Just three weeks after it was announced, an Amazon security camera and door lock created to let courier drivers drop packages in your house when you are away has been hacked and compromised. Although a fix is forthcoming, it just goes to show you that there's always a trade-off between convenience and security, even in meatspace.
That so-called deauth technique isn't exactly a software bug in Cloud Cam. A team led by Ben Caudill, the founder of Seattle-based security firm Rhino Security Labs, discovered the vulnerability and posted a video on YouTube demonstrating the hack.
"An attacker can walk in and leave and you won't be able to see anything, and there won't be a record", said Chris Lakin, an engagement manager at Rhino.
Camera functionality is a critical part of Amazon's security pitch for Key.
Now available in 37 metropolitan markets, Amazon Key can also be used to allow entry for cleaners, dog walkers, repair technicians and visiting relatives, the company announced. The Cloud Cam communicates directly with the smart lock. Whether you trust the company enough to let it inside your house is one question. The driver drops off the package, steps outside and tells Amazon to lock the door. Both live viewing of the camera's stream and its recordings would be impacted. Once the delivery is complete and your door is re-locked, you will get a final notification and can watch a video clip of the delivery.

Wired reports that the Cloud Cam can be knocked off the network via a series of "de-authorization commands". An attacker can spoof commands from a router that can kick a device off of a WiFi network temporarily. It's a known flaw that abuses a feature of the Wi-Fi protocol, but the Cloud Cam does not presently have any countermeasures against it. This permits two different but related attacks, one involving a malicious delivery person, the other a stranger.
To be fair, the likelihood of such a security lapse being used to burgle a house is probably quite low. A deliveryman opens the door, drops a package, then closes the door. The driver then sends a lock request and leaves. The service will also not unlock the door if Wi-Fi is disabled and the camera is offline. We now notify customers if the camera is offline for an extended period.
The smartphone app still freezes on an image of the closed door, but the door remains unlocked until the deauthorization script stops transmitting. No logs of either the camera's hacking or the activity of the lock would be kept.
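A monitoring-side view of the behaviour described above, as an added example that is not from the article, Rhino Security Labs or Amazon: it scans Wi-Fi management-frame records for a sustained run of deauthentication frames aimed at the camera and flags any run that overlaps a period in which the door was unlocked. The MAC addresses, thresholds, frame records and unlock intervals are constructed assumptions.

```python
from dataclasses import dataclass

DEAUTH = 0x0C               # 802.11 management subtype 12: deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    ts: float      # capture time, seconds
    subtype: int   # management frame subtype
    src: str       # claimed sender; unauthenticated, so it proves nothing
    dst: str       # receiver address

def deauth_bursts(frames, station, min_frames=5, max_gap=2.0):
    """Return (start, end, count) for sustained deauth runs aimed at `station`."""
    targets = {station.lower(), BROADCAST}
    times = sorted(f.ts for f in frames
                   if f.subtype == DEAUTH and f.dst.lower() in targets)
    bursts, run = [], []
    for t in times:
        if run and t - run[-1] > max_gap:   # gap ends the current run
            if len(run) >= min_frames:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_frames:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

def unlock_alerts(frames, station, unlock_windows, **kw):
    """Flag bursts that overlap a period in which the door was unlocked."""
    return [{"burst": (s, e), "frames": n, "unlock": (u0, u1)}
            for s, e, n in deauth_bursts(frames, station, **kw)
            for u0, u1 in unlock_windows
            if s <= u1 and e >= u0]

# Constructed sample data (not from a real capture).
CAMERA, AP = "02:00:00:aa:bb:01", "02:00:00:aa:bb:fe"
SAMPLE = ([Frame(float(t), 0x08, AP, BROADCAST) for t in range(0, 130, 10)]  # beacons
          + [Frame(10.0, DEAUTH, AP, CAMERA)]                                 # one-off
          + [Frame(100.0 + i, DEAUTH, AP, CAMERA) for i in range(20)])        # flood
UNLOCKS = [(0.0, 20.0), (95.0, 130.0)]   # door-unlocked intervals, seconds

if __name__ == "__main__":
    for a in unlock_alerts(SAMPLE, CAMERA, UNLOCKS):
        print(a)
```

A single deauthentication frame is routine on a Wi-Fi network, which is why the check requires a sustained run before it raises anything.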
The second attack in particular relies on an unusually implacable criminal, since the attacker would probably not be a deliveryman himself, but rather someone following him around.
This exploit isn't just in the hands of Amazon couriers, mind you, as anyone that knows about the exploit could spot or wait for a delivery to then execute the deauthorisation command. It's a lot of moving pieces - and in broad daylight, too.
A high tech solution that gives Amazon delivery drivers access to your home could be exploited by criminals, computer security experts have warned.
We've reached out to Amazon for comment, and will update this story when we receive a reply.