Amazon Key’s camera may need a better lock.
The camera is meant to be the safeguard against any potential bad conduct by Key delivery persons, who are able to place packages in your house through the program. A vulnerability found by Rhino Labs and reported on by Wired, however, may call into doubt the ability for the camera to protect your house.
How Amazon Key works is a delivery driver comes to your house and sends an unlock request to Amazon. The company verifies the driver, package, and address is correct. The door then unlocks, and the driver places a package just inside the home’s threshold. The driver then sends a lock request and leaves. The whole process is meant to take seconds.
A vulnerability that the camera shares with all Wi-fi-based devices, however, can knock the camera offline, according to Rhino. If a hacker can get onto your Wi-fi network, and then send a deauthorization command script to your camera, it will stop recording. Rhino found that if a Cloud Cam goes offline, it sends its owner a snapshot of the last image it took when it was still online.
An Amazon spokesperson told Business Insider that “safety and security are built into every aspect of the service.”
The company said that even though it believes the findings pose little threat to the average Amazon Key user, it announced it would release a firmware update for the camera.
“We currently notify customers if the camera is offline for an extended period,” an Amazon spokesperson told Business Insider. “Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-fi is disabled and the camera is not online.”
Amazon notes that the issue is not with Amazon’s products, but the Wi-fi protocol itself. A disabled camera does not immediately give access to a customer’s house.
Overall, this theft technique seems extremely difficult to pull off. It could only be performed by a delivery driver, or close associate working in conjunction, as that’s the only way the door would unlock in the first place. That driver would need to have both the technical skills and desire to hack into the Wi-fi network, and then be able to send the deauthorization command script to the camera.
In the unlikely event something stolen, it would be incredibly easy for Amazon to instantly identify the perpetrator. The theft would have to be something undetectable, like identity theft. Even then, the thief would need to somehow make it out of the house a way other than the way they came in as Amazon Key automatically alerts customers if the door remains unlocked after a few minutes.
Amazon also offers a Happiness Guarantee for Amazon Key, and promises that if anything should go wrong, the company will make it right.
The company also notes that it vets its delivery people thoroughly, with background checks.