Amazon's new service that enables couriers to unlock a customer's front door and drop off a package inside has serious security flaws.

A week after Amazon announced Amazon Key would be made available to Prime members in 37 U.S. cities, researchers found that the company's internet-connected security camera and smart lock can be hacked to let burglars into your home.

Amazon Key's system costs $250 and includes the Amazon Cloud Cam, a camera that's trained on a customer's door, as well as a smart lock that pairs with an app to grant access to delivery people. Customers can watch live as the delivery person steps inside their home, drops off the package, and closes the door.

According to Wired, security researchers demonstrated that a tech-savvy burglar could use software to freeze the Cloud Cam and make it look like the door is still closed while he enters the home. A team led by Ben Caudill, the founder of Seattle-based security firm Rhino Security Labs, discovered the vulnerability and posted a video on YouTube demonstrating the hack.

Amazon told Wired that it will issue a software update to eliminate the vulnerability, but Caudill says customers may still be afraid to use the service.

"Disabling that camera on command is a pretty powerful capability when you're talking about environments where you're relying heavily on that being a critical safety mechanism," he says.

The researchers also found that hackers can knock the Cloud Cam offline by sending it commands from a laptop or handheld device. Once the camera is offline, it disconnects the smart lock on the door. Caudill says that when the camera is knocked offline, it continues to show the last image that was streamed, so it appears as if the door is closed.

Caudill tells Wired that Amazon Key users should set up their own camera trained on the door with a clock in the frame. Otherwise, he says, "Don't use Amazon Key." 

Published on: Nov 16, 2017