A Seattle-based group of cybersecurity researchers has demonstrated a way to knock Amazon’s new security camera offline, a capability that could enable malicious delivery drivers for the online retailer’s new in-home delivery service to snoop around a house undetected.
Amazon Key, which became available to customers last week, gives Amazon delivery drivers one-time access to a residence to drop off a package. The program, designed to eliminate the theft of packages left outside a home and to open up the potential for remote authorization of other home services, is a test of whether consumers trust Amazon enough to give the online retailer access to the front door.
It relies on two pieces of hardware: a smart lock, and Cloud Cam, which communicates with Amazon’s servers to authorize the driver to unlock the door, and then records the delivery, beaming live or recorded video to a smartphone app to give the homeowner peace of mind.
Rhino Security Labs, a security research outfit based in Capitol Hill, showed that it could exploit a weakness in the Wi-Fi protocol that Cloud Cam and many other devices use to communicate with their router. A savvy hacker within Wi-Fi range can send a series of “deauthorization” commands to a specific device, temporarily severing its link to the internet.
In the case of Amazon’s Cloud Cam, that means the camera would stop recording and sending images to Amazon’s servers. A delivery driver who had already received approval to unlock the front door could, before exiting and locking the door, roam inside without being recorded. Or, as demonstrated in a video posted by Rhino, leave the home and re-enter undetected.
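A defender's view of the traffic described above, as an added example that is not part of the original article or of Rhino Security Labs' work: it parses raw 802.11 deauthentication frames (the "deauthorization" commands the article refers to) and flags any device that receives a burst of them. The MAC addresses, the 5-second window, the threshold of 10 and the sample frames are constructed assumptions, and frames are assumed to have any radiotap header already stripped.

```python
import struct
from collections import defaultdict

# Frame-control byte 0 of a deauthentication frame:
# protocol version 0, type 0 (management), subtype 12.
DEAUTH_FC0 = 0xC0

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dest, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    dest, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return mac(dest), mac(src), mac(bssid), reason

def find_bursts(capture, window=5.0, threshold=10):
    """capture: (timestamp_seconds, raw_frame) pairs in time order.
    Returns {station: peak deauth count seen within any `window` seconds}
    for stations whose peak reaches `threshold`."""
    times = defaultdict(list)
    for ts, raw in capture:
        parsed = parse_deauth(raw)
        if parsed:
            times[parsed[0]].append(ts)
    alerts = {}
    for station, stamps in times.items():
        peak, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[station] = peak
    return alerts

def _sample_frame(dest, src, bssid, reason):
    """Constructed test data only: header fields plus a reason code."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([DEAUTH_FC0, 0, 0, 0]) + h(dest) + h(src) + h(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

# Constructed capture: locally administered placeholder addresses.
CAMERA, PHONE, AP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"
SAMPLE = [(i * 0.1, _sample_frame(CAMERA, AP, AP, 7)) for i in range(30)]  # burst at the camera
SAMPLE.append((40.0, _sample_frame(PHONE, AP, AP, 3)))  # a single, ordinary deauth
SAMPLE.append((41.0, bytes([0x80]) + bytes(40)))        # a beacon-type frame, ignored

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

A lone deauthentication frame is normal when a device leaves a network, which is why the check keys on the rate per destination rather than on the frame type alone.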
Part of the problem, Rhino Chief Executive Benjamin Caudill said, is that during such internet interruptions, Cloud Cam doesn’t immediately go dark or tell the user it is offline. The company’s test…