Amazon: We're fixing flaw that leaves Key security camera open to Wi-Fi jamming

A malicious courier could easily freeze the Key's Cloud Cam and roam a customer's house unmonitored.
Written by Liam Tung, Contributing Writer

Amazon Key lets Amazon couriers place goods inside Prime customers' homes securely, using Amazon's new Cloud Cam security camera, a smart door lock and the Key app.

Image: Sarah Tew/CNET

Amazon is rushing out a fix for a flaw in the security camera that monitors couriers delivering parcels into the homes of Key customers.

Amazon Key is the recently launched service that allows Amazon couriers to place goods inside Prime customers' homes. The service works alongside Amazon's new Cloud Cam security camera, a smart door lock and the Key app that remotely unlocks the door and displays a live video feed.

But, as Wired reports, Seattle-based security firm Rhino Security Labs has discovered a flaw in the procedure that would allow a devious courier to freeze the camera. That ability undermines the key component that gives customers peace of mind when letting a stranger into an unattended house.

The attack can be launched within Wi-Fi range, which is exactly where a hacker courier would be positioned. Using a computer, the attacker sends a volley of 'deauthorization' packets to the target Cloud Cam, which stops it from using an access point as it attempts to reauthenticate. It's a well-known technique for Wi-Fi jamming and is not specific to Cloud Cam.

Though the Amazon camera is offline, it continues to display the last frame the camera captured when it was connected, leaving the home owner unaware that the view in their app is not live.

Rhino's demo video shows a delivery man delivering a parcel as expected but then, after freezing the camera on a closed-door image, he re-enters the house. The camera doesn't capture the second entry, and the Key app doesn't log the second entry.

An Amazon spokeswoman told ZDNet sister site CNET that it currently notifies customers if Cloud Cam is offline for an "extended period".

An update coming later this week will provide users notifications if the camera goes offline during a delivery. The service will also not unlock the door if Wi-Fi is disabled and the camera is offline.

All Key couriers undergo a comprehensive background check that Amazon verifies before they can make in-home deliveries, the spokeswoman said. Additionally, Amazon links each delivery to a specific driver and checks that it is the right driver at the right address.

Rhino Security Labs' video show how an attack could take place.

Rhino Security Labs/YouTube

Previous and related coverage

Amazon unveils in-home delivery service Amazon Key

The Amazon Key system is sold as a kit that includes the Amazon Cloud Cam, the Amazon Key app and one of several compatible smart locks.

Google Home and Amazon Echo hit by big bad Bluetooth flaws

Google and Amazon patch 20 million smart speakers that were vulnerable to serious Bluetooth attack.

Amazon Cloud Cam review, CNET

Amazon's Cloud Cam is affordable, reliable and easy to use, but it's the free storage that ultimately makes it more appealing than Nest security cameras and many other home security competitors.

Editorial standards