Amazon is rushing out a fix for a flaw in the security camera that monitors couriers delivering parcels into the homes of Key customers.
Amazon Key is the recently launched service that allows Amazon couriers to place goods inside Prime customers' homes. The service works alongside Amazon's new Cloud Cam security camera, a smart door lock and the Key app that remotely unlocks the door and displays a live video feed.
But, as Wired reports, Seattle-based security firm Rhino Security Labs has discovered a flaw in the procedure that would allow a devious courier to freeze the camera. That ability undermines the key component that gives customers peace of mind when letting a stranger into an unattended house.
The attack can be launched from within Wi-Fi range, which is exactly where a rogue courier would be positioned. Using a computer, the attacker sends a volley of 'deauthentication' packets to the target Cloud Cam, which keeps it off its access point while it attempts to reauthenticate. It's a well-known technique for Wi-Fi jamming and is not specific to Cloud Cam.
Although the Amazon camera is offline, the app continues to display the last frame the camera captured while it was connected, leaving the homeowner unaware that the view in their app is not live.
Rhino's demo video shows a delivery man delivering a parcel as expected but then, after freezing the camera on a closed-door image, he re-enters the house. The camera doesn't capture the second entry, and the Key app doesn't log the second entry.
An Amazon spokeswoman told ZDNet sister site CNET that the company currently notifies customers if Cloud Cam is offline for an "extended period".
An update coming later this week will notify users if the camera goes offline during a delivery. The service will also not unlock the door if Wi-Fi is disabled and the camera is offline.
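The stale-frame problem and the two mitigations described above (an alert when the camera drops offline during a delivery, and no unlock while it is offline) can be modelled as follows. This is an added example, not Amazon's or Rhino Security Labs' code; the class names, event names and the 3-second staleness threshold are assumptions, and the timeline is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

STALE_AFTER_S = 3.0  # assumed threshold: no new frame for this long means "not live"


@dataclass
class FeedMonitor:
    """Records frame arrival times so a viewer can tell live video from a frozen frame."""
    last_frame_at: Optional[float] = None

    def on_frame(self, now: float) -> None:
        self.last_frame_at = now

    def is_live(self, now: float) -> bool:
        return self.last_frame_at is not None and now - self.last_frame_at <= STALE_AFTER_S


@dataclass
class DeliverySession:
    feed: FeedMonitor
    events: list = field(default_factory=list)
    door_open_window: bool = False
    alerted: bool = False

    def request_unlock(self, now: float) -> bool:
        # Fail closed: no unlock unless the camera is demonstrably streaming.
        if not self.feed.is_live(now):
            self.events.append((now, "unlock_denied_camera_offline"))
            return False
        self.door_open_window = True
        self.events.append((now, "unlocked"))
        return True

    def tick(self, now: float) -> str:
        """Periodic check; returns the label the viewer should overlay on the video."""
        live = self.feed.is_live(now)
        if self.door_open_window and not live and not self.alerted:
            self.alerted = True  # raise the mid-delivery alert once, not on every tick
            self.events.append((now, "alert_camera_offline_during_delivery"))
        return "LIVE" if live else "STALE"


def replay_constructed_timeline():
    """Constructed timeline: frames every second until t=5, then the camera drops off Wi-Fi."""
    feed = FeedMonitor()
    session = DeliverySession(feed)
    for t in range(6):
        feed.on_frame(float(t))
    first = session.request_unlock(5.0)
    labels = [session.tick(float(t)) for t in range(6, 12)]
    second = session.request_unlock(13.0)
    return first, labels, second, session.events
```

The point of the `STALE` label is that the last received frame is never presented as live video, and the second unlock request fails closed because no frame has arrived within the threshold.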
All Key couriers undergo a comprehensive background check that Amazon verifies before they can make in-home deliveries, the spokeswoman said. Additionally, Amazon links each delivery to a specific driver and checks that it is the right driver at the right address.
Rhino Security Labs' video shows how an attack could take place.