Slashdot Mirror


Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com)

Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.

18 of 106 comments

  1. So what? by Anonymous Coward · · Score: 3, Interesting

    If you're dumb enough to let random delivery workers into your house without you being present, you're asking for trouble. Security flaws or not, you're an idiot if you allow this. You're asking for trouble.

    1. Re:So what? by ClickOnThis · · Score: 4, Insightful

      People already allow housekeepers and babysitters into their homes. How is this different?

      You get to interview them first?

      --
      If it weren't for deadlines, nothing would be late.
    2. Re:So what? by DickBreath · · Score: 2

      Some people only allow in housekeepers while they are home. Others may interview housekeepers first before giving them a key, and insisting on the housekeeper being insured and/or bonded. The housekeeper probably has access to a very limited number of homes compared to an Amazon / FedEx / UPS / etc delivery boy. Having some kind of "master key" to a large number of homes gives the feeling of being less likely to get caught.

      As for babysitters, you are entrusting them with the care of another human(s), which is a much higher level of trust than with your home. Interviews. Background checks. Etc.

      With a housekeeper / babysitter, if you are burglarized, it is easier for police to investigate a very small pool of potential burglars. With an Amazon Key, how many people potentially had access to that key?

      With a known babysitter / housekeeper, hacking is probably not a likely way to get into your home. With an Amazon key, you are less sure about how many people have or can gain access to your home. (No matter what Amazon says.)

      --

      I'll see your senator, and I'll raise you two judges.
    3. Re: So what? by DontBeAMoran · · Score: 2

      4A. This only works if the thief is Winnie the Pooh.

      --
      #DeleteFacebook
    4. Re: So what? by EvilSS · · Score: 2

      4. Put a honeypot Amazon box on the doorstep and wait across the street in a tree with a sniper rifle.

      I actually did this after getting some packages stolen. Filled some old Amazon boxes with garbage and set them on the porch. Well minus the sniper rifle, and plus some new security cameras. Unfortunately no one tried to steal it (or even checked it out before noticing the cameras.)

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re: So what? by gnick · · Score: 2

      ...if you are dumb enough to accept a whole home burglary to prevent e-mailing an Amazon customer service rep...

      It's not accepting a break-in. It's accepting a chance of a burglary. Guess what? There's already a chance that your house might be burgled. This (might) slightly increase that risk.

      It's not:
      (Cost of home burglary) > (Cost of porch burglary)
      It's:
      (Change in chance of home burglary)*(Cost of home burglary) ? (Chance of porch burglary)*(Cost of porch burglary)

      --
      He's getting rather old, but he's a good mouse.
    6. Re: So what? by MoaDweeb · · Score: 2

      It's Ok!

      Amazon will vet the delivery people, just like Uber.

      --
      New Zealanders are well balanced with a chip on each shoulder. One represents Australia, the other the rest of the world
  2. Actually the flaw is pretty bad by 93+Escort+Wagon · · Score: 4, Interesting

    The good: Amazon promises they'll be pushing out a patch this week.

    The bad: It's about as bad a failure mode as is possible: "Most disturbingly, Amazon's camera doesn't respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected."

    Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.

    --
    #DeleteChrome
    1. Re:Actually the flaw is pretty bad by fluffernutter · · Score: 4, Insightful

      I'd say 'the bad' is that you never really know if every flaw is patched.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:Actually the flaw is pretty bad by phantomfive · · Score: 4, Insightful

      I'd say 'the bad' is that you never really know if every flaw is patched

      No, you know the answer. The answer is No, they're not patched.

      --
      "First they came for the slanderers and i said nothing."
  3. Milk boxes, Ice boxes by WillAffleckUW · · Score: 2

    Look, stop trying to invent new tech.

    Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.

    It was opened by a key the delivery people had. And inside by a key the owner had (different door).

    It was used for ice deliveries, package deliveries, milk deliveries.

    Do that. Add a camera or sensor to that.

    Don't make the door to your house be open to delivery people. Give them a place, OUT OF SIGHT, to store things in that only you can pick up.

    SERIOUSLY!

    --
    -- Tigger warning: This post may contain tiggers! --
  4. Re:Another problem with the Internet of Things by ctilsie242 · · Score: 2

    Shoulders are overrated. A boot is usually the best way, next to a door ram.

    Here in the US, front door physical security is piss-poor across the board, be it easily bumpable five-pin tumbler locks, doors that will fall to a stout kick because it only locks one point, doors with large windows, and so on. At best, if you want better, you buy a security screen door.

    The average European door has at least 3-4 point locking, cylinders that resist snapping, punching, and drilling, deadlocking, and a solid door jamb. A lot of Eastern European doors use an Italian brand of door lock, which uses lever locking, at least four rods near the door handle, and a number of points around the door for added security.

  5. Unencrypted Video foolishness by charliemerritt03 · · Score: 2

    I just got and am returning an Arlo camera system from Netgear. Good hardware, HORRIBLE implementation -- like most IoT. It doesn't come with a package that unlocks the door... But it is another example of (video and sound!) sensitive data being sent out over the Internet without the average consumer even having an idea that they have just 'bugged' their own home. If products have warnings about kids suffocating on the wrapper, why don't these IoT gadgets have warnings like: Caution Do not point camera at potentially embarrassing situations or rely on it to perform alarm services when most needed? As a bonus there is an Internet inserted 10 second delay using it as a simple video doorbell.

  6. Re:I'd like to order two prostitutes please. by DickBreath · · Score: 2

    Your unsecured Amazon camera is probably already accessible to people who really want to access it.

    --

    I'll see your senator, and I'll raise you two judges.
  7. Other way around please by Anonymous Coward · · Score: 2, Insightful

    Why not give everyone a key to the Amazon warehouse? I'm sure if Amazon has good enough security and tracking, its users can be trusted.

    Amazon wants me to trust them, why doesn't Amazon trust me?

    Why can't Amazon ship me stuff while awaiting payment, why don't they take cheques? promissory notes? trades?

  8. Re:I'm shocked by AntronArgaiv · · Score: 2

    Oh, I'm absolutely positive that Amazon takes no responsibility for the actions of the deliveryperson, who is an independent contractor, employed by a company not associated with Amazon. If they lift something from your house, Amazon will express their regrets, and that's about all you'll ever get from them.

    Heck, they've started using Amazon Logistics in my area now, and when the guy can't find my house, the order gets "lost". Then Amazon informs me that I'll need to re-place the order and they'll issue me a refund for the lost package in their own sweet time. Now, THAT's service!

  9. Just unplug it by JDShewey · · Score: 2

    I don't see how this is different than the delivery man simply reaching over and unplugging the Camera's data or power cable. Not sure how Amazon is going to patch that...

  10. Re:One time code? by RhettLivingston · · Score: 2

    Smart locks are almost always dead-bolts and know whether or not the bolt was thrown. It should not report closed and locked if it isn't.

    Also, if you burgle the place on the same day, you're caught. It is extremely unlikely that the police won't be able to find further evidence given that they will know exactly who to look at. In addition, if they ever got away with it once, they won't get away with it again. They'd likely be fired just on the possibility that they committed the crime - firing does not require proof beyond reasonable doubt nor even weight of the evidence. And "reasonable doubt" is a much lower standard than what TV leads us to believe.

    Your other replier really has the only point that needs to be made, and the reason I'd never use this service. The concern with letting people into your home is not what they can steal that day, it is in the notes that they take and perhaps even sell to someone else for future use. Breaking into a home is trivially easy - so much so that having a key is of little extra value to the process. Knowing which home to break into is not so easy. Things have gotten so cheap today, that breaking into homes is almost a worthless endeavor. Few people have anything worth stealing. The pawn value on electronics is next to nothing. So, spotting the needle in the haystack is valuable.