The security behind Amazon’s Key device has been called into question again.
A researcher discovered a way to break into a home that’s protected by Amazon Key, a device that lets deliverymen enter your property by unlocking your door from an app, while the delivery is recorded by a web-connected camera called the Cloud Cam.
The hack involves placing a Raspberry Pi minicomputer near the person’s door so that it interferes with the Amazon Key’s WiFi connection, according to MG, the pseudonymous researcher who discovered the hack.
When deliverymen arrive at a house using Amazon Key, they press a button inside the app that unlocks the door. After they deposit a parcel, they press the button again to lock the user’s door.
MG programmed the Raspberry Pi to detect Amazon Key hardware and launch the attack automatically when a door event occurs, i.e. when a deliveryman drops off a package.
The hacker then creates a flood of frames on the Key’s Cloud Cam, which disconnects the camera.
‘If the timing is right, you prevent a response from the lock informing the consumer app from knowing that the lock event was successful,’ MG wrote in a blog post.
‘For whatever reason, the app was not created to handle this error condition,’ he added.
It tricks the user into thinking that the door has been locked, when in reality, the door remains open and vulnerable to burglars.
‘The user interface is also nonresponsive, which opens up the opportunity for an inattentive user to believe they actually pressed the button requesting a re-lock,’ MG noted.
What’s more, MG included a sound of the lock motor re-locking at the appropriate time, ‘for added deception.’
A researcher claims to have found a way to disable the Amazon Key app by placing a minicomputer nearby that can interfere with the WiFi connection. After a deliveryman drops off a package and attempts to lock the door, the door still remains open.
The Raspberry Pi can also send a notification alerting the attacker that the house is open.
MG explained how the attack works in a video posted to Twitter on Sunday.
Amazon has since responded to MG’s theorized hack and said the vulnerability isn’t really worth worrying about.
To start, Amazon noted that the vulnerability described doesn’t involve a ‘real-life delivery scenario.’
‘The driver does not leave without physically checking that the door is locked,’ Kristen Kish, an Amazon spokesperson, told Motherboard.
‘This is not a real-life delivery scenario as the security features built into the delivery application technology used for in-home delivery are not being used in the demonstration,’ she said.
The hacker creates a flood of frames on Amazon’s Cloud Cam (pictured), disconnecting the camera. ‘If the timing is right,’ it prevents the app from notifying the user that the door locked.
Amazon added that the driver’s app is different from the consumer-facing version, MG noted.
The Key app also has a variety of safeguards in place to prevent these kinds of things from happening, including a system that tracks how long the door is open, monitors communication to the camera and makes sure the lock is not interrupted.
It also makes sure that the door is securely locked, the firm said.
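The failure MG describes (a lost lock confirmation that the app never treats as an error) and the safeguards Amazon lists (door-open timer, camera link monitoring, an uninterrupted lock event) can be contrasted in a small model. This is an added example, not Amazon’s or MG’s code; the event fields, thresholds and the optimistic behaviour of the naive handler are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class LockState(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    UNKNOWN = "unknown"  # no trustworthy confirmation; must never be rendered as "locked"


@dataclass
class Event:
    """What the app can observe after a re-lock request (constructed model, not the real protocol)."""
    lock_confirmed: Optional[bool]  # True/False reported by the lock, None if the reply never arrived
    waited_s: float                 # seconds since the re-lock was requested
    camera_online: bool             # whether the Cloud Cam link stayed up during the lock event
    door_open_s: float              # how long the door has been open in this delivery


@dataclass
class Verdict:
    state: LockState
    alerts: List[str] = field(default_factory=list)


# Thresholds are assumptions for the example, not values from the article or from Amazon.
CONFIRM_TIMEOUT_S = 10.0
MAX_DOOR_OPEN_S = 300.0


def naive_relock(ev: Event) -> Verdict:
    """Modelled weak handling: the display is set optimistically on the tap and only an
    explicit failure reply reverts it, so a reply that never arrives leaves 'locked' on screen."""
    if ev.lock_confirmed is False:
        return Verdict(LockState.UNLOCKED, ["lock reported failure"])
    return Verdict(LockState.LOCKED)


def failsafe_relock(ev: Event) -> Verdict:
    """Fail-safe handling: a missing confirmation resolves to UNKNOWN, and a dropped camera
    link or an over-long open door raises an alert instead of being silently ignored."""
    alerts: List[str] = []
    if ev.lock_confirmed is None:
        state = LockState.UNKNOWN
        alerts.append("awaiting lock confirmation" if ev.waited_s < CONFIRM_TIMEOUT_S
                      else "no lock confirmation within timeout; re-verify the lock")
    elif ev.lock_confirmed:
        state = LockState.LOCKED
    else:
        state = LockState.UNLOCKED
        alerts.append("lock reported failure")
    if not ev.camera_online:
        alerts.append("camera offline during lock event; treat the result as unverified")
    if ev.door_open_s > MAX_DOOR_OPEN_S:
        alerts.append("door open longer than allowed")
    return Verdict(state, alerts)


def demo():
    """Constructed interrupted-confirmation scenario: no reply, camera knocked offline."""
    ev = Event(lock_confirmed=None, waited_s=12.0, camera_online=False, door_open_s=40.0)
    return naive_relock(ev), failsafe_relock(ev)


if __name__ == "__main__":
    naive, safe = demo()
    print("naive:", naive.state.value)            # locked  (the deception succeeds)
    print("fail-safe:", safe.state.value, safe.alerts)  # unknown, with two alerts
```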
Still, MG told Motherboard that Amazon plans to issue a software patch to fix the issue, despite the fact that it may not be a major threat.
This isn’t the first time a researcher has discovered a security flaw with the Amazon Key.
A bug in the software was exposed in November 2017, shortly after the service’s launch.
This could let hackers freeze images shown on your camera of your door being closed, while criminals are really making off with your prized possessions.
Researchers from Seattle-based network vulnerability firm Rhino Labs discovered the flaw, which utilises a common issue with many WiFi-connected gadgets.
This lets nearby attackers overload them with a series of ‘deauthorisation’ commands.
This takes the camera temporarily offline, for as long as the attacker keeps sending the command.
Amazon’s Cloud Cam responds by freezing on the last frame filmed.
If this was a shot of the door closed and appearing secure, everything would appear normal to anyone watching the live or recorded feed.