Security researchers found some glaring Amazon Key vulnerabilities
The service model offered by Amazon Key, which gives the company's delivery corps access to customers' homes via smart lock, sounds kind of sketchy under the best circumstances. Amazon, however, assured potential customers there'd be nothing to worry about with Key — the system offers 24/7 monitoring via the Alexa-enabled Cloud Cam to monitor deliveries.
That security safeguard doesn't look quite so foolproof after a group of researchers from Rhino Security Labs discovered multiple techniques to knock out the Cloud Cam and enter a house equipped with a Key system undetected. The group shared its findings with Wired and, in two videos, demonstrated the techniques behind the relatively simple hacks, which could allow unscrupulous delivery people to move around Key-enabled homes undetected.
All it takes to knock out the camera is a computer running the right software within range of the home's Wi-Fi network. The first demonstration shows the "delivery person" unlocking the door using the PIN code, entering the room to deliver a package, and closing the door behind them, just like they should.
Instead of locking the door, however, the thief runs a "deauth" program to temporarily kick the Cloud Cam off the Wi-Fi network. The denial of service (DoS) script keeps the camera from coming back online for as long as the intruder requires, as the program loops the last frame recorded before going offline. Any live viewers or homeowners reviewing the recording are none the wiser.
After moving out of the camera's range and locking the door to avoid suspicion, the thief could move around the home as they liked.
The second attack is less likely to be put into practice IRL, but it's still worth highlighting. The same style of DoS is used to knock out the Cloud Cam, but the delivery person isn't the thief.
Instead, an unassociated hacker waits for the courier to drop off a package, then triggers the attack before the door is re-locked. Unfortunately, the Key Lock's Wi-Fi connection is through the Cloud Cam — so when the Cam is knocked offline, the Lock goes with it. Once the delivery person is out of the picture, the thief could access the house unimpeded.
Both of these scenarios depend on other variables to actually work without tipping off the system — the delivery person has to exit through another door in the first, while the second hinges on perfect timing and sloppy delivery work — but the vulnerabilities are worth highlighting.
Amazon is aware of the Rhino researchers' findings, but downplayed the actual threat they might pose if put into practice. The company pointed out to us in an email that all Key deliveries have time-stamped reports detailing how long doors are opened, and that the company alerts customers if the camera goes offline for extended periods of time.
Amazon also trusts its delivery people. A company rep told us that Amazon verifies all of its drivers with a "comprehensive background check," and emphasized how each assignment is tied to an individual driver, so any funny business would be immediately detected.
Still, Amazon will issue an update to the Key software to notify users more quickly if the camera goes offline during delivery, and the service won't unlock the door if the Wi-Fi is disabled and the camera is not online.
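The two mitigations Amazon describes (refusing to unlock while the camera is offline, and alerting promptly when the camera drops during a delivery) can be expressed as a small monitor over camera heartbeats and lock events. This is an added illustration, not Amazon's code; the heartbeat timeout, event names and the replayed event log are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed policy constant (not from the article): a camera that has sent no
# heartbeat for this many seconds is treated as offline.
CAM_TIMEOUT = 15

@dataclass
class KeyMonitor:
    """Tracks camera liveness against lock events for one Key-enabled door."""
    last_heartbeat: float = -1.0
    door_open_since: Optional[float] = None
    open_alerted: bool = False
    alerts: List[Tuple[float, str]] = field(default_factory=list)

    def camera_online(self, now: float) -> bool:
        return self.last_heartbeat >= 0 and now - self.last_heartbeat <= CAM_TIMEOUT

    def handle(self, ts: float, kind: str) -> Optional[str]:
        if kind == "cam_heartbeat":
            self.last_heartbeat = ts
        elif kind == "unlock_request":
            # Mitigation from the article: no unlock while the camera is offline.
            if not self.camera_online(ts):
                self.alerts.append((ts, "unlock denied: camera offline"))
                return "deny"
            self.door_open_since, self.open_alerted = ts, False
            return "allow"
        elif kind == "lock":
            self.door_open_since = None
        elif kind == "tick":
            # Camera dropping off Wi-Fi while the door is open is the deauth pattern;
            # alert once per open-door window rather than on every tick.
            if (self.door_open_since is not None and not self.open_alerted
                    and not self.camera_online(ts)):
                self.alerts.append((ts, "camera offline while door open"))
                self.open_alerted = True
        return None

def run_scenario(events):
    """Replay (ts, kind) events; return the unlock decisions and alerts raised."""
    mon = KeyMonitor()
    decisions = [d for d in (mon.handle(ts, k) for ts, k in events) if d is not None]
    return decisions, mon.alerts

# Constructed replay of the first Rhino scenario: heartbeats stop right after the
# courier unlocks, the door stays open, then a second unlock is tried while offline.
DEAUTH_SCENARIO = [
    (0, "cam_heartbeat"), (5, "cam_heartbeat"), (10, "cam_heartbeat"),
    (12, "unlock_request"),      # camera live: allowed
    (20, "tick"), (30, "tick"),  # no heartbeat since t=10: offline by t=30
    (40, "lock"),
    (45, "unlock_request"),      # still offline: denied
]

if __name__ == "__main__":
    print(run_scenario(DEAUTH_SCENARIO))
```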