amazon key in-home delivery

Screengrab via amazon/YouTube

Amazon Key flaw lets couriers stay in your home unnoticed

Couriers could freeze the video feed without customers noticing.


Phillip Tracy


Published Nov 16, 2017   Updated May 22, 2021, 10:53 am CDT

Security experts and Amazon Prime members unsurprisingly expressed their concerns following the announcement of Amazon Key, a new service where couriers deliver items inside your home. Amazon reassured customers, explaining the service can only be used once customers point the internet-connected Cloud Cam camera at their door. With it, customers can ensure the stranger delivering their package doesn’t step out of line.

Problem solved, right? Well, it turns out the camera only makes matters worse.

Security researchers discovered a critical vulnerability in Cloud Cam that would allow a courier to disable or freeze the video feed using any computer in Wi-Fi range, reports Wired. The hack would open a window for a rogue courier to enter a home and steal from Amazon customers. All a customer would see as their home is being ransacked is the frozen image of their closed front door.

Ben Caudill, the founder of security firm Rhino Security Labs, which discovered the Amazon Key flaw, uploaded a video demonstrating how it works.

The clip first shows how the service should work, before demoing the attack. First, a courier opens the door, delivers a package inside the home, then closes and locks the door while the Cloud Cam tracks the entire process without any problems. The second part shows what happens when the denial-of-service software is applied. This time, the man opens the door but the video feed shows it’s still closed. Once inside, all he’d need to do is move out of the camera’s view, stop the malicious software so the camera reconnects, and lock the door via the app.

Hackers wouldn’t even need a computer to break in. Rhino Security Labs’ researchers say it can all be done on a handheld device made with a Raspberry Pi and antenna that sends “deauthorization” commands to the camera.

“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Caudill told Wired. “Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”

That isn’t the only vulnerability plaguing Amazon’s new delivery service. Rhino researchers say a hacker could follow a courier and enable the Wi-Fi deauthorization software as they are leaving someone’s home. Because the camera connects to a smart lock on the front door via Zigbee, the hack would prevent the door from locking.

Amazon told Wired it would release an update later this week to partially fix these security flaws.

“We currently notify customers if the camera is offline for an extended period,” Amazon said in a statement. “Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”

Rhino explains a complete fix could potentially undermine the new Key service. Caudill’s suggestion for protecting yourself from Key? Don’t use it at all. If you want to give it a try anyway, do yourself a favor and install a separate camera.

Share this article
*First Published: Nov 16, 2017, 3:00 pm CST