Amazon's 'in-home deliveries' could turn into robberies


Couriers are issued with a one-time code that allows them to unlock the door once, and Amazon takes into account factors like the delivery person's physical location and the time at which they're present to decide whether to open the door.

However, security researchers claim to have been able to hack and freeze the Cloud Cam using a computer (or, the researchers point out, a handheld device built using a Raspberry Pi) within Wi-Fi range.

The hack exploits a bug in Wi-Fi devices that lets nearby attackers overload them with a series of "deauthorisation" commands. Amazon, however, assured potential customers there'd be nothing to worry about with Key: the system offers 24/7 monitoring of deliveries via the Alexa-enabled Cloud Cam.

Amazon may have pitched the Cloud Cam as a key security feature of Amazon Key, but researchers have demonstrated a huge flaw that could leave customers thinking twice about giving couriers virtual keys. Rhino Labs founder Ben Caudill told Wired that fully fixing the loophole would need to involve caching video locally even if the camera is disconnected from the network.

"It's an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network", the report notes.


After a deliveryman closes a door to leave a home, there's a brief window of time in which an attacker, perhaps someone lurking in the bushes or in a nearby vehicle, can send out his own deauthorization script, similar to the first attack. The customer wouldn't even get a notification on their phone that the camera is offline. Amazon, for its part, links each delivery to a specific driver and checks that it is the right driver at the right address. And if something does go wrong, Amazon said, it works with the customer to fulfill Amazon's Happiness Guarantee if any products or property are damaged.

Discovered by Seattle-based security firm Rhino Security Labs, the flaw focuses on what is known as a "deauthorization", or deauth for short. Unfortunately, the Key Lock's Wi-Fi connection is through the Cloud Cam, so when the Cam is knocked offline, the Lock goes with it. "Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery," Amazon said.

Amazon Key is available to Amazon customers who have bought Amazon's own Cloud Cam security camera and installed it at their front door. The survey also found that 53 percent of respondents said the idea of the virtual key service makes them "very uncomfortable". The parcel is delivered as expected, so as not to raise any suspicion; however, once the program is run, the courier has the ability to re-enter the home without alerting the Cloud Cam or appearing in the history of authorised unlocks.

Amazon's Cloud Cam responds by freezing on the last frame filmed.
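As an added illustration (not code from the article, Amazon or Rhino Security Labs), the sketch below flags a burst of 802.11 deauthentication frames, the "deauthorization" commands described above, aimed at one device and checks whether the burst overlaps a delivery window, which is when the camera would be knocked offline during a delivery. The MAC addresses, frame records, thresholds and delivery windows are constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH = 0x0C  # 802.11 management-frame subtype for deauthentication
CAMERA = "02:00:00:00:00:aa"   # constructed MAC standing in for the camera
AP = "02:00:00:00:00:01"       # constructed MAC standing in for the home router

def find_deauth_floods(frames, window=5.0, threshold=10):
    """Map (bssid, station) -> (start, end) of a deauth burst.

    A pair is flagged once `threshold` deauth frames fall within `window`
    seconds; an isolated deauth (normal roaming or reboot) never is.
    Simplification: one interval per pair, from the first flagged burst's
    start to the last flagged frame.
    """
    recent = defaultdict(deque)
    floods = {}
    for ts, subtype, bssid, station in sorted(frames):
        if subtype != DEAUTH:
            continue
        q = recent[(bssid, station)]
        q.append(ts)
        while ts - q[0] > window:      # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            start = floods.get((bssid, station), (q[0], ts))[0]
            floods[(bssid, station)] = (start, ts)
    return floods

def deliveries_hit(floods, deliveries, station):
    """Return ids of delivery windows that overlap a flood against `station`."""
    hits = []
    for delivery_id, begin, end in deliveries:
        for (_, target), (f_start, f_end) in floods.items():
            if target == station and f_start <= end and f_end >= begin:
                hits.append(delivery_id)
                break
    return hits

# Constructed sample capture: (timestamp_s, subtype, bssid, station)
SAMPLE_FRAMES = (
    [(t, 0x08, AP, "ff:ff:ff:ff:ff:ff") for t in (99.0, 999.0, 1001.0)]  # beacons
    + [(100.0, DEAUTH, AP, CAMERA)]                                     # lone deauth
    + [(1000.0 + i * 0.1, DEAUTH, AP, CAMERA) for i in range(40)]       # burst
)
# Constructed delivery windows: (id, unlock_time_s, relock_deadline_s)
DELIVERIES = [("delivery-0", 50.0, 120.0), ("delivery-1", 990.0, 1030.0)]

if __name__ == "__main__":
    floods = find_deauth_floods(SAMPLE_FRAMES)
    print(floods, deliveries_hit(floods, DELIVERIES, CAMERA))
```

On the sample data only the 40-frame burst is flagged, and only the second delivery window overlaps it; the lone deauth at t=100 is ignored.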
