Analysis Amazon has pushed out an emergency security update to its door-unlocking system called Key – which is used by couriers to let themselves into people's homes to drop off packages inside when folks are out.
Delivery workers show up at a home, and use a smartphone to temporarily disable the lock on the front door so they can pop in. As part of the system, a Wi-Fi-connected webcam watches the door from the inside to record any theft or other mischief.
One little flaw: if you knock the camera off the wireless network with a flood of deauthorization packets – and an attacker doesn't need to know your Wi-Fi password to do this – it effectively freezes the equipment and prevents the door from being locked. The camera stops streaming its video feed across the internet to Amazon's cloud, so anyone monitoring the scene from Amazon's app will just see a still image: the last shot received. That means they won't see a rogue courier jamming the Wi-Fi and slipping back in to get up to no good.
Amazon's patch, being pushed automatically to devices, will allow the system to instantly alert customers of what could be suspicious activity if the camera is knocked offline, but a bigger question over the technology's security remains unresolved – and may require a hardware fix.
How's that for some disruption?
Bods at Rhino Security Labs revealed this week that they were able to disrupt Amazon's CloudCam, the camera component of the Key system, causing it to show only the last image captured, and block the lock signal to the smart door lock, and so potentially allow a delivery driver to sneak back into someone's house undetected.
The actual method of disruption, flooding the network with deauthorization packets, is not exclusive to Amazon's hardware. It affects pretty much every webcam, device or computer using Wi-Fi to communicate. It's the same method used by hotels to jam guests' personal hotspots, forcing them to use the location's expensive Wi-Fi.
However, because Amazon has linked the camera to its smart door lock as part of an overall package to give customers peace of mind about a stranger entering their home, the Wi-Fi vulnerability is a black mark against the technology.
Here's how it works. The courier's app connects to Amazon's servers and asks for permission to enter a home. Amazon verifies a drop-off is scheduled, and the location of the delivery worker is correct, and then connects to the wireless-connected camera inside to authorize access. The camera starts recording and communicates with the smart door lock via the IoT protocol Zigbee to instruct the lock to unlock. The door is locked again when the driver indicates via their app that the drop-off was carried out and that they have left.
So, the courier enters, drops off the package, and leaves, closing the door. Immediately upon doing this, the miscreant starts jamming the home's Wi-Fi network from, say, a Raspberry Pi in their pocket. The camera gets kicked off the network, and freezes: it stops sending video, the last shot received by Amazon will be a still of the closed door, and crucially, the camera does not signal to the smart door lock to lock.
Thus, the door remains unlocked, allowing the dodgy deliverer to slip back in, grab some stuff, and exit. The jamming is then discontinued, the camera reconnects to the internet and Amazon, gets a command from the courier's app to lock the door, and does so, via a Zigbee signal to the smart lock.
The key thing here is that after the thief leaves for the first time and before locking the door behind them via their delivery app, they jam the Wi-Fi. That means the camera stops streaming and doesn't get the message to lock the door. When the jamming ends, after the miscreant has snatched stuff or planted evidence and taken off, the camera reconnects and locks the door.
The video below shows the attack in action:
Amazon has been quick to point out that a real-world application of this approach is fairly unlikely: the biz will know exactly who was at a given house at a given time, and so if anything was stolen or a homeowner noticed something odd after a visit, the driver would come under immediate suspicion.
The web giant has also stressed that all drivers undergo a background check, that carrying out the exploit would require a decent level of technical knowledge, and a time stamp is kept of all openings and closings, so it is not an easy job. It also had a policy of calling any drivers that take longer than one minute to complete delivery to check up on them.
Similarly, due to the short timing, it would almost certainly have to be an Amazon driver that sneaked back in, rather than, say, a thief who waited for an Amazon delivery person to turn up and then disrupted the camera as soon as they left.
In a statement to The Register, an Amazon spokesperson said:
Safety and security are built into every aspect of the service. Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time.
We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery. The service will not unlock the door if the Wi-Fi is disabled and the camera is not online.
However, despite these reassurances, and with many folks already uneasy about the idea of giving a corporation access to their home, any flaw in the system is a cause for concern.
Amazon has responded by pushing out a software update that gives users immediate alerts if their camera goes offline – something that risks annoying them given Wi-Fi cameras have a tendency to periodically fall asleep, but will lend a greater sense of security, especially if it happens around the same time as a delivery.
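The kind of check that update describes, alerting when the camera drops offline during a delivery, can be sketched as a correlation between camera heartbeats and lock state. This is an added example, not Amazon's code: the event names, the five-second threshold and the sample timelines are assumptions constructed for illustration.

```python
from typing import List, NamedTuple, Optional

class Event(NamedTuple):
    t: float   # seconds since the delivery was authorized
    kind: str  # "heartbeat" (camera seen by the cloud), "unlock" or "lock"

class Alert(NamedTuple):
    start: float  # last moment the camera was known to be online
    end: float    # when it was next heard from, or the time of the check
    reason: str

def camera_gaps_while_unlocked(events: List[Event], max_gap: float = 5.0,
                               now: Optional[float] = None) -> List[Alert]:
    """Flag every camera silence longer than max_gap seconds that overlaps
    a period in which the door was unlocked."""
    alerts: List[Alert] = []
    unlocked_since: Optional[float] = None
    last_seen: Optional[float] = None

    def check(until: float, reason: str) -> None:
        if unlocked_since is None:
            return
        # Only count the part of the silence during which the door was unlocked.
        start = unlocked_since if last_seen is None else max(last_seen, unlocked_since)
        if until - start > max_gap:
            alerts.append(Alert(start, until, reason))

    for ev in sorted(events):
        if ev.kind == "unlock":
            unlocked_since = ev.t
            continue
        # A heartbeat or a relayed lock command both prove the camera is online.
        check(ev.t, "camera was offline while door unlocked")
        last_seen = ev.t
        if ev.kind == "lock":
            unlocked_since = None
    if now is not None:  # live check: the camera may still be silent right now
        check(now, "camera offline now and door still unlocked")
    return alerts

# Constructed timelines (not real Amazon Key data): heartbeat every 2 seconds.
NORMAL = [Event(t, "heartbeat") for t in range(0, 41, 2)] + [
    Event(4, "unlock"), Event(30, "lock")]
# Camera falls silent at t=20 and returns at t=80; the lock lands only at t=81.
JAMMED = [Event(t, "heartbeat") for t in range(0, 21, 2)] + [
    Event(4, "unlock"), Event(80, "heartbeat"), Event(81, "lock"), Event(82, "heartbeat")]

if __name__ == "__main__":
    for name, timeline in (("normal", NORMAL), ("jammed", JAMMED)):
        print(name, camera_gaps_while_unlocked(timeline))
```

Passing `now` lets the same function run as a live check partway through a delivery, which is the case the faster notification is meant to cover.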
But, as Amazon is willing to accept, it is not a fix. In fact, there is no real fix to the issue given that it is the underlying Wi-Fi protocol itself that is being exploited.
One potential fix would be for the CloudCam to include extra storage, and cache video locally for some period of time after it is knocked offline. That would then capture footage of any attempted reentry.
But that approach is not only imperfect – a potential thief could keep the camera offline until the cache was full – but would almost certainly require a hardware update, ie: a product recall to install extra digital capacity and video management firmware.
"The proposed fix is better than nothing, but it doesn't address the underlying problem," Benjamin Caudill, CEO of Rhino Security Labs, told The Register today.
"What I would suggest to Amazon is to incorporate local storage to cache video, and log lock activity, until the [Wi-Fi] signal is restored. It's not a perfect fix – a bad guy can just continue DoS'ing until the storage fills up or cycles through – but it would increase the complexity to exploitation significantly.
"In either case, the identified issues will not be resolved without a product recall for a hardware modification: a local storage module."
Maybe people won't really care?
It all depends on how much the news of a potential exploit impacts Amazon customers' use of the feature and especially sales of the new system. If sales drop off, we would expect to see a version 2.0 of the CloudCam Key Edition with local caching very soon.
But it could also be that the issue does not impact consumers as much as people imagine. After all, Amazon's Echo digital assistant is effectively a permanent bug in your home, and yet has been an enormous success for the company. Not only that but Amazon has built on and expanded that success by adding products that capture not only sound but also video – the Amazon Show.
Anyone vehemently opposed to granting a corporation access to their house was never going to be a potential customer for Amazon Key in the first place. The question for all those that would consider installing such a system is: does this exploit tip them over into not getting the system?
Or is it a minor concern compared to having their goods safely delivered inside their home rather than left outside? Amazon – and many others – will be watching closely. ®