Amazon Key Flaw Could Let Intruders Avoid Detection

The Amazon Key service lets users unlock their doors remotely for delivery people.

Researchers from Rhino Security Labs found a way to disable the Amazon Cloud Cam, a crucial safeguard for the Amazon Key service that allows Prime members to remotely unlock their front doors for couriers and other chosen visitors. The hack could theoretically allow people to enter Amazon-Key-protected domiciles without users realizing it.

The camera is supposed to be placed in the foyer, allowing customers to monitor who they’re letting in. According to Wired, the researchers crafted a simple program to deactivate the Cloud Cam that any computer within Wi-Fi range can run. What makes the ruse so effective is that Key users wouldn’t notice that anything is amiss—the hack causes the live feed to freeze on the last frame before the camera was disabled. All they would see from the monitoring screen is a closed door, even though a person could be walking in. Once the intruder has successfully entered the house and evaded detection, the program can then re-enable the camera’s feed.

The researchers created a video of the potential trespass.

Amazon provided Wired with a statement: “We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”

The company pointed out that, while the camera may be disabled, staffers aren’t allowed to unlock doors without authorization to deliver a package. Amazon also claimed that it would be able to identify the couriers, who all pass through background checks, if they tried to pull off such a heist.
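
To make the difference between the two notification policies in Amazon's statement concrete, here is an added example (not Amazon's or Rhino Security Labs' code) that runs both over a constructed camera heartbeat timeline. The heartbeat model, the 10-second interval and the 10-minute "extended period" threshold are assumptions for illustration; the article does not describe how the service actually detects an offline camera.

```python
from datetime import datetime, timedelta

def silent_gaps(heartbeats, max_silence, now):
    """Return (last_seen, next_seen) intervals where the camera was silent
    longer than max_silence. `now` closes a gap that is still open."""
    points = sorted(heartbeats) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_silence]

def extended_outage_alerts(heartbeats, now, threshold=timedelta(minutes=10)):
    """Policy 1: alert only when the camera is offline for an extended period
    (threshold is an assumed value)."""
    return silent_gaps(heartbeats, threshold, now)

def delivery_window_alerts(heartbeats, now, unlock, relock,
                           interval=timedelta(seconds=10)):
    """Policy 2: alert on any missed heartbeats that overlap the time the
    door is unlocked for a delivery (interval is an assumed value)."""
    gaps = silent_gaps(heartbeats, 2 * interval, now)
    return [(a, b) for a, b in gaps if a < relock and b > unlock]

def constructed_timeline():
    """Constructed sample data: heartbeats every 10 s, silent for 90 s
    while the door is unlocked, then heartbeats resume."""
    t0 = datetime(2024, 1, 1, 14, 0, 0)
    beats = [t0 + timedelta(seconds=10 * i) for i in range(31)]        # 14:00:00 to 14:05:00
    beats += [t0 + timedelta(seconds=390 + 10 * i) for i in range(10)]  # 14:06:30 to 14:08:00
    unlock = t0 + timedelta(seconds=310)   # door unlocked 14:05:10
    relock = t0 + timedelta(seconds=370)   # door relocked 14:06:10
    now = t0 + timedelta(seconds=480)      # evaluation time 14:08:00
    return beats, unlock, relock, now

if __name__ == "__main__":
    beats, unlock, relock, now = constructed_timeline()
    print("extended-period policy:", extended_outage_alerts(beats, now))
    for start, end in delivery_window_alerts(beats, now, unlock, relock):
        print("delivery-window policy: camera silent", start.time(), "to", end.time())
```

Because the frozen last frame looks normal on the customer's screen, the check has to rely on a liveness signal such as these heartbeats rather than on what the viewer sees.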