Security researchers from Rhino Security Labs have shown that it is trivial to disable the Amazon Cloud Cam that is a crucial component of the Amazon Key product – a connected home door-lock that allows delivery personnel to open your locked front door and leave your purchases inside – and have demonstrated attacks that would allow thieves to exploit this weakness to rob your home.
The vulnerability involves a simple, devastating attack on the camera, in which overwhelming its wifi connection with trivial-to-generate junk traffic causes it to lock up, so that all you see is the last image it transmitted before the attack – thus a well-timed attack would show your door to be closed and locked when it was open.
The camera itself serves as the internet gateway for Amazon Lock, with which it communicates via the notoriously insecure Zigbee protocol. Knocking the camera offline also disconnects your door-lock.
This could allow unscrupulous delivery people to let themselves into your home without your knowledge, though the audit trail left behind by the system would make it easy to tell who was the last person the system authorized to enter your home.
More dangerously, a thief who trailed a delivery person could take advantage of the situation by timing their attack to coincide with the unlock, while simultaneously disabling the camera – though they would have to trick the delivery person into leaving the door unlocked behind them.
Amazon is promising to patch its systems, but the Rhino recommendation is “Don’t use Amazon Key.”