offline for an extended period… Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.”
Amazon also noted that the Rhino Labs PoC illustrates the technical nature of the attack and shows that the root of the threat lies in the Wi-Fi protocol and not in Amazon hardware. In addition, it is worth noting that Amazon couriers are monitored and recorded, so even if one of them broke into a house, the criminal would be quickly identified and found.
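The check Amazon describes, alerting when the camera goes offline during a delivery, can be sketched as a correlation between camera check-ins and door-unlock windows. The following is an added example, not Amazon's or Rhino's code; the heartbeat interval, the event format, and all names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 5  # assumed: seconds between camera check-ins
MAX_MISSED = 2          # assumed: intervals that may be missed before "offline"

@dataclass
class Delivery:
    order_id: str   # hypothetical identifier
    unlock_ts: int  # second at which the door was unlocked
    lock_ts: int    # second at which the door was locked again

def offline_gaps(heartbeats, end_ts=None):
    """Return (start, end) spans in which the camera missed its check-ins.

    end_ts marks the end of the observation period, so a camera that has
    not reconnected yet still produces a trailing gap.
    """
    beats = sorted(heartbeats)
    if end_ts is not None:
        beats.append(end_ts)
    limit = HEARTBEAT_INTERVAL * MAX_MISSED
    return [(a, b) for a, b in zip(beats, beats[1:]) if b - a > limit]

def flag_deliveries(deliveries, heartbeats, end_ts=None):
    """Return (order_id, overlaps) for deliveries whose unlocked window
    overlaps a span in which the camera was offline."""
    gaps = offline_gaps(heartbeats, end_ts)
    flagged = []
    for d in deliveries:
        overlaps = [(max(start, d.unlock_ts), min(end, d.lock_ts))
                    for start, end in gaps
                    if start < d.lock_ts and end > d.unlock_ts]
        if overlaps:
            flagged.append((d.order_id, overlaps))
    return flagged

# Constructed sample data: the camera is silent between t=95 and t=140.
HEARTBEATS = list(range(0, 100, 5)) + list(range(140, 300, 5))
DELIVERIES = [
    Delivery("order-A", 20, 60),    # camera online throughout
    Delivery("order-B", 90, 150),   # door unlocked while the camera was offline
    Delivery("order-C", 200, 240),  # camera online throughout
]

if __name__ == "__main__":
    for order_id, overlaps in flag_deliveries(DELIVERIES, HEARTBEATS):
        print(f"ALERT {order_id}: camera offline while unlocked during {overlaps}")
```

A short tolerance shortens the time a disconnected camera goes unnoticed, at the cost of more alerts on a flaky Wi-Fi link.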