
Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com) 106

Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
  • So what? (Score:3, Interesting)

    by Anonymous Coward on Thursday November 16, 2017 @02:30PM (#55564271)

    If you're dumb enough to let random delivery workers into your house without you being present, you're asking for trouble. Security flaws or not, you're an idiot if you allow this. You're asking for trouble.

    • People already allow housekeepers and babysitters into their homes. How is this different?

      • Re:So what? (Score:5, Insightful)

        by ClickOnThis ( 137803 ) on Thursday November 16, 2017 @03:01PM (#55564539) Journal

        People already allow housekeepers and babysitters into their homes. How is this different?

        You get to interview them first?

      • Some people only allow in housekeepers while they are home. Others may interview housekeepers first before giving them a key, and insisting on the housekeeper being insured and/or bonded. The housekeeper probably has access to a very limited number of homes compared to an Amazon / FedEx / UPS / etc delivery boy. Having some kind of "master key" to a large number of homes gives the feeling of being less likely to get caught.

        As for babysitters, you are entrusting them with the care of another human(s),
        • babysitter = neighbor's teenaged son or daughter who when they're not babysitting are either at school, playing video games, getting drunk and/or humping.

          Background check a babysitter? What the hell are you talking about? What kind of a neighborhood do you live in? Are you seriously planning on raising a kid where there are no other kids? Where will they go to school? There are teenagers needing cash everywhere. Make friends with a neighbor and ask them if they'd trust their pierced and tattooed teenaged bra
          • If you hire your neighbor's kid as a babysitter, then my point still stands that it is quite different than letting Amazon delivery into your home. You know the neighbor. You (presumably) know the kid.

            Yes. Background check an adult babysitter. You can live in a very nice neighborhood and still do this. Just because YOU live in a nice neighborhood doesn't mean that the babysitter is nice. Especially if hired by a service. I would also point out that some very bad people who do some very bad things
    • Dear Amazon,

      I heard that your goal is to cut delivery times, the target delivery time is one hour, is that right?

      Well, in all my days of dealing with technology, I noticed one very fast delivery mechanism. It is so fast and so simple.

      Seeing as how the delivery person is merely an interface between the storage and the home, there is already an existing technology that reduces the delivery interface. I'll bet you already know what that technology is, because you're incredibly smart. But for the other people o

  • Shocked to learn that such a "well thought out idea" like letting random strangers into your house to drop off a package via an automatic door unlocker and camera would have a security flaw.

    I mean, damn. What are the odds of this happening? Surely, Amazon would have tested this out before rolling out the system, instead of rushing it out the door in a mad grab for even more cash.

    Right?

    Right?

    • No. You are wrong. And you should NOT be shocked. Amazon would indeed rush this out without sufficient testing -- even without the motive of a grab for more cash. A more important concern you should have is whether Amazon has these people insured and/or bonded. Can access to your house be obtained by hacking Amazon or something the delivery person has? So do not assume the idea is well thought out, nor that even more security flaws won't be found.
      • Oh, I'm absolutely positive that Amazon takes no responsibility for the actions of the deliveryperson, who is an independent contractor, employed by a company not associated with Amazon. If they lift something from your house, Amazon will express their regrets, and that's about all you'll ever get from them.

        Heck, they've started using Amazon Logistics in my area now, and when the guy can't find my house, the order gets "lost". Then Amazon informs me that I'll need to re-place the order and they'll issue me

  • by 93 Escort Wagon ( 326346 ) on Thursday November 16, 2017 @02:35PM (#55564317)

    The good: Amazon promises they'll be pushing out a patch this week.

    The bad: It's about as bad a failure mode as is possible: "Most disturbingly, Amazon's camera doesn't respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected."

    Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.

    • by fluffernutter ( 1411889 ) on Thursday November 16, 2017 @02:39PM (#55564357)
      I'd say 'the bad' is that you never really know if every flaw is patched.
      • by phantomfive ( 622387 ) on Thursday November 16, 2017 @02:44PM (#55564401) Journal

        I'd say 'the bad' is that you never really know if every flaw is patched

        No, you know the answer. The answer is No, they're not patched.

      • I'd say 'the bad' is that you never really know if every flaw is patched.

        Sure you do.

        There will always be unpatched flaws. This is true of everything.

        On the other hand the probability that some deliveryman has access to an unknown 0day and is willing to use it to steal from you is quite low. Much lower than the probability that some random burglar is willing to break your window in order to steal from you. A regular stream of vulnerability reports like this is a good thing, because it means researchers are paying attention. It's better if the researcher practices responsible

        • You're right, far more concerning that someone on the internet finds a 0day and puts your Amazon camera on some open website. Probably more likely than getting robbed at all. Good thinking.
          • You're right, far more concerning that someone on the internet finds a 0day and puts your Amazon camera on some open website.

            No, I don't think that would be particularly likely. It would require a much deeper compromise of the device. And if someone had such a deep compromise, why would they bother using it to stream a picture of your front door? Well, maybe yours is much more interesting than mine.

    • Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.

      If that is actually worse or not might depend on if you keep your smoke detectors serviced, and have fire insurance...

      • by nasch ( 598556 )

        Smoke detectors don't do any good if there's nobody home to hear them. Unless maybe your smoke detectors automatically call 911 like they do in office buildings, but that seems unlikely.

        • You missed the point; if you're not home, you're also not dying in the fire. That was why I talked about smoke detectors at all; if you're home and die in the fire, then you don't care about insurance! If you didn't die in the fire, then it is an insurance matter.

          If somebody robs you, and has a frozen-frame video to "prove" they were never there, then you could lose [whatever you have of value in your house] and you might not even have an insurance claim! You could even be threatened with making a false pol

    • I just got and am returning an Arlo camera system from Netgear. Good hardware HORRIBLE implementation -- like most IOT. It doesn't come with a package that unlocks the door... But it is another example of (video and sound!) sensitive data being sent out over the Internet without the average consumer even having an idea that they have just 'bugged' their own home. If products have warnings about kids suffocating on the wrapper, why don't these IOT gadgets have warnings like: Caution Do not point camera at
      • It should be assumed that any voice activated "Internet of Things" device is recording your commands/queries/whatever for transmission back to the company that sells the device. These days, there's no way any company is going to pass up the opportunity to accumulate big data on their customers.

    • if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.

      Is that before or after the thief who disabled it is able to get out?

  • Hacking my door takes an axe.

    • You know, they make steel doors.

  • How about providing a *wired* (capable) camera. Many people might not use that, but I would be willing to run some CAT5 for extra security or, rather, confidence.

    • by psergiu ( 67614 )

      CAT5 ? To connect to your brand new 486DX 66Mhz PC ?
      Maybe you can just run two parallel iron wires and send long and short electrical signals over them.

      • CAT5 ? To connect to your brand new 486DX 66Mhz PC ?

        I have CAT5e [ which is what I meant by CAT5 - geesh (can one even easily buy just CAT5 anymore?) ] throughout my house and run my gigabit devices over it just fine Mr. Pedantic McSnobby.

  • Look, stop trying to invent new tech.

    Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.

    It was opened by a key the delivery people had. And inside by a key the owner had (different door).

    It was used for ice deliveries, package deliveries, milk deliveries.

    Do that. Add a camera or sensor to that.

    Don't make the door to your house be open to delivery

    • Look, stop trying to invent new tech.

      Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.

      ...

      SERIOUSLY!

      This is not actually true. "Seriously."

      The outside world really exists; order some dark sunglasses and in a few days after they're delivered, go outside and check! You'll find almost all the houses were built before the 1980s, and they don't have these boxes.

    • Came here to post this solution. You beat me to it. I grew up in a house that had a milk box. It was actually used for milk

      But what we need is something larger than a milk box. Maybe an outdoor shed that does double-duty as garden storage. Or maybe just use a garage if you have one?

    • Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.

      Maybe in the area where you live, but not around here (Canada).

      It's a good idea, though. Instead of this crappy "Amazon Key" crap with a camera, they should be selling the "Personal Amazon Box", something you secure to your house and that the delivery guy has access to. Not the whole fucking hous

      • Actually, I've seen them in BC and Alberta, which are both in Canada.

      • by mysidia ( 191772 )

        "Personal Amazon Box", something you secure to your house and that the delivery guy has access to. Not the whole fucking house.

        Ah.... another thing for the HOA to complain about. The brighter the colors and the more flamboyant the Amazon branding on the large box, the better.

    • by Anonymous Coward

      Who says you can't do this? Just hack up an Amazon Key to open your special delivery box door instead of the front door. Then put a sign saying: "Amazon deliveries here" or something. It will work itself out and you'll properly receive the deliveries.

  • Note, I'd never use this, but...

    As I understood the plan originally, the code that they give the delivery person to open the door is a one-time code. So, if the would-be thief has no way to get in again, how is this a total failure? I'd also bet that both the usage time of the code and whether the door was left locked are both sent back to Amazon. They obviously have communication with the lock if they can set a one-time code.

    • by Anonymous Coward

      Simple.

      * Set up your WiFi hacking equipment outside the front door, but don't do anything with it yet.
      * Indicate you're ready to do the delivery to Amazon.
      * Get your one time code.
      * Open the door.
      * Deliver the package normally.
      * Return to the door.
      * Close the door, but do NOT release the knob/latch (i.e. don't let the door relatch). This is possible with almost all doors that open on a latch, and will be visually indistinct from closing the door and letting it latch.
      * Activate your hacking gear outside the

      • by sinij ( 911942 )
        Getting inside the house is not an issue, a crowbar will open most residential doors. The issue is information, or what door to open and when. Amazon delivery offers risk-free method to collect such information. Camera, even when working, does very little to stop you looking around.
      • Smart locks are almost always dead-bolts and know whether or not the bolt was thrown. It should not report closed and locked if it isn't.

        Also, if you burgle the place on the same day, you're caught. It is extremely unlikely that the police won't be able to find further evidence given that they will know exactly who to look at. In addition, if they ever got away with it once, they won't get away with it again. They'd likely be fired just on the possibility that they committed the crime - firing does not requ

  • Even after the flaw is fixed, what's to stop someone from jamming the wifi signal while they take everything you own?

  • by Anonymous Coward

    Why not give everyone a key to the Amazon warehouse. I'm sure if Amazon has good enough security and tracking, its users can be trusted.

    Amazon wants me to trust them, why doesn't Amazon trust me?

    Why can't Amazon ship me stuff while awaiting payment, why don't they take cheques? promissory notes? trades?

  • I don't see how this is different than the delivery man simply reaching over and unplugging the Camera's data or power cable. Not sure how Amazon is going to patch that...
  • They did something like this in the movie Speed.

  • Full disclosure: I'm a big Amazon fan and love my Prime subscription.

    Who, honestly, would think it's a good idea to let delivery drivers INTO YOUR HOUSE? In what Mayberry-like universe is this a good idea? I'm perfectly fine with UPS or whoever leaving the package at the side garage or at the front door. In no shape or form do I want or need a driver depositing the package in my foyer. I get all of the IoT madness but this is extremely over the top and doesn't come remotely close to a good idea.
  • The wifi signal could be swamped out by a strong enough transmitter, also. Wifi security cameras are convenient and easy to set up (I have a couple) but may not be appropriate for the most sensitive locations. My doorway cam is hard wired to a computer in the garage. To foil a physical brute force attack (break into the house and steal the surveillance computer) the computer emails me and puts the clip on dropbox when the motion sensor trips. Even that isn't a perfect solution, but at some point you hav

  • So they've done their job. Amazon should fix it. The researchers should continue to do their job. Amazon should keep fixing what they find.

    Isn't that the whole point? No software is perfect, even through rigorous QA, shit gets through. Sure, it's broken, people can exploit it. So Amazon should fix it.
    You need a criminal who's smart enough and desperate enough to try and pull this off. If you're seriously worried about this, add your own camera and DON'T connect it to the internet. Your paranoia has just bee

  • This whole "let some random guy into your home" thing is just a terrible idea.

    If Amazon would let people put a sturdy locker on their property that could (theoretically) only be opened by a driver making deliveries, I'd be much more inclined to go with something like that as a solution. Fasten it securely to something and the worst that could happen is the locker itself is stolen.

    But letting some rando into my home to drop shit off is NEVER EVER going to happen, period. NE-VER.

  • The solution to this problem is an add-on to the Amazon Echo that makes it so that when the delivery guy unlocks the door, then steel bar cages immediately create a secured path between the door and the kitchen table and refrigerator. I would recommend a few altered Sony Aibos with teeth to follow and guard the criminal closely.
