Security researchers found some glaring Amazon Key vulnerabilities
The service model offered by Amazon Key, which gives the company's delivery corps access to customers' homes via smart lock, sounds kind of sketchy under the best circumstances. Amazon, however, assured potential customers there'd be nothing to worry about with Key — the system offers 24/7 monitoring via the Alexa-enabled Cloud Cam to monitor deliveries.
That security safeguard doesn't look quite so foolproof after a group of researchers from Rhino Security Labs discovered multiple techniques to knock out the Cloud Cam and enter a house equipped with a Key system undetected. The group shared its findings with Wiredand in two videos demonstrated the techniques behind the relatively simple hacks, which could allow unscrupulous delivery people to move around Key-enabled homes undetected.
SEE ALSO:Bluetooth exploit may have impacted 20 million Amazon Echo and Google Home devices, says security firmAll it takes to knock out the camera is a computer running the right software within range of the home's Wi-Fi network. The first demonstration shows the "delivery person" unlocking the door using the PIN code, entering the room to deliver a package, and closing the door behind them, just like they should.
Instead of locking the door, however, the thief runs a "deauth" program to temporarily kick the Cloud Cam off the Wi-Fi network. The denial of service (DoS) script keeps the camera from coming back online for as long as the intruder requires, as the program loops the last frame recorded before going offline. Any live viewers or homeowners reviewing the recording are none the wiser.
After moving out of the camera's range and locking the door to avoid suspicion, the thief could move around the home as they liked.
The second attack is less likely to be put into practice IRL, but it's still worth highlighting. The same style of DoS is used to knock out the Cloud Cam, but the delivery person isn't the thief.
Instead, an unassociated hacker waits for the courier to drop off a package, then triggers the attack before the door is re-locked. Unfortunately, the Key Lock's Wi-Fi connection is through the Cloud Cam — so when the Cam is knocked offline, the Lock goes with it. Once the delivery person is out of the picture, the thief could access the house unimpeded.
Both of these scenarios depend on other variables to actually work without tipping off the system — the delivery person has to exit through another door in the first, while the second hinges on perfect timing and sloppy delivery work — but the vulnerabilities are worth highlighting.
Amazon is aware of the Rhino researcher's findings, but downplayed the actual threat they might pose if put into practice. The company pointed out to us in an email that All Key deliveries have time-stamped reports detailing how long doors are opened and the company alerts customers if the camera goes offline for extended periods of time.
Amazon also trusts its delivery people. A company rep told us that Amazon verifies all of its drivers with a "comprehensive background check," and emphasized how each assignment is tied to an individual driver, so any funny business would be immediately detected.
Still, Amazon will issue an update to the Key software to notify users more quickly if the camera goes offline during delivery, and the service won't unlock the door if the Wi-Fi is disabled and the camera is not online.
Featured Video For You
Amazon's new Echo Spot is here to replace your alarm clock
相关文章
Tesla considers adding a new ‘stuck detection' feature to Cybertruck. Here’s why.
By now, you've probably seen the viral videos of the Tesla Cybertruck get stuck trying to do, well,2024-09-22Elon Musk endorsing Kanye, then reconsidering, is the world's shortest love story
It only lasted for three days. When Kanye West announced his candidacy to become President of the Un2024-09-22NK's Kim, Putin exchange congratulatory messages marking 75th anniversary of diplomatic ties
North Korean leader Kim Jong-un, left, and Russian President Vladimir Putin hold talks in Russia, Se2024-09-22- 市农业局专家现场指导梨树的修剪“真是太谢谢你们了,把技术送上门,要不这些梨树的修剪等技术问题,还真不知道该怎么解决。”11月15日,迎来了市、区农业部门的农业技术人员和四川农业大学的教授,雨城区凤鸣乡2024-09-22
- Noelle Mateer ,July 17, 2024 The Techies W2024-09-22
NK suffers $200 mln in foreign currency loss on sanctions: report
North Korea is presumed to have suffered some $200 million in foreign currency loss for nine months2024-09-22
最新评论