Amazon Key has a flaw that could let hackers knock out the security camera

The service model offered by Amazon Key, which gives the company's delivery corps access to customers' homes via smart lock, sounds kind of sketchy under the best circumstances. Amazon, however, assured potential customers there'd be nothing to worry about with Key — the system offers 24/7 monitoring via the Alexa-enabled Cloud Cam to monitor deliveries.

That security safeguard doesn't look quite so foolproof after a group of researchers from Rhino Security Labs discovered multiple techniques to knock out the Cloud Cam and enter a house equipped with a Key system undetected. The group shared its findings with Wired and in two videos demonstrated the techniques behind the relatively simple hacks, which could allow unscrupulous delivery people to move around Key-enabled homes undetected.

All it takes to knock out the camera is a computer running the right software within range of the home's Wi-Fi network. The first demonstration shows the "delivery person" unlocking the door using the PIN code, entering the room to deliver a package, and closing the door behind them, just like they should.

Instead of locking the door, however, the thief runs a "deauth" program to temporarily kick the Cloud Cam off the Wi-Fi network. The denial of service (DoS) script keeps the camera from coming back online for as long as the intruder requires, as the program loops the last frame recorded before going offline. Any live viewers or homeowners reviewing the recording are none the wiser.

After moving out of the camera's range and locking the door to avoid suspicion, the thief could move around the home as they liked.

The second attack is less likely to be put into practice IRL, but it's still worth highlighting. The same style of DoS is used to knock out the Cloud Cam, but the delivery person isn't the thief.

Instead, an unassociated hacker waits for the courier to drop off a package, then triggers the attack before the door is re-locked. Unfortunately, the Key Lock's Wi-Fi connection is through the Cloud Cam — so when the Cam is knocked offline, the Lock goes with it. Once the delivery person is out of the picture, the thief could access the house unimpeded.

Both of these scenarios depend on other variables to actually work without tipping off the system — the delivery person has to exit through another door in the first, while the second hinges on perfect timing and sloppy delivery work — but the vulnerabilities are worth highlighting.

Amazon is aware of the Rhino researcher's findings, but downplayed the actual threat they might pose if put into practice. The company pointed out to us in an email that All Key deliveries have time-stamped reports detailing how long doors are opened and the company alerts customers if the camera goes offline for extended periods of time.

Amazon also trusts its delivery people. A company rep told us that Amazon verifies all of its drivers with a "comprehensive background check," and emphasized how each assignment is tied to an individual driver, so any funny business would be immediately detected.

Still, Amazon will issue an update to the Key software to notify users more quickly if the camera goes offline during delivery, and the service won't unlock the door if the Wi-Fi is disabled and the camera is not online.