At the end of October 2017, Amazon launched a new service that quickly generated buzz: Amazon Key. With this new system, which is being tested in the United States, Amazon can make deliveries directly inside the house. To do this, the Seattle giant uses a connected camera and a connected lock to give the delivery person access to your home.
Although Amazon has planned several safeguards to prevent this system from turning into a nightmare for homeowners, it seems that computer scientists have already managed to hack it.
An attack on Amazon Key’s camera
The Amazon Key system works like this: a delivery person goes to the location and tells Amazon that he is at the delivery point. Amazon then sends him a unique key, allowing him to open the door of the house through the connected lock. Once the door is closed, in theory, the lock is engaged through the delivery person's application and the house is secured. All of this happens under the watchful eye of the connected surveillance camera placed at the door: thus, no one can enter or leave without being filmed, and the driver cannot steal anything.
Amazon further states that the delivery people chosen for this service are handpicked and instructed not to leave the home without verifying that the door has closed properly. In short, everything seems designed to avoid problems.
That was without counting on the researchers at the firm Rhino Labs, who discovered a flaw: it is possible to bypass the security of Amazon Key by launching an attack against the connected camera.
The camera image frozen, just like the lock
As reported by Wired on November 16, 2017, the researchers at Rhino Labs discovered that Amazon's connected camera can be attacked by launching a fairly simple program at the moment the lock, and therefore the house, is being closed. The program simulates a Wi-Fi command directed at the connected camera, which causes it to malfunction. The camera does not go dark, however: it continues to show the last recorded image.
This “authorization” command also blocks the connected lock, since the lock does not have its own Wi-Fi connection but connects through the Wi-Fi of the surveillance camera. The lock cannot be closed: thus, the delivery person has plenty of time to go back into the house, steal belongings, restart the camera and lock, and leave. On Amazon's side, all the camera will show is a closed door.
According to Rhino Labs, the attack can also be initiated by a third party who is not the delivery person, but this is more complicated: he would have to know where and when a delivery is expected, then launch the program before the delivery person closes the door behind him. The hacker could then enter the house once the delivery person is gone, except that delivery people are, in theory, prohibited from leaving the premises if the door is not locked.
Amazon, which was contacted by Wired about this research, is reassuring: the probability that one of its delivery people will become a hacker is very low because of the vetting done beforehand. But the group takes this hack seriously and said that a software update to prevent the attack will be deployed on all of its connected cameras before the end of November 2017.