Amazon Key is Demonstrably Not Secure

Good news, hackers/murderers!

Remember Amazon Key? That thing that lets strangers into your house while you’re gone? Well, part of it, the Amazon Cloud Cam, is obvious hacker bait. Rhino Security Labs posted the video above, and had this to say:

That so-called deauth technique isn’t exactly a software bug in Cloud Cam. It’s an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network. In this case, Rhino’s script sends the command again and again, to keep the camera offline as long as the script is running. Most disturbingly, Amazon’s camera doesn’t respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected.

That means the deauth command sent by the delivery-person-turned-hacker standing just outside your door can freeze the camera on the image of a closed door, while he then waltzes in a second time and closes the door behind them. Once inside, the intruder can simply move beyond the view of the Cloud Cam, stop sending the deauth command to allow the camera to reconnect, and hit the lock button on their app. Neither the lock’s logs nor the video record would appear amiss to the Amazon Key user, even as a stranger runs amok inside their house.

Remind me why people think the Internet of Things is useful, again? Needless to say, you probably shouldn’t use Amazon Key.
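Two defensive checks that the behaviour described above calls for, added here as an example and not code from Rhino Security Labs or Amazon: flagging a sustained run of deauthentication frames aimed at one device, and labelling a feed offline once its last frame is stale instead of replaying it. The frame records, MAC addresses, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C  # 802.11 management frame subtype 12 (deauthentication)
BEACON_SUBTYPE = 0x08  # 802.11 management frame subtype 8 (beacon)

def deauth_floods(frames, window=10.0, threshold=5):
    """Return {target_mac: time_of_first_alert} for every station that is sent
    at least `threshold` deauth frames within a `window`-second span.
    `frames` is an iterable of (timestamp, subtype, destination_mac) records,
    as a monitoring sensor might log them (assumed record shape)."""
    recent = defaultdict(deque)   # destination MAC -> timestamps still in window
    alerts = {}
    for ts, subtype, dst in sorted(frames):
        if subtype != DEAUTH_SUBTYPE:
            continue
        seen = recent[dst]
        seen.append(ts)
        while ts - seen[0] > window:      # drop timestamps older than the window
            seen.popleft()
        if len(seen) >= threshold and dst not in alerts:
            alerts[dst] = ts
    return alerts

def feed_state(last_frame_ts, now, max_age=3.0):
    """What a viewer should display: a frame older than `max_age` seconds
    means the camera is offline, not that the scene is unchanged."""
    return "LIVE" if now - last_frame_ts <= max_age else "OFFLINE"

# Constructed sample capture (not real traffic). Locally administered MACs.
CAMERA = "02:00:00:00:00:01"
OTHER = "02:00:00:00:00:02"
SAMPLE_FRAMES = (
    [(1.0, DEAUTH_SUBTYPE, OTHER)]                         # one-off, normal roaming
    + [(5.0, BEACON_SUBTYPE, "ff:ff:ff:ff:ff:ff")]         # unrelated beacon
    + [(20.0 + i, DEAUTH_SUBTYPE, CAMERA) for i in range(20)]  # repeated deauths
)

if __name__ == "__main__":
    for mac, when in deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood against {mac}, alert raised at t={when}s")
    # Last frame arrived just before the flood began; ten seconds later the
    # feed must read OFFLINE rather than show the frozen image.
    print("feed at t=30s:", feed_state(last_frame_ts=19.5, now=30.0))
```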

Source: Boing Boing
