Amazon Key hack could make you clueless in a home invasion

A program could freeze the security camera's live feed, making it seem like you're watching a safely closed door while intruders sneak in.

Joan E. Solsman Former Senior Reporter
Joan E. Solsman was CNET's senior media reporter, covering the intersection of entertainment and technology. She's reported from locations spanning from Disneyland to Serbian refugee camps, and she previously wrote for Dow Jones Newswires and The Wall Street Journal. She bikes to get almost everywhere and has been doored only once.
Expertise Streaming video, film, television and music; virtual, augmented and mixed reality; deep fakes and synthetic media; content moderation and misinformation online Credentials
  • Three Folio Eddie award wins: 2018 science & technology writing (Cartoon bunnies are hacking your brain), 2021 analysis (Deepfakes' election threat isn't what you'd think) and 2022 culture article (Apple's CODA Takes You Into an Inner World of Sign)
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Joan E. Solsman
Alfred Ng
2 min read

A demonstration of Amazon Key at a Brooklyn bed and breakfast.

Sarah Tew/CNET

In case you weren't already skeeved out by Amazon Key -- the e-commerce giant's service that lets couriers deliver packages directly inside your home -- security researchers raised new concern Thursday. 

A simple program could freeze the video feed of the security camera monitoring your door, a vulnerability that could let a thief inside while victims obliviously watch an image of a safely closed door, according to a Wired report.

Amazon Key uses the company's new Cloud Cam security camera, a smart door lock and the new Key app to let delivery people remotely unlock your door, set your packages down and relock your home with your goodies inside. 

But a proof-of-concept attack by Rhino Security Labs researchers disabled Amazon's Cloud Cam and kept it frozen on a single image. The program, which could be run from any computer within Wi-Fi range, pretends to be a router and sends a command over and over to keep the Cloud Cam offline and frozen. It works through deauthentication commands, a common attack that kicks victims off networks and affects most devices using Wi-Fi. Amazon Cloud Cam doesn't turn off when it's disconnected, instead remaining frozen on whatever the last image was. 

An Amazon spokeswoman said Key's delivery drivers must pass a comprehensive background check that is verified by Amazon before they can make in-home deliveries. She also said every delivery is connected to a specific driver and that before the door is unlocked for deliveries, Amazon verifies the correct driver is at the right address, at the intended time. 

"We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online," she added. 

First published Nov. 16, 9:32 a.m. PT.
Update, 11:20 a.m.: Adds comment from Amazon.