Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com)
Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
Re: (Score:2)
Go ahead and install an older version and disable updates. Then fork it and backport security fixes and feature updates yourself. Complaining isn't going to solve anything.
Rogue Deliveryman, WTF? (Score:2)
Actually, I don't see a good fit, let's call them Rangers.
But back to our original discussion, what class do we put bicycle repairman under?
Re: (Score:2)
So you're someone who is able to install an extension or add-on but not smart enough to switch to an earlier browser?
NoScript is out of date and provides a false sense of security. Though I understand the way it works is really quite nice for people surfing unusual pornographic sites with click bait everywhere. So I can understand why you might be intrigued by such a program.
Writing a web extension like NoScript is quite simple. If it's so important to you, then maybe I can re
Jeff Bezos Will Always Watch You Poop (Score:1)
So what? (Score:3, Interesting)
If you're dumb enough to let random delivery workers into your house without you being present, you're asking for trouble. Security flaws or not, you're an idiot if you allow this. You're asking for trouble.
Re: (Score:2)
People already allow housekeepers and babysitters into their homes. How is this different?
Re:So what? (Score:5, Insightful)
People already allow housekeepers and babysitters into their homes. How is this different?
You get to interview them first?
Re: (Score:3)
Amazon will vet the delivery people, just like Uber.
Re: (Score:3)
As for babysitters, you are entrusting them with the care of another human(s),
Re: (Score:2)
Background check a babysitter? What the hell are you talking about? What kind of a neighborhood do you live in? Are you seriously planning on raising a kid where there are no other kids? Where will they go to school? There are teenagers needing cash everywhere. Make friends with a neighbor and ask them if they'd trust their pierced and tattooed teenaged bra
Re: (Score:2)
Yes. Background check an adult babysitter. You can live in a very nice neighborhood and still do this. Just because YOU live in a nice neighborhood doesn't mean that the babysitter is nice. Especially if hired by a service. I would also point out that some very bad people who do some very bad things
Re: (Score:2)
Dear Amazon,
I heard that your goal is to cut delivery times, the target delivery time is one hour, is that right?
Well, in all my days of dealing with technology, I noticed one very fast delivery mechanism. It is so fast and so simple.
Seeing as how the delivery person is merely an interface between the storage and the home, there is already an existing technology that reduces the delivery interface. I'll bet you already know what that technology is, because you're incredibly smart. But for the other people o
Re: (Score:2)
Consider moving.
Re: (Score:2)
4. Put a honeypot Amazon box on the doorstep and wait across the street in a tree with a sniper rifle.
Re: (Score:3)
4A. This only works if the thief is Winnie the Pooh.
Re: (Score:3)
4. Put a honeypot Amazon box on the doorstep and wait across the street in a tree with a sniper rifle.
I actually did this after getting some packages stolen. Filled some old amazon boxes with garbage and set them on the porch. Well minus the sniper rifle, and plus some new security cameras. Unfortunately no one tried to steal it (or even checked it out before noticing the cameras.)
Re: (Score:2)
Do you know they were stolen? Or a delivery person said they delivered and you didn't receive them?
I knew they were stolen. I was sent out of town at the last minute, and this was shortly after I had returned from another trip so I couldn't get another "vacation" hold with the various delivery services (you usually have a cooldown unfortunately). It was 4 deliveries from 3 different carriers during the week (it was my Amazon subscribe and save items helpfully showing up a week early), all gone when I got back home. So it was either the last carrier that took all of them (not out of the question) or som
Re: (Score:2)
"Great neighborhood you have there"
This is highly common in affluent areas, actually. They tend to have stuff worth stealing. In fact, I'm looking at a memo sent out right now stating to be on the lookout for vehicles following postal vehicles or UPS/FedEx trucks (guess DHL's not on the watch-for list, good.)
Re: (Score:2)
Unlikely???
Given all the types out there that would absolutely abuse this, it's not unlikely. It's inevitable.
Re: (Score:3)
...if you are dumb enough to accept a whole home burglary to prevent e-mailing an Amazon customer service rep...
It's not accepting a break-in. It's accepting a chance of a burglary. Guess what? There's already a chance that your house might be burgled. This (might) slightly increase that risk.
It's not:
(Cost of home burglary) > (Cost of porch burglary)
It's:
(Change in chance of home burglary)*(Cost of home burglary) ? (Chance of porch burglary)*(Cost of porch burglary)
Re: (Score:2)
So that said... I think we need to sort out this mulatto thing. I mean seriously... black and white makes mulatto... then there's white and oriental, black and oriental, latino and
My wife and daughter are Coconut, I'm Cookie Dough, my
I'm shocked (Score:1)
Shocked to learn that such a "well thought out idea" like letting random strangers into your house to drop off a package via an automatic door unlocker and camera would have a security flaw.
I mean, damn. What are the odds of this happening? Surely, Amazon would have tested this out before rolling out the system, instead of rushing it out the door in a mad grab for even more cash.
Right?
Right?
Re: (Score:1)
I'm not saying every "Internet of Things" idea out of Amazon or Google (or whoever) these days is crap, though. But seriously, this one?
Any service that allows people into a residence needs to have good security. And you can bet your ass that the one thing Amazon covered on this was their liability if something goes wrong. They might not be able to properly staff a testing department for this thing, but you can bet their lawyers earned some bucks removing any chance you could sue Amazon over someone exploit
criminal liability (Score:2)
criminal liability is still an issue that no EULA can't take away.
Re: (Score:2)
Not to mention, I have a security system that requires a code once the door is opened. No way I'll give an alternate access code to Amazon, which could be used at any other time as well. Even if I disable that code when I get home, I'm still vulnerable for the remainder of that day.
Re: (Score:3)
Oh, I'm absolutely positive that Amazon takes no responsibility for the actions of the deliveryperson, who is an independent contractor, employed by a company not associated with Amazon. If they lift something from your house, Amazon will express their regrets, and that's about all you'll ever get from them.
Heck, they've started using Amazon Logistics in my area now, and when the guy can't find my house, the order gets "lost". Then Amazon informs me that I'll need to re-place the order and they'll issue me
Actually the flaw is pretty bad (Score:5, Interesting)
The good: Amazon promises they'll be pushing out a patch this week.
The bad: It's about as bad a failure mode as is possible: "Most disturbingly, Amazon's camera doesn't respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected."
Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.
Re:Actually the flaw is pretty bad (Score:5, Insightful)
I'd say 'the bad' is that you never really know if every flaw is patched
No, you know the answer. The answer is No, they're not patched.
Re: (Score:2)
I'd say 'the bad' is that you never really know if every flaw is patched.
Sure you do.
There will always be unpatched flaws. This is true of everything.
On the other hand the probability that some deliveryman has access to an unknown 0day and is willing to use it to steal from you is quite low. Much lower than the probability that some random burglar is willing to break your window in order to steal from you. A regular stream of vulnerability reports like this is a good thing, because it means researchers are paying attention. It's better if the researcher practices responsible
Re: (Score:2)
You're right, far more concerning that someone on the internet finds a 0day and puts your Amazon camera on some open website.
No, I don't think that would be particularly likely. It would require a much deeper compromise of the device. And if someone had such a deep compromise, why would they bother using it to stream a picture of your front door? Well, maybe yours is much more interesting than mine.
Re: (Score:2)
Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.
If that is actually worse or not might depend on if you keep your smoke detectors serviced, and have fire insurance...
Re: (Score:2)
Smoke detectors don't do any good if there's nobody home to hear them. Unless maybe your smoke detectors automatically call 911 like they do in office buildings, but that seems unlikely.
Re: (Score:2)
You missed the point; if you're not home, you're also not dying in the fire. That was why I talked about smoke detectors at all; if you're home and die in the fire, then you don't care about insurance! If you didn't die in the fire, then it is an insurance matter.
If somebody robs you, and has a frozen-frame video to "prove" they were never there, then you could lose [whatever you have of value in your house] and you might not even have an insurance claim! You could even be threatened with making a false pol
Unencrypted Video foolishness (Score:2)
Re: (Score:1)
It should be assumed that any voice activated "Internet of Things" device is recording your commands/queries/whatever for transmission back to the company that sells the device. These days, there's no way any company is going to pass up the opportunity to accumulate big data on their customers.
Re: (Score:2)
if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.
Is that before or after the thief who disabled it is able to get out?
Another problem with the Internet of Things (Score:2)
Hacking my door takes an axe.
Re: (Score:3)
Shoulders are overrated. A boot is usually the best way, next to a door ram.
Here in the US, front door physical security is piss-poor across the board, be it easily bumpable five-pin tumbler locks, doors that will fall to a stout kick because it only locks one point, doors with large windows, and so on. At best, if you want better, you buy a security screen door.
The average European door has at least 3-4 point locking, cylinders that resist snapping, punching, and drilling, deadlocking, and a solid door j
Re: (Score:2)
If the door proves too hard, the determined burglar smashes through the wall. If I'm going to be burgled, I'd rather forego the structural damage.
Re: (Score:2)
You know, they make steel doors.
Is the camera WiFi only? (Score:2)
How about providing a *wired* (capable) camera. Many people might not use that, but I would be willing to run some CAT5 for extra security or, rather, confidence.
Re: (Score:2)
CAT5 ? To connect to your brand new 486DX 66Mhz PC ?
Maybe you can just run two parallel iron wires and send long and short electrical signals over them.
Re: (Score:2)
CAT5 ? To connect to your brand new 486DX 66Mhz PC ?
I have CAT5e [ which is what I meant by CAT5 - geesh (can one even easily buy just CAT5 anymore?) ] throughout my house and run my gigabit devices over it just fine Mr. Pedantic McSnobby.
Milk boxes, Ice boxes (Score:2)
Look, stop trying to invent new tech.
Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.
It was opened by a key the delivery people had. And inside by a key the owner had (different door).
It was used for ice deliveries, package deliveries, milk deliveries.
Do that. Add a camera or sensor to that.
Don't make the door to your house be open to delivery
Re: (Score:2)
Look, stop trying to invent new tech.
Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.
...
SERIOUSLY!
This is not actually true. "Seriously."
The outside world really exists; order some dark sunglasses and in a few days after they're delivered, go outside and check! You'll find almost all the houses were built before the 1980s, and they don't have these boxes.
Re: (Score:2)
Came here to post this solution. You beat me to it. I grew up in a house that had a milk box. It was actually used for milk
But what we need is something larger than a milk box. Maybe an outdoor shed that does double-duty as garden storage. Or maybe just use a garage if you have one?
Re: (Score:2)
Maybe in the area where you live, but not around here (Canada).
It's a good idea, though. Instead of this crappy "Amazon Key" crap with a camera, they should be selling the "Personal Amazon Box", something you secure to your house and that the delivery guy has access to. Not the whole fucking hous
Re: (Score:1)
Actually, I've seen them in BC and Alberta, which are both in Canada.
Re: (Score:2)
"Personal Amazon Box", something you secure to your house and that the delivery guy has access to. Not the whole fucking house.
Ah.... another thing for the HOA to complain about. The brighter the colors and the more flamboyant the Amazon branding on the large box, the better.
Re: (Score:1)
Who says you can't do this? Just hack up an Amazon Key to open your special delivery box door instead of the front door. Then put a sign saying: "Amazon deliveries here" or something. It will work itself out and you'll properly receive the deliveries.
Re: (Score:2)
You don't comprehend liability.
If you did, you'd be saying, "Golly, I wonder if their liability insurance rates went up over this!"
One time code? (Score:2)
Note, I'd never use this, but...
As I understood the plan originally, the code that they give the delivery person to open the door is a one-time code. So, if the would-be thief has no way to get in again, how is this a total failure? I'd also bet that both the usage time of the code and whether the door was left locked are both sent back to Amazon. They obviously have communication with the lock if they can set a one-time code.
Re: (Score:1)
Simple.
* Set up your WiFi hacking equipment outside the front door, but don't do anything with it yet.
* Indicate you're ready to do the delivery to Amazon.
* Get your one time code.
* Open the door.
* Deliver the package normally.
* Return to the door.
* Close the door, but do NOT release the knob/latch (i.e. don't let the door relatch). This is possible with almost all doors that open on a latch, and will be visually indistinct from closing the door and letting it latch.
* Activate your hacking gear outside the
Re: (Score:3)
Smart locks are almost always dead-bolts and know whether or not the bolt was thrown. It should not report closed and locked if it isn't.
Also, if you burgle the place on the same day, you're caught. It is extremely unlikely that the police won't be able to find further evidence given that they will know exactly who to look at. In addition, if they ever got away with it once, they won't get away with it again. They'd likely be fired just on the possibility that they committed the crime - firing does not requ
Wireless "security" camera (Score:2)
Even after the flaw is fixed, what's to stop someone from jamming the wifi signal while they take everything you own?
Re: (Score:2)
If you jam the WiFi to disable the camera after you open the door with the one-time key, you're (at a minimum) an EXTREMELY likely suspect
Suppose you're not the delivery person, BUT some criminal who was following the delivery person. You see the delivery person open the door, so you immediately activate your jammer to stop the camera, then you ninja quietly sneak in the door and hide: waiting for the delivery person to drop the boxes off and leave, OR you stick something in the door that will st
Other way around please (Score:2, Insightful)
Why not give everyone a key to the Amazon warehouse. I'm sure if Amazon has good enough security and tracking, its users can be trusted.
Amazon wants me to trust them, why doesn't Amazon trust me?
Why can't Amazon ship me stuff while awaiting payment, why don't they take cheques? promissory notes? trades?
Just unplug it (Score:2)
they did something like this in the movie speed (Score:2)
they did something like this in the movie speed.
Who would sign up for that anyway? (Score:1)
Who, honestly, would think it's a good idea to let delivery drivers INTO YOUR HOUSE? In what Mayberry-like universe is this a good idea? I'm perfectly fine with UPS or whoever leaving the package at the side garage or at the front door. In no shape or form do I want or need a driver depositing the package in my foyer. I get all of the IoT madness but this is extremely over the top and doesn't come remotely close to a good idea.
could be brute forced also (Score:2)
The wifi signal could be swamped out by a strong enough transmitter, also. Wifi security cameras are convenient and easy to set up (I have a couple) but may not be appropriate for the most sensitive locations. My doorway cam is hard wired to a computer in the garage. To foil a physical brute force attack (break into the house and steal the surveillance computer) the computer emails me and puts the clip on dropbox when the motion sensor trips. Even that isn't a perfect solution, but at some point you hav
"Security Researchers" (Score:2)
So they've done their job. Amazon should fix it. The researchers should continue to do their job. Amazon should keep fixing what they find.
Isn't that the whole point? No software is perfect, even through rigorous QA, shit gets through. Sure, it's broken, people can exploit it. So Amazon should fix it.
You need a criminal who's smart enough and desperate enough to try and pull this off. If you're seriously worried about this, add your own camera and DON'T connect it to the internet. Your paranoia has just bee
Bad solution (Score:2)
This whole "let some random guy into your home" thing is just a terrible idea.
If Amazon would let people put a sturdy locker on their property that could (theoretically) only be opened by a driver making deliveries, I'd be much more inclined to go with something like that as a solution. Fasten it securely to something and the worst that could happen is the locker itself is stolen.
But letting some rando into my home to drop shit off is NEVER EVER going to happen, period. NE-VER.
Automatic caged paths (Score:2)