Researchers at Rhino Security Labs identified a flaw in Amazon’s Key delivery service and Cloud Cam security camera that allows a rogue courier to tamper with the camera and knock it offline, making it appear no one is entering home, when that’s not the case.
Amazon Key service allows homeowners to remotely unlock and lock their front door for visitors. The service works in conjunction with Amazon’s Cloud Cam security camera. And if a user is a Prime member, they can permit Amazon couriers authenticate themselves in order to unlock and relock the door to leave a package inside a home on their own.
Remote homeowners use the Amazon Key app to monitor their front door via a video feed and receive Amazon delivery alerts. Amazon Prime delivery people also use a version of the Amazon Key app to unlock and lock a customer door.
Rhino Labs researchers developed a program that can forge a request from the Wi-Fi router the Cloud Cam device is connected with that tells the camera to stop working. The byproduct of that action is a frozen image displayed on the video feed of the Amazon Key app making it appear the user’s front door is securely shut.
In a proof of concept of the flaw, demonstrated by Rhino Labs in a video, researchers created what they call a de-authentication attack. After a courier unlocks the front door using the Amazon Key app, the attacker sends a de-authorization command to the Cloud Cam, temporarily turning the camera off.
The Rhino PoC attack doesn’t just block the Wi-Fi signal once, it does it repeatedly. By doing so, the image viewed on the Amazon Key app freezes until the Wi-Fi jamming ceases. Next, a rogue delivery person could unlock the door and surreptitiously enter the house without being seen on the Cloud Cam feed.
According to a write-up published in Wired, Rhino Labs researchers point out the hack is not a vulnerability, but a shortcoming of Wi-Fi devices that allows anyone to fake a command from a Wi-Fi router and temporarily knock a device off the Wi-Fi network.
On Thursday Amazon released a statement saying “We currently notify customers if the camera is offline for an extended period… Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
Amazon added, “The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.”
Amazon maintains the Rhino Labs PoC hack poses little risk to customers because of the technical nature of the attack. It also emphasizes the root of the problem is tied to an issues with the Wi-Fi protocol, not its hardware. Additionally, Amazon points out its delivery drivers actions are recorded and if a house was broken into the driver would be quickly identified.
But, Rhino Labs researchers said it’s possible for a malicious third-party to follow around an Amazon delivery person and send a de-authorization signal just as the door was shutting preventing the remote wireless Amazon Key lock from locking.
Amazon responded and said that type of attack is even less likely to succeed, because it’s policy to double-check a door is locked after every delivery. Additionally, Amazon said, a driver would likely find it suspicious during a “extended locking” message that would eventually time-out with an error on its Amazon Key app.
Rhino Labs said a fix that immediately notifies Amazon Key users their services is being tampered with is a good first step toward thwarting the hack. A better solution would be local offline storage of video from the Cloud Cam for post-intrusion analysis.