Security researchers found some glaring Amazon Key vulnerabilities
The service model offered by Amazon Key, which gives the company's delivery corps access to customers' homes via smart lock, sounds kind of sketchy under the best circumstances. Amazon, however, assured potential customers there'd be nothing to worry about with Key — the system offers 24/7 monitoring via the Alexa-enabled Cloud Cam to monitor deliveries.
That security safeguard doesn't look quite so foolproof after a group of researchers from Rhino Security Labs discovered multiple techniques to knock out the Cloud Cam and enter a house equipped with a Key system undetected. The group shared its findings with Wired and, in two videos, demonstrated the techniques behind the relatively simple hacks, which could allow unscrupulous delivery people to move around Key-enabled homes undetected.
All it takes to knock out the camera is a computer running the right software within range of the home's Wi-Fi network. The first demonstration shows the "delivery person" unlocking the door using the PIN code, entering the room to deliver a package, and closing the door behind them, just like they should.
Instead of locking the door, however, the thief runs a "deauth" program to temporarily kick the Cloud Cam off the Wi-Fi network. The denial of service (DoS) script keeps the camera from coming back online for as long as the intruder requires, as the program loops the last frame recorded before going offline. Any live viewers or homeowners reviewing the recording are none the wiser.
After moving out of the camera's range and locking the door to avoid suspicion, the thief could move around the home as they liked.
The second attack is less likely to be put into practice IRL, but it's still worth highlighting. The same style of DoS is used to knock out the Cloud Cam, but the delivery person isn't the thief.
Instead, an unassociated hacker waits for the courier to drop off a package, then triggers the attack before the door is re-locked. Unfortunately, the Key Lock's Wi-Fi connection is through the Cloud Cam — so when the Cam is knocked offline, the Lock goes with it. Once the delivery person is out of the picture, the thief could access the house unimpeded.
Both of these scenarios depend on other variables to actually work without tipping off the system — the delivery person has to exit through another door in the first, while the second hinges on perfect timing and sloppy delivery work — but the vulnerabilities are worth highlighting.
Amazon is aware of the Rhino researchers' findings, but downplayed the actual threat they might pose if put into practice. The company pointed out to us in an email that all Key deliveries have time-stamped reports detailing how long doors are opened, and that the company alerts customers if the camera goes offline for extended periods of time.
Amazon also trusts its delivery people. A company rep told us that Amazon verifies all of its drivers with a "comprehensive background check," and emphasized how each assignment is tied to an individual driver, so any funny business would be immediately detected.
Still, Amazon will issue an update to the Key software to notify users more quickly if the camera goes offline during delivery, and the service won't unlock the door if the Wi-Fi is disabled and the camera is not online.
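The two changes described above (refusing to unlock when the camera is not online, and alerting sooner when it drops during a delivery) amount to a fail-closed check plus a gap audit over the delivery window. The sketch below is an added example, not Amazon's code; the `Event` type, the event names and the 5-second heartbeat threshold are assumptions.

```python
from dataclasses import dataclass

MAX_GAP = 5.0  # assumed: seconds without a camera heartbeat before it counts as offline

@dataclass
class Event:
    t: float    # seconds since the delivery window opened
    kind: str   # "heartbeat", "unlock_request" or "lock" (assumed names)

def may_unlock(last_heartbeat, now, max_gap=MAX_GAP):
    """Fail closed: allow an unlock only if the camera was seen recently."""
    return last_heartbeat is not None and (now - last_heartbeat) <= max_gap

def audit_delivery(events, max_gap=MAX_GAP):
    """Return (alert, start, end) tuples for one delivery window."""
    alerts, last_hb, unlocked_since, reported = [], None, None, None
    for ev in sorted(events, key=lambda e: e.t):
        # Camera silent for too long while the door is unlocked: report once per gap.
        silent = last_hb is not None and ev.t - last_hb > max_gap
        if silent and unlocked_since is not None and reported != last_hb:
            alerts.append(("camera_offline_while_unlocked", last_hb, ev.t))
            reported = last_hb
        if ev.kind == "heartbeat":
            last_hb = ev.t
        elif ev.kind == "unlock_request":
            if not may_unlock(last_hb, ev.t, max_gap):
                alerts.append(("unlock_refused_camera_offline", ev.t, ev.t))
                continue  # door stays locked
            unlocked_since = ev.t
        elif ev.kind == "lock":
            unlocked_since = None
    # The lock reports through the camera, so a window that ends without a
    # "lock" event means the door state is unknown, not safe.
    if unlocked_since is not None:
        alerts.append(("no_lock_confirmation", unlocked_since, None))
    return alerts

# Constructed timeline: the camera goes silent right after the door is unlocked.
SAMPLE = ([Event(t, "heartbeat") for t in (0, 2, 4, 6, 8)]
          + [Event(9, "unlock_request"), Event(10, "heartbeat"),
             Event(70, "heartbeat"), Event(72, "lock")])

if __name__ == "__main__":
    for alert in audit_delivery(SAMPLE):
        print(alert)
```

In practice the gap check would run on a timer rather than on the next event, so the alert fires while the camera is still silent instead of after it returns.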
(Editor in charge: Product Center)