Watch CBS News

Researchers find "simple" way to hack Amazon Key

Amazon Key security flaws?
Security experts find serious flaws in Amazon Key 03:46

Cybersecurity researchers are raising concerns about Amazon's new service that lets drivers deliver packages inside your home. Amazon Key is a way for drivers to unlock and relock your door and record their entry with a wireless security camera, but that convenience may come with a serious risk.

The findings of one security research firm raise questions about whether that camera is capturing what's really going on, reports CBS News correspondent Anna Werner.

When CBS News asked cybersecurity expert John Sileo about the new in-your-home delivery service back in October, he said "If it's digital it's hackable." 
 
"I want to see the hackers get a chance at it and see what they do with it," Sileo said.

Amazon shoppers will soon have option of in-home delivery 02:10

Three weeks later? They have had their chance – and say they've already found flaws.
 
Here's how Amazon says it's supposed to work: For $249 the company sells you a special smart door lock, along with an in-home wireless camera aimed at the door. A delivery driver uses an app to alert Amazon they have arrived. The company then activates the camera and unlocks the door remotely. The driver drops off the package, steps outside and tells Amazon to lock the door. 

But now, researchers from Rhino Security Labs say they've found a weakness in the security camera system. It's called a de-authentication attack.

"An attacker can walk in and leave and you won't be able to see anything, and there won't be a record," said Chris Lakin, an engagement manager at Rhino.

In a Rhino Security demo, a mock driver finishes dropping off a package. Then he or a nearby hacker sends commands to the Wi-Fi server the security system relies on and temporarily takes the camera offline before the door locks again.

"This is a really simple thing to do it takes just one command," Lakin said.
 
So while a customer's app still shows a closed door, a would-be burglar could walk inside without the camera seeing him. 

"By being able to disable the camera, we're essentially reducing that security to essentially just providing a physical key to your home," said Rhino's CEO Ben Caudill.  

ctm-111717-amazonkey-1.jpg
Demo showing how a nearby hacker could send commands to the Wi-Fi server the security system relies on and temporarily take the camera offline before the door locks again.  Rhino Security Labs  


 Amazon says that flaw isn't in its software, it's a vulnerability all Wi-Fi servers contain.
 
The company plans to put a software update out later this week, to "more quickly provide notifications if the camera goes offline during delivery" and make sure the "service will not unlock the door if the Wi-Fi is disabled and the camera is not online." Amazon also called these types of attacks "unlikely."

Caudill disagrees.

"Based on the simplicity of the attack, $20 and some really freely available software you can implement this yourself. It's not a trivial attack," he said.

Amazon told CBS News they do not believe customers would be put at risk by this. In their view it is not a security issue and they say they thoroughly background-check their delivery drivers. However, Caudill told us he and his researchers were surprised to find this kind of a vulnerability in a system that literally opens people's doors.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.