Rhino Security Labs’ researchers have discovered a vulnerability in Amazon’s Key delivery service and Cloud Cam security camera. This vulnerability allows an attacker to manipulate the functioning of the camera to make it go offline due to which it will not be possible to monitor if someone entered a home or not.
It is worth noting that Amazon Key Service is designed especially for homeowners so that they could remotely lock and unlock the front doors for visitors while this service is connected with the Cloud Cam security camera. When a delivery drive arrives at your home, he will send an unlock request to Amazon after which the company will authenticate the driver’s identity, package information, and home address. If the information is correct, the door will unlock automatically, and the package will be left inside the home. Then the driver would send a request to lock the door and Amazon will lock it.
Throughout the process, the Key app will keep homeowner connected and updated while the entire process gets completed in mere seconds. Amazon’s Prime members can allow carriers to verify their identity in order to relock and unlock the door to leave a package inside the home all by themselves.
This shows that the camera and key service is developed to safeguard homeowners from rogue Key delivery persons. However, Rhino Labs researchers discovered that the flaw identified in the camera is shared with all the wireless network based devices and it can bring the camera offline after which a hacker can access your Wi-Fi network and send deauthorization command script to the camera, which is known as the Deauth Attack.
This would enable the camera to stop recording footages. This is contrary to the claims made by Amazon by stating that safety and security are “built into every aspect of the service.” According to Rhino Labs, when Cloud Cam goes offline it sends a snapshot of the last taken footage before going offline to the owner. The whole attack is easily carried out using just a computer or a tiny handheld Raspberry Pi and an antenna add-on.
Deauth attack is not just applicable on Amazon Key because it affects almost every Wi-Fi connected device and makes it go offline. But, the catch in this situation is that the hacker can manipulate the Key app in a way that it won’t inform the homeowner regarding any foul play and will keep showing the last live frame, which might be of a locked door. The driver will have the power to re-lock the door after re-entering it to make sure that homeowner doesn’t suspect anything unusual.
However, Amazon’s spokesperson believes that the issue is not in the camera, but the Wi-Fi network and these findings are not as threatening to the average user of Amazon Key service as it is being touted. Moreover, their drivers are hired after a comprehensive background check and are, therefore, quite reliable.
Having said that, the company assured that it would be releasing a firmware update for the camera and for the time being, Amazon will be notifying users if it finds the camera to be offline for long and the update will be churned out later this week. The company says it will provide notifications quickly if the camera is offline while delivery is taking place and the service won’t unlock the door if Wi-Fi service is disabled or the camera isn’t online.
“We currently notify customers if the camera is offline for an extended period… Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
It is evident that despite the vulnerability, whether it is in the camera or the network, the technique is rather complex and difficult to pull off. Only the delivery driver or a close acquaintance can unlock the door, but even then they would require sophisticated technical know-how and capability of sending deauthorization command script to the camera. Otherwise, the feat will fall flat, but even if something is stolen, then Amazon will instantly locate the criminal unless the theft is undetectable such as identity theft.
A Separate Attack
Rhino’s researchers also point out that when their attack kicks a Cloud Cam off the network, it also disconnects the Amazon Key lock on the door, too. That’s because the lock doesn’t actually have its own internet connection. Instead, it communicates via the Zigbee wireless protocol to the Cloud Cam, which acts as its connection to the Wi-Fi router and the rest of the internet.
The researchers argue that this could enable a separate attack as well. In that scenario, a hacker follows an Amazon delivery person around and waits for them to make a delivery. Just as they’re closing the door to leave, the hacker triggers the deauth command, knocking Amazon Key offline and preventing the door from locking. When the delivery person leaves, the hacker then breaks into the home through the unlocked door.
But that attack, while open to a far wider collection of potential hackers than the rogue delivery person scenario, is even less likely to succeed. The delivery person would have to be rushed or careless enough to not pull on the door to check that it was locked, and to not notice that their app showed an extended “locking” status message, a spinning icon, and then a timeout error. Amazon notes that its delivery people are told never to leave a house when its door is unlocked and that the company will also call a customer immediately if it sees that their door is left unlocked for more than several minutes.
Rhino Labs researchers developed a proof-of-concept video to validate their findings. In the video, the de-authentication attack has been recorded, and researchers have repeated the attack to prove their point further. Their findings were published in Wired.