Amazon security camera already compromised, can let rogue couriers into your home undetected

Alistair Charlton 16 November 2017



Just three weeks after it was announced, an Amazon security camera and door lock designed to let courier drivers drop packages in your house when you are away has been hacked and compromised.

Security researchers have discovered how a simple Wi-Fi trick can temporarily disable the camera, which is intended to record a customer's front door when the courier makes a delivery. Not only that, but when the Cloud Cam is disabled, it does not alert the owner via its mobile application - instead, that app shows the last frame of video the camera saw before being compromised. This is likely to be a still image of a closed door, and thus would not arouse suspicion.

Meanwhile, as the user thinks all is well, the courier can re-enter the house undetected, steal items, and make their escape through a different door or window.

Discovered by Seattle-based security firm Rhino Security Labs, the flaw focuses on what is known as a 'deauthorization', or deauth for short. This is not a software bug with the camera itself, but with Wi-Fi devices generally. The deauth is administered by running a program on a nearby laptop, which spoofs a command from a Wi-Fi router; this temporarily kicks the camera off the customer's Wi-Fi network, causing the video feed to freeze, as shown in the video below.

Rhino Security Labs, which discovered the flaw, suggests a rogue Amazon delivery driver could unlock the door as normal, using their Amazon-issued handheld device which connects to the camera and door lock when they are outside and wish to make a delivery. They then open the door in view of the camera, which is now recording, then drop the package and leave.

At this point they run the program, which Rhino says could operate on a laptop or a homemade device based on a pocket-sized Raspberry Pi computer. This freezes the camera, allowing them to re-enter. They then step out of shot of the camera and let it reconnect to the Wi-Fi, before locking the door using their Amazon-issued handset. As far as the customer is concerned - and as far as the log on their Amazon app shows - the package was delivered, video of this is accessible, the door was unlocked, then locked again, and everything is as normal.

However, the delivery driver is still in the house, and can now help themselves to whatever they like, before leaving via a different door.

"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," Ben Caudill, founder of Rhino, told Wired. "Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism...As a partially trusted Amazon delivery person, you can compromise the security of anyone's house you have temporary access to without any logs or entries that would be unusual or suspicious."

Amazon is aware of the flaw and said in a statement: "We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery."