Security experts and Amazon Prime members unsurprisingly expressed their concerns following the announcement of Amazon Key, a new service where couriers deliver items inside your home. Amazon reassured customers, explaining the service can only be used once customers point the internet-connected Cloud Cam camera at their door. With it, customers can ensure the stranger delivering their package doesn’t step out of line.
Problem solved, right? Well, it turns out the camera only makes matters worse.
Security researchers discovered a critical vulnerability in Cloud Cam that would allow a courier to disable or freeze the video feed using any computer in Wi-Fi range, reports Wired. The hack would open a window for a rogue courier to enter a home and steal from Amazon customers. All a customer would see as their home is being ransacked is the frozen image of their closed front door.
Ben Caudill, the founder of security firm Rhino Security Labs, which discovered the Amazon Key flaw, uploaded a video demonstrating how it works.
The clip first shows how the service should work, before demoing the attack. First, a courier opens the door, delivers a package inside the home, then closes and locks the door while the Cloud Cam tracks the entire process without any problems. The second part shows what happens when the denial-of-service software is applied. This time, the man opens the door but the video feed shows it’s still closed. Once inside, all he’d need to do is move out of the camera’s view, stop the malicious software so the camera reconnects, and lock the door via the app.
Hackers wouldn’t even need a computer to break in. Rhino Security Labs’ researchers say it can all be done on a handheld device made with a Raspberry Pi and antenna that sends “deauthorization” commands to the camera.
“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Caudill told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
That isn’t the only vulnerability plaguing Amazon’s new delivery service. Rhino researchers say a hacker could follow a courier and enable the Wi-Fi deauthorization software as they are leaving someone’s home. Because the camera connects to a smart lock on the front door via Zigbee, the hack would prevent the door from locking.
Amazon told Wired it would release an update later this week to partially fix these security flaws.
“We currently notify customers if the camera is offline for an extended period,” Amazon said in a statement. “Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
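Because the customer only sees a frozen image of a closed door, a check like the one Amazon describes has to be driven by what the server actually receives, not by the picture. The following is an added example, not Amazon's or Rhino Security Labs' code, that correlates camera frame arrivals with the door's unlock window; the event fields, thresholds and sample timestamps are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_FRAME_GAP_S = 3.0     # assumed: longest tolerated silence from the camera
MAX_UNLOCKED_S = 120.0    # assumed: longest a delivery should leave the door unlocked

@dataclass
class Delivery:
    unlock_ts: float              # door unlocked for the courier
    lock_ts: Optional[float]      # lock confirmation, None if never received
    frame_ts: List[float]         # server-side arrival times of camera frames

def audit(d: Delivery, now: float) -> List[str]:
    """Return alerts for one delivery, judged only on what the server received."""
    alerts = []
    end = d.lock_ts if d.lock_ts is not None else now
    # Bracket the window so silence at its start or end also counts as a gap.
    inside = sorted(t for t in d.frame_ts if d.unlock_ts <= t <= end)
    points = [d.unlock_ts] + inside + [end]
    for a, b in zip(points, points[1:]):
        if b - a > MAX_FRAME_GAP_S:
            alerts.append(f"camera silent {b - a:.0f}s while door unlocked (t={a:.0f}..{b:.0f})")
    if d.lock_ts is None:
        alerts.append("no lock confirmation received")
    elif d.lock_ts - d.unlock_ts > MAX_UNLOCKED_S:
        alerts.append(f"door unlocked for {d.lock_ts - d.unlock_ts:.0f}s")
    return alerts

# Constructed sample data: one frame per second, timestamps in seconds.
normal = Delivery(100.0, 130.0, [float(t) for t in range(95, 136)])
# Frames stop at t=102 and resume at t=125: the viewer would see a frozen door.
frozen = Delivery(100.0, 130.0,
                  [float(t) for t in range(95, 103)] + [float(t) for t in range(125, 136)])
# Camera drops as the courier leaves, so the lock command never lands.
unlocked = Delivery(100.0, None, [float(t) for t in range(95, 121)])

if __name__ == "__main__":
    for name, d in [("normal", normal), ("frozen", frozen), ("unlocked", unlocked)]:
        print(name, audit(d, now=200.0))
```

A silence of a few seconds inside the unlock window is what separates this from the "offline for an extended period" notification mentioned in the statement above.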
Rhino explains a complete fix could potentially undermine the new Key service. Caudill’s suggestion for protecting yourself from Key? Don’t use it at all. If you want to give it a try anyway, do yourself a favor and install a separate camera.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.