In case you weren't already skeeved out by-- the e-commerce giant's service that lets couriers deliver packages directly inside your home -- security researchers raised new concern Thursday.
A simple program could freeze the video feed of the security camera monitoring your door, a vulnerability that could let a thief inside while victims obliviously watch an image of a safely closed door, according to a Wired report.
Amazon Key uses the company's new Cloud Cam security camera, a smart door lock and the new Key app to let delivery people remotely unlock your door, set your packages down and relock your home with your goodies inside.
But a proof-of-concept attack by Rhino Security Labs researchers disabled Amazon's Cloud Cam and kept it frozen on a single image. The program, which could be run from any computer within Wi-Fi range, pretends to be a router and sends a command over and over to keep the Cloud Cam offline and frozen. It works through deauthentication commands, a common attack that kicks victims off networks and affects most devices using Wi-Fi. Amazon Cloud Cam doesn't turn off when it's disconnected, instead remaining frozen on whatever the last image was.
An Amazon spokeswoman said Key's delivery drivers must pass a comprehensive background check that is verified by Amazon before they can make in-home deliveries. She also said every delivery is connected to a specific driver and that before the door is unlocked for deliveries, Amazon verifies the correct driver is at the right address, at the intended time.
"We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online," she added.
First published Nov. 16, 9:32 a.m. PT.
Update, 11:20 a.m.: Adds comment from Amazon.