IT'S ONLY BEEN a few weeks since Amazon introduced the Amazon Key, a new product that lets courier into your house without all that messing around with being nice to people.
Amazon Key uses a smart lock from Yale or Kwikset, plus an Amazon Cloud Cam security camera. Couriers can enter the property after scanning a barcode, which is checked against Amazon's own records in the cloud to make sure that they're in the right place at the right time. The camera also records the delivery.
However, just weeks after the product was launched it has been broken by security researchers, who managed to hack and freeze the Cloud Cam using a computer (or, the researchers point out, a handheld device built using a Raspberry Pi) within WiFi range.
This means that rogue courier could, in theory, make a delivery and leave the property as normal, but disable the system before the door is re-locked. The frozen camera would not show them returning to the house, and it is up to them to relock the door.
Researchers at Rhino Labs discovered the vulnerability. Founder Ben Caudill told Wired: "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."
The technique, known as deauth (because it sends a series of deauthorisation commands to the Cloud Cam), is an issue for most WiFi devices. An attacker can spoof commands from a router that can kick a device off of a WiFi network temporarily. The danger comes from the complete lack of alert from the Amazon Key: the camera doesn't go dark or send a warning to the homeowner, but only shows the last frame from when it was connected.
In a statement, Amazon said: "We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."
Malwarebytes published a warning about Amazon's Key service just after it was announced, specifically mentioning the vulnerability of WiFi compared to alternatives like Bluetooth LE. µ
Lawyers, start your engines
Classic clumsy cloud configuration creates cryptojacking challenge
And it's not even Alexa enabled
Expect Snapdragon 845, bezel-free screens and, er, no headphone jack