Amazon’s new delivery service can allow people to enter your home without you knowing, security researchers have found.
Amazon Key lets delivery staff from the company unlock your front door and enter your home to drop off packages when you’re not around.
It relies on an indoor security camera and a smart lock. Unfortunately, these can be disabled, which means people can enter your home – and stick around – undetected.
Researchers at Rhino Security Labs have found a way to freeze the camera feed, so it shows footage of your closed front door even if someone has opened it to come inside.
“The camera is very much something Amazon is relying on in pitching the security of this as a safe solution,” Ben Caudill, the founder of Rhino Security Labs, told Wired.
“Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism.”
When an Amazon delivery person has been matched with the right package and the right address, the lock will let them in and the camera will record footage of the delivery.
As a safety precaution, the delivery person will not be able to make another trip until they’ve left the house and the door locks again.
However, the Rhino Security Labs researchers discovered that a delivery person who had gained access to an Amazon Key-protected house could prevent the door from locking them out by running a program on a nearby computer designed to knock the camera offline by flooding it with “deauthorization” commands.
They can then re-enter the house undetected. Once they’re inside and have closed the door behind them, they can move out of sight of the camera and unfreeze it.
The door will then lock properly and the feed will update to show real-time footage of your closed front door, as if nothing had happened.
Though Amazon says it will notify you if your camera goes offline "for an extended period" of time, it wouldn't take very long at all for a criminal to successfully execute the manoeuvre.
“Every delivery driver passes a comprehensive background check that is verified by Amazon before they can make in-home deliveries, every delivery is connected to a specific driver, and before we unlock the door for a delivery, Amazon verifies that the correct driver is at the right address, at the intended time,” Amazon told Wired.
“We currently notify customers if the camera is offline for an extended period. Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
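The change Amazon describes, alerting on a camera outage during a delivery rather than only after an extended period, can be sketched as a check over lock and camera events. This is an added example, not Amazon's or Rhino Security Labs' code; the event format, the camera heartbeat signal and both thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds (illustrative values, not Amazon's).
MAX_HEARTBEAT_GAP = 5.0   # seconds of camera silence tolerated while the door is unlocked
MAX_SESSION = 120.0       # seconds a door may stay unlocked for a single delivery

@dataclass
class Alert:
    delivery_id: str
    reason: str
    start: float
    end: float

def audit_deliveries(events, now):
    """events: time-ordered (timestamp, kind, delivery_id) tuples; kind is
    'unlock', 'lock' or 'heartbeat' (heartbeats carry delivery_id None).
    now: current time, used to judge a delivery that is still open."""
    alerts = []
    open_id = opened_at = last_seen = None

    def check_gap(until):
        # Camera silence while the door is unlocked is the condition to catch.
        if until - last_seen > MAX_HEARTBEAT_GAP:
            alerts.append(Alert(open_id, "camera_silent", last_seen, until))

    def check_session(until):
        if until - opened_at > MAX_SESSION:
            alerts.append(Alert(open_id, "door_open_too_long", opened_at, until))

    for ts, kind, delivery_id in events:
        if kind == "unlock":
            open_id, opened_at, last_seen = delivery_id, ts, ts
        elif open_id is None:
            continue  # outages outside a delivery fall under the slower, general alert
        elif kind == "heartbeat":
            check_gap(ts)
            last_seen = ts
        elif kind == "lock" and delivery_id == open_id:
            check_gap(ts)
            check_session(ts)
            open_id = None
    if open_id is not None:  # door still unlocked at evaluation time
        check_gap(now)
        check_session(now)
    return alerts

# Constructed sample log: D1 has a 31-second camera outage mid-delivery, D2 is clean.
SAMPLE = [
    (10.0, "unlock", "D1"), (12.0, "heartbeat", None), (14.0, "heartbeat", None),
    (45.0, "heartbeat", None), (47.0, "lock", "D1"),
    (100.0, "unlock", "D2"), (102.0, "heartbeat", None), (104.0, "lock", "D2"),
]
```

Run periodically with the current time as `now`, the check also fires while the camera is still silent, instead of waiting for the feed to come back.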