Researchers Warn Amazon Key Can Be Hacked
Amazon reportedly said it plans to address the flaw with a software update later this week.

To ease security concerns about its new in home-delivery service, Amazon has stressed that customers can watch the drop off live, right from their phone, thanks to its Cloud Cam.

But just over a week after Amazon Key made its debut, researchers with security firm Rhino Security Labs said they have discovered a way to freeze Amazon's Cloud Cam. According to a report from Wired, a delivery person with bad intentions would be able to execute this attack "with a simple program run from any computer within Wi-Fi range" to make it seem like the customer's door was still closed, even if they were inside doing whatever they please.

"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Rhino Security Labs Founder Ben Caudill told Wired. "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."

For a peek at how the attack works, check out the video below.

As you can see in the video, the attacker would drop off a package like normal, and close the door behind them. After exiting the house, the attacker would then run a script to block the camera's signal, and reenter the home. To an Amazon customer viewing the stream, it would appear as if the door was still closed and locked. Meanwhile, the bad delivery person is inside your home rifling through documents and potentially stealing your credit card or social security details. The customer wouldn't even get a notification on their phone that the camera is offline.

According to Wired, the attack doesn't rely on a flaw in the Cloud Cam itself.

"It's an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network," the report notes. "In this case, Rhino's script sends the command again and again, to keep the camera offline as long as the script is running."

Amazon did not immediately respond to PCMag's request for comment, but downplayed this attack in a statement to Wired and said it plans to address the flaw with a software update later this week.

"We currently notify customers if the camera is offline for an extended period," Amazon told the news outlet. "Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."

The company reportedly went on to say that "every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time."