Amazon Key hacked: Tech-savvy couriers could exploit cameras and sneak into homes
"Amazon Key" smart lock system could be exploited by tech-savvy delivery drivers.
Amazon has pledged to release a security patch after a team of cybersecurity researchers showed its delivery service, which lets couriers inside homes, could be hacked.
Security-wise, the proposition of dropping off packages inside houses was always going to be a tough sell. And according to US firm Rhino Security Labs, issues in camera software linked to the "Amazon Key" smart lock system could be exploited by tech-savvy delivery drivers.
The new approach to drop-offs, announced on 25 October, is built upon a mobile application and a camera known as the Cloud Cam, which lets users watch the delivery as it's happening in real time.
Upon arrival, couriers scan a barcode to confirm their identity and the details of the order, after which the camera automatically starts recording.
The smart lock then opens the door and, while the home-owner watches the delivery, the application later sends a notification when the entrance is closed again.
Updates and notifications are provided at every step.
But according to Rhino Security Labs, a Wi-Fi cyberattack could disable the camera – essentially freezing the image on the application to make it look like the front door is shut and locked. The attack does this with a technique known as "deauthorisation".
"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, the founder of Rhino Security Labs, told Wired.
"Disabling that camera on command is a pretty powerful capability when you're talking about environments, where you're relying heavily on that being a critical safety mechanism."
The company has also uploaded a proof-of-concept demo of the hack in action to YouTube.
In response, Amazon has confirmed a fix is on the way "later this week" that will give users a notification if the camera is tampered with or offline for an extended period of time. It stressed that all of its drivers go through "comprehensive" background checks.
"Safety and security are built into every aspect of the service," a spokesperson said, adding: "The service will not unlock the door if the Wi-Fi is disabled and the camera is not online."