Amazon last month introduced Amazon Key: a combination of a smart lock that gives delivery drivers access to your home so they can deliver packages while you monitor them with an internet-enabled camera called Cloud Cam. At least, that’s what happens in the best case – in the worst of all possible scenarios, you could be opening up your home to random strangers.
It was discovered by security researchers at Rhino Security Labs. Ben Caudill, the founder of the Seattle-based security firm, on Wednesday posted a proof-of-concept video that shows the interior of a home; the door unlocking; a deliveryman delivering a parcel as per normal; a screen showing a gush of deauthentication commands; a paralyzed webcam image that’s frozen on the image of a nice, safely closed door; and another screen that shows the delivery guy waltzing in again, undetected and heading for your Christmas goodies.
The camera doesn’t capture the potentially nefarious, second entry; nor does the Key app log it.
The camera is very much something Amazon is relying on in pitching the security of this as a safe solution. Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.
What should happen is that delivery people lock the door with their app. But for this attack, they instead run a program on their laptop or on what Rhino’s researchers suggest could be a simple handheld device anyone can build out of a Raspberry Pi minicomputer and an antenna that sends deauthentication commands – Rhino calls them deauthorization packets – to the home’s Cloud Cam.
As Wired points out, the spoofed commands aren’t a bug in Cloud Cam, per se; rather, it’s something to which practically all Wi-Fi devices are vulnerable.
For example, we saw employees of Marriott, which manages operations at the Gaylord Opryland, own up to using a Wi-Fi monitoring service to contain and/or deauthenticate packets sent to targeted access points and thus to disrupt access to individual hotspots, back in 2015. They got fined $600,000 for it and, after a fight, threw in the towel on the practice.
We also saw a guy who wanted his own, personal cone of silence get charged with a felony for using a jammer to get people on the train to stop talking on their phones during his commute.
Jamming is common, and it’s most definitely illegal: you’re tampering with a public utility. That’s why the Chicago silence-craving guy got charged with a felony (later reduced to a misdemeanor): both the public and emergency services rely on Wi-Fi access.
But while it’s a common attack, it’s unnerving that Amazon’s camera doesn’t have any protocols to respond to going offline. It just keeps showing a user the last frame it recorded before it froze, with no alarms or alerts to flag its paralysis.
As a partially trusted Amazon delivery person, you can compromise the security of anyone’s house you have temporary access to without any logs or entries that would be unusual or suspicious.
Amazon has told news outlets that it currently notifies customers if Cloud Cam is offline for an “extended period”.
According to CBS News, as of Friday, Amazon was planning to put a software update out “later this week,” to “more quickly provide notifications if the camera goes offline during delivery” and to make sure the “service will not unlock the door if the Wi-Fi is disabled and the camera is not online.”
Amazon also said this type of attack is “unlikely.” It’s not a security issue, in their view, and besides, they thoroughly vet their delivery drivers.
Caudill’s take: this attack costs chump change. It’s achievable by anybody within Wi-Fi range – in other words, delivery people. And more to the point, the whole idea of the $249 Amazon Key package is to open people’s doors to people who specifically aren’t burglars or creeps.
Based on the simplicity of the attack, $20 and some really freely available software you can implement this yourself. It’s not a trivial attack.
Let’s hope Amazon gets this sorted soon.