Amazon Key is Demonstrably Not Secure

Good news, hackers/murderers!

Remember Amazon Key? That thing that lets strangers into your house while you’re gone? Well, part of it, the Amazon Cloud Cam, is obvious hacker bait. Rhino Security Labs posted the video above, and had this to say:

That so-called deauth technique isn’t exactly a software bug in Cloud Cam. It’s an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network. In this case, Rhino’s script sends the command again and again, to keep the camera offline as long as the script is running. Most disturbingly, Amazon’s camera doesn’t respond to that attack by going dark, or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected.

That means the deauth command sent by the delivery-person-turned-hacker standing just outside your door can freeze the camera on the image of a closed door, while he then waltzes in a second time and closes the door behind them. Once inside, the intruder can simply move beyond the view of the Cloud Cam, stop sending the deauth command to allow the camera to reconnect, and hit the lock button on their app. Neither the lock’s logs nor the video record would appear amiss to the Amazon Key user, even as a stranger runs amok inside their house.

Remind me why people think the Internet of Things is useful, again? Needless to say, you probably shouldn’t use Amazon Key.

READ:  Motorola announces Smartphone Event
Source: Boing Boing

About Author

B. Simmons

Based out of Glendale California, Bryan is a GAMbIT's resident gaming contributor. Specializing in PC and portable gaming, you can find Bryan on his 3DS playing Monster Hunter or at one of the various conventions throughout the state.

Learn More →