Amazon may have pitched the Cloud Cam as a key security feature of Amazon Key, but researchers have demonstrated a huge flaw that could leave customers thinking twice about giving couriers virtual keys. Launched in October, Amazon Key offers Amazon’s most loyal users in its Prime membership scheme a way to accept packages even if they’re not home, by giving delivery people one-time access to the home with a connected lock. Figuring many would be wary of that, the Amazon Cloud Cam was pitched as a way to ensure everything was above board.
Unfortunately, it seems that reassurance wasn’t entirely well-placed. Rhino Security Labs, a Seattle-based security research firm, discovered a flaw in the Cloud Cam that allows a computer within WiFi range to freeze the camera’s view, Wired reports.
That, like the old movie trope of putting a photo of a corridor in front of a security camera so that it looks like nothing is happening, would potentially allow the hackers to make it look like everything was fine within the Cloud Cam’s field of view. Both live viewing of the camera’s stream, and its recordings, would be impacted. At the same time, a courier with access to the home could use the unexpected absence of monitoring to steal items or otherwise act nefariously.
Amazon says that it plans to release an update this week, which will automatically upgrade the Cloud Cam so as to prevent this type of hack from taking place in future. Nonetheless, this is exactly the sort of story around Amazon Key that the online retail behemoth would have wanted to avoid. Indeed, one of the key messages of the Cloud Cam was that it would give a vital sense of reassurance for users of the Amazon Key service.
To be fair, the likelihood of such a security lapse being used to burgle a house is probably quite low. The exploit affects the Cloud Cam but doesn’t give access to the connected lock: as a result, even if the video feed was spoofed, a courier with bad intent would already need to be delivering a package there, because of the way the access protocol operates. Couriers are issued with a one-time code that allows them to unlock the door once, and Amazon takes into account factors like the delivery person’s physical location and the time at which they’re present to decide whether to open the door.
However, should that courier be so minded, the exploit would allow them to effectively enter the house twice. As the Rhino team explains it, the first time would be legitimate: unlocking the door with Amazon Key, bringing in a package, and then leaving again – closing the door, but not hitting the lock option in their Amazon app. Once the WiFi device with the Cloud Cam override was activated, the view from the camera inside would be frozen.
That would permit the courier to re-enter – safe in the knowledge that the door was still unlocked and that they weren’t being caught on camera – for whatever reason, then leave again and finally restore the Cloud Cam functionality and lock the door. No logs of either the camera’s hacking nor the activity of the lock would be kept.
Amazon says that it plans to update the Cloud Cam to issue an alert if it’s offline during a delivery more rapidly than it does now. Currently, if there’s a power cut or a drop in WiFi connectivity, the camera notifies its owner with a push notification. During Amazon Key deliveries, that downtime will be flagged more aggressively.
Still, it’s another reason why those installing connected cameras might want to consider models with local storage too. Like Nest Cam IQ and others, the Amazon Cloud Cam doesn’t allow for local recording of video, even as a backup during network downtime; the Cloud Cam actually has 4GB of internal storage, but that’s used for firmware upgrades rather than saving video.