The idea of a delivery person entering your home when you aren’t there is new and unsettling. Which is why when Amazon announced its in-home Key delivery service last month, it went to great lengths to reassure potential customers that it had their security in mind. But a new story from WIRED about a successful hack of Amazon Key may keep nervous nellies away.
First, a quick recap of Amazon Key, a new service from the retail giant that lets its delivery people enter your home to drop off packages when you aren’t there. The service uses a combination of phone notifications, specific cloud locks and — most important for this story — cloud cameras that let you monitor the delivery as it happens or watch it after the fact.
But research firm, Rhino Security Labs, uncovered a flaw in the system that would allow a delivery person to hack the connected camera and create a freeze frame of the door shut after they leave. A homeowner watching remotely would see the shut door and assume everything’s fine, but the delivery person could actually be back in the house without the viewer seeing it. You can see it in action in this video:
As WIRED points out, this isn’t an Amazon-specific issue, “It’s an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network.” The problem, they write, is that rather than shutting off or going dark, the camera continues to show the last frame it saw.
Right now, this attack on Amazon Key is a proof-of-concept and does require a specific set of conditions in order to be successfully achieved. In response to the WIRED piece, Amazon said that it’s drivers go through a thorough background check, and that the company was issuing an update to the software to provide faster notifications if the camera goes offline.
“The type of attack used to turn off the Amazon Cloud Cam is not esoteric, nor is it difficult to execute although it would be only available to rogue delivery drivers,” said Stacey Higginbotham, creator of the Internet of Things Podcast, “The bigger question here is whether or not consumers are ready to trust a company like Amazon inside their home and whether the insurance industry is ready to stand behind this type of access technology when people are inevitably hurt by those misusing the system. I think only then will the mainstream feel comfortable adopting it.”
And getting the mainstream comfortable is crucial for Amazon as it looks to expand further into grocery delivery, a huge reason it spent $13.7 billion to acquire Whole Foods. Additionally, as Mike pointed out today, the company is integrating with AllRecipes to create what amounts to an on demand meal kit service. Having all the ingredients delivered on the day you want to make a particular meal, even when you aren’t home, is critical for that type of same day service to work.