Was it just the other week when we were talking about Amazon Key and how our convenience is becoming more important than our privacy if we start allowing delivery guys to enter our homes when we’re not there? Well, it seems that those safety concerns everyone had aren’t without cause, as security experts have managed to identify a flaw in the way the device works that could allow anyone to re-enter a customer’s home without being recorded.
As a reminder, the Amazon Key system works by pairing a smart lock and a smart security cam. Every time a delivery is scheduled, they’ll get an authorization key that grants them access to your home. Once this happens, the smart cam captures the footage and allows you to see it from anywhere you are, on your smartphone. You can replay the video anytime you want. The system is supposed to work not only with Amazon deliveries but also other services that might require access to your home when you’re not there, like a cleaning crew.
There are about a million privacy concerns that come with this type of system, especially since our homes are the last places where we know we can be ourselves completely, without keeping any kind of secrets. After all, it’s bad enough to know that in just a few years 75% of our cybersecrets will be out in the open because we just won’t be able to keep them hidden anymore. And yet, this type of technology is exactly what we’ll see in the future at every corner, because we will put our convenience above our privacy as the sheer notion of privacy shifts once more.
Now, with the discoveries made by researchers, we can add security issues to the list of concerns too. The bug found by Rhino Security isn’t extremely complex, but it can, nonetheless, be exploited in order to hide re-entries into users’ home.
In short, the bug allows a WiFi deauthentication attack which disconnects the smart door lock from the WiFi network. This type of attack isn’t anything new, and they’ve been known for years. The new part is how it can be applied to Amazon Key.
Researchers from Rhino Security paint a picture where a rogue deliveryman brings a package, puts it in the hallway with the help of Amazon Key, and on his way out he triggers a WiFi deauth attack, putting the Cloud Cam offline.
The design of the Cloud Came makes it so that users won’t even get an error when watching the live feed; instead, they’ll get to see a previously recorded image and a buffering icon.
“To summarize the security flaw, an attacker sends a command to de-authenticate the Cloud Cam device from the wireless network. The camera is then considered offline and it attempts to reconnect to the wireless network. This simple action renders the camera useless while it recovers its connection. What makes the Amazon Key case interesting is that the Amazon Cloud Cam itself functions as the router for Amazon Key. The cam will route commands to the door deadbolt, record deliveries, and give a real-time view of events. Because the Cloud Cam is necessary to send Amazon Key instructions to lock the door, an attack on the Cloud Cam can be considered an attack on the Amazon Key because it affects Key’s functionality,” the blog post reads.
Therefore, this is a pretty big problem that can’t be easily fixed as it’s something ingrained in the way the system work. Researchers suggest Amazon can either provide a software patch that notifies the user when the camera goes offline due to WiFi connectivity issues, or upgrade the hardware of the Cloud Cam with more storage space to cache video streams even if the connection to the Internet is lost.
That being said, as the Hyponnen law states, “whenever an appliance is described as being “smart”, it’s vulnerable,” and that’s obviously the case here.