Rogue couriers can enter your home by disabling the Amazon Key smart lock

Not so smart, after all

It's only been a few weeks since Amazon introduced its latest consumer convenience/privacy nightmare innovation known as the Amazon Key: an ingenious way to let couriers deliver items without poking around in your begonias.

Amazon Key uses a smart lock from Yale or Kwikset, plus an Amazon Cloud Cam security camera. Couriers can enter the property after scanning a barcode, which is checked against Amazon's own records in the cloud to make sure that they're in the right place at the right time. The camera also records the delivery.

However, only a week after the product was launched, it has been broken by security researchers, who managed to hack and freeze the Cloud Cam using a computer (or, the researchers point out, a handheld device built using a Raspberry Pi) within WiFi range.

A rogue courier could make a delivery and leave the property as normal, but disable the system before the door is re-locked. The frozen camera would not show them returning to the house, and it is up to them to relock the door.

Researchers at Rhino Labs discovered the vulnerability. Founder Ben Caudill told Wired, "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism."

The technique, known as deauth (because it sends a series of deauthorisation commands to the Cloud Cam), is an issue for most WiFi devices. An attacker can spoof commands from a router that can kick a device off of a WiFi network temporarily. The danger comes from the complete lack of alert from the Amazon Key: the camera doesn't go dark or send a warning to the homeowner, but only shows the last frame from when it was connected.

In a statement, Amazon said, ‘We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.'

Malwarebytes published a warning about Amazon's Key service just after it was announced, specifically mentioning the vulnerability of WiFi compared to alternatives like Bluetooth LE.