A month after Amazon launched Amazon Key, security experts have already identified a flaw in the device's mode of operation that could allow rogue deliverymen to re-enter customer homes without being recorded.
The flaw is specific to Amazon Key, a product that is made up from the Amazon Cloud Cam smart security camera and compatible smart door locks.
Amazon launched Amazon Key at the end of October. The company said Amazon Key will work as a classic home surveillance system, but will also allow authorized deliverymen to open doors while the homeowner is away and drop off packages the user has ordered from Amazon.
Amazon Key susceptible to WiFi deauth attacks
The device raised some privacy concerns right from the start, but it only got worse today when Rhino Security published research showing how they could exploit a simple bug in Amazon Key's WiFi connection to hide re-entries into user's apartments.
The bug is not even that complex, being a simple deauth attack on the Amazon Key's WiFi system. Wi-Fi deauthentication attacks make a device disconnect from its WiFi network, and they've been known for years. There are also tens of toolkits for automating such attacks.
Rhino researchers say that a rogue deliveryman could enter a home protected by an Amazon Key service, deliver his package, and on his way out trigger a simple WiFi deauth attack that makes the Key's Cloud Cam go offline.
Design issues make attack invisible to homeowners
Because of the way the Cloud Cam was designed, it won't show an error to the user watching a live video feed, but show a previously recorded image and a buffering icon. This previously recorded image is usually a closed door as the deliveryman has just exited the apartment. Because the Cloud Cam is offline and also functions as its own access point, it will also affect the smart door lock, which will fail to lock the door.
While the home owner's screen is locked in this state, the deliveryman can re-enter a home, stop the deauth attack, and allow the feed to refresh, and the smart door lock to lock the door and send a lock message to the homeowner's phone app. Only the door unlock and door lock events will appear in the app, making the user think everything has gone according to plan and the delivery man has left his home.
After this, the rogue deliveryman can move around the house unimpeded, and after the user has stopped watching the live feed, he can launch subsequent deauth attacks to mask leaving the home with stolen goods.
Rhino Security argues that Amazon is now faced with two possible solutions. One is to provide a software patch that notifies the user when the camera goes offline because of a WiFi issue, while the other is a hardware-related fix that implies upgrading the Cloud Cam with more storage space to cache video streams while the camera is offline and until it reconnects to the WiFi network.
A video of the Amazon Key attack carried out by Rhino Security experts is available below.
Comments
Occasional - 6 years ago
Maybe Amazon was thinking "Don't worry about vulnerabilities; with all the class action lawsuits generated by the cybersecurity failures in 2017 already, it will be years before there'll be room on the court docket for this one. The important thing is to get it out in time for Black Friday."