Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com)
Security researchers claim to have discovered a flaw in Amazon's Key Service which, if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
Jeff Bezos Will Always Watch You Poop (Score:1)
Re: (Score:2)
Go ahead and install an older version and disable updates. Then fork it and backport security fixes and feature updates yourself. Complaining isn't going to solve anything.
So what? (Score:1)
If you're dumb enough to let random delivery workers into your house without you being present, you're asking for trouble. Security flaws or not, you're an idiot if you allow this. You're asking for trouble.
Re: (Score:2)
Consider moving.
Re: (Score:2)
4. Put a honeypot Amazon box on the doorstep and wait across the street in a tree with a sniper rifle.
Re: (Score:2)
4A. This only works if the thief is Winnie the Pooh.
Re: (Score:2)
4. Put a honeypot Amazon box on the doorstep and wait across the street in a tree with a sniper rifle.
I actually did this after getting some packages stolen. Filled some old Amazon boxes with garbage and set them on the porch. Well, minus the sniper rifle, and plus some new security cameras. Unfortunately no one tried to steal it (or even checked it out before noticing the cameras).
Re: (Score:2)
"Great neighborhood you have there"
This is highly common in affluent areas, actually. They tend to have stuff worth stealing. In fact, I'm looking at a memo sent out right now stating to be on the lookout for vehicles following postal vehicles or UPS/FedEx trucks (guess DHL's not on the watch-for list, good.)
Re: (Score:2)
Unlikely???
Given all the types out there that would absolutely abuse this, it's not unlikely. It's inevitable.
Re: (Score:2)
People already allow housekeepers and babysitters into their homes. How is this different?
Re: (Score:3)
People already allow housekeepers and babysitters into their homes. How is this different?
You get to interview them first?
Re: (Score:2)
As for babysitters, you are entrusting them with the care of another human(s),
Re: (Score:2)
I'm shocked (Score:1)
Shocked to learn that such a "well thought out idea" like letting random strangers into your house to drop off a package via an automatic door unlocker and camera would have a security flaw.
I mean, damn. What are the odds of this happening? Surely, Amazon would have tested this out before rolling out the system, instead of rushing it out the door in a mad grab for even more cash.
Right?
Right?
Re: (Score:1)
I'm not saying every "Internet of Things" idea out of Amazon or Google (or whoever) these days is crap, though. But seriously, this one?
Any service that allows people into a residence needs to have good security. And you can bet your ass that the one thing Amazon covered on this was their liability if something goes wrong. They might not be able to properly staff a testing department for this thing, but you can bet their lawyers earned some bucks removing any chance you could sue Amazon over someone exploit
criminal liability (Score:2)
Criminal liability is still an issue that no EULA can take away.
Re: (Score:2)
Re: (Score:2)
Oh, I'm absolutely positive that Amazon takes no responsibility for the actions of the deliveryperson, who is an independent contractor, employed by a company not associated with Amazon. If they lift something from your house, Amazon will express their regrets, and that's about all you'll ever get from them.
Heck, they've started using Amazon Logistics in my area now, and when the guy can't find my house, the order gets "lost". Then Amazon informs me that I'll need to re-place the order and they'll issue me
Actually the flaw is pretty bad (Score:5, Interesting)
The good: Amazon promises they'll be pushing out a patch this week.
The bad: It's about as bad a failure mode as is possible: "Most disturbingly, Amazon's camera doesn't respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected."
Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.
Re:Actually the flaw is pretty bad (Score:4, Insightful)
Re: (Score:3)
I'd say 'the bad' is that you never really know if every flaw is patched
No, you know the answer. The answer is No, they're not patched.
Re: (Score:2)
I'd say 'the bad' is that you never really know if every flaw is patched.
Sure you do.
There will always be unpatched flaws. This is true of everything.
On the other hand the probability that some deliveryman has access to an unknown 0day and is willing to use it to steal from you is quite low. Much lower than the probability that some random burglar is willing to break your window in order to steal from you. A regular stream of vulnerability reports like this is a good thing, because it means researchers are paying attention. It's better if the researcher practices responsible
Re: (Score:2)
Okay, maybe there's a worse failure mode possible... if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.
If that is actually worse or not might depend on if you keep your smoke detectors serviced, and have fire insurance...
Unencrypted Video foolishness (Score:2)
Re: (Score:1)
It should be assumed that any voice activated "Internet of Things" device is recording your commands/queries/whatever for transmission back to the company that sells the device. These days, there's no way any company is going to pass up the opportunity to accumulate big data on their customers.
Re: (Score:2)
if the camera, upon losing connectivity, also spontaneously caught fire and burned your house down.
Is that before or after the thief who disabled it is able to get out?
Another problem with the Internet of Things (Score:2)
Hacking my door takes an axe.
Re: (Score:2)
Shoulders are overrated. A boot is usually the best way, next to a door ram.
Here in the US, front door physical security is piss-poor across the board, be it easily bumpable five-pin tumbler locks, doors that will fall to a stout kick because it only locks one point, doors with large windows, and so on. At best, if you want better, you buy a security screen door.
The average European door has at least 3-4 point locking, cylinders that resist snapping, punching, and drilling, deadlocking, and a solid door j
Is the camera WiFi only? (Score:2)
How about providing a *wired* (capable) camera. Many people might not use that, but I would be willing to run some CAT5 for extra security or, rather, confidence.
Milk boxes, Ice boxes (Score:2)
Look, stop trying to invent new tech.
Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.
It was opened by a key the delivery people had. And inside by a key the owner had (different door).
It was used for ice deliveries, package deliveries, milk deliveries.
Do that. Add a camera or sensor to that.
Don't make the door to your house be open to delivery
Re: (Score:2)
Look, stop trying to invent new tech.
Most homes built until the 1980s had a box built into the porch next to the door, or a door built into the house next to the front door, that revealed a 2x2x2 area (sometimes larger) in which you could place things.
...
SERIOUSLY!
This is not actually true. "Seriously."
The outside world really exists; order some dark sunglasses and in a few days after they're delivered, go outside and check! You'll find almost all the houses were built before the 1980s, and they don't have these boxes.
Re: (Score:2)
Came here to post this solution. You beat me to it. I grew up in a house that had a milk box. It was actually used for milk
But what we need is something larger than a milk box. Maybe an outdoor shed that does double-duty as garden storage. Or maybe just use a garage if you have one?
Re: (Score:2)
Maybe in the area where you live, but not around here (Canada).
It's a good idea, though. Instead of this crappy "Amazon Key" crap with a camera, they should be selling the "Personal Amazon Box", something you secure to your house and that the delivery guy has access to. Not the whole fucking hous
Re: (Score:1)
Actually, I've seen them in BC and Alberta, which are both in Canada.
Re: (Score:2)
You don't comprehend liability.
If you did, you'd be saying, "Golly, I wonder if their liability insurance rates went up over this!"
One time code? (Score:2)
Note, I'd never use this, but...
As I understood the plan originally, the code that they give the delivery person to open the door is a one-time code. So, if the would-be thief has no way to get in again, how is this a total failure? I'd also bet that both the usage time of the code and whether the door was left locked are both sent back to Amazon. They obviously have communication with the lock if they can set a one-time code.
Wireless "security" camera (Score:2)
Even after the flaw is fixed, what's to stop someone from jamming the wifi signal while they take everything you own?
Other way around please (Score:1)
Why not give everyone a key to the Amazon warehouse? I'm sure if Amazon has good enough security and tracking, its users can be trusted.
Amazon wants me to trust them, why doesn't Amazon trust me?
Why can't Amazon ship me stuff while awaiting payment, why don't they take cheques? promissory notes? trades?
Just unplug it (Score:1)
They did something like this in the movie Speed (Score:2)
They did something like this in the movie Speed.