Hackers can freeze the camera that lets you know whether your "Amazon Key" equipped door is locked and who is using it

Security researchers from Rhino Security Labs have shown that it is trivial to disable the Amazon Cloud Cam that is a crucial component of the Amazon Key product — a connected home door-lock that allows delivery personnel to open your locked front door and leave your purchases inside — and have demonstrated attacks that would allow thieves to exploit this weakness to rob your home.

The vulnerability involves a simple, devastating attack on the camera, in which overwhelming its wifi connection with trivial-to-generate junk traffic causes it to lock up, so that all you see is the last image it transmitted before the attack — thus a well-timed attack would show your door to be closed and locked when it was open.

The camera itself serves as the internet gateway for Amazon Lock, with which it communicates via the notoriously insecure Zigbee protocol. Knocking the camera offline also disconnects your door-lock.

This could allow unscrupulous delivery people to let themselves into your home without your knowledge, though the audit trail left behind by the system would make it easy to tell who was the last person the system authorized to enter your home.

More dangerously, a thief who trailed a delivery person could take advantage of the situation by timing their attack to coincide with the unlock, while simultaneously disabling the camera — though they would have to trick the delivery person into leaving the door unlocked behind them.

Amazon is promising to patch its systems, but the Rhino recommendation is "Don't use Amazon Key."

That so-called deauth technique isn't exactly a software bug in Cloud Cam. It's an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network. In this case, Rhino's script sends the command again and again, to keep the camera offline as long as the script is running. Most disturbingly, Amazon's camera doesn't respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected.

That means the deauth command sent by the delivery-person-turned-hacker standing just outside your door can freeze the camera on the image of a closed door, while he then waltzes in a second time and closes the door behind them. Once inside, the intruder can simply move beyond the view of the Cloud Cam, stop sending the deauth command to allow the camera to reconnect, and hit the lock button on their app. Neither the lock's logs nor the video record would appear amiss to the Amazon Key user, even as a stranger runs amok inside their house.


[Andy Greenberg/Wired]