Amazon Key, a new service unveiled in October that allows couriers for the e-commerce giant to unlock doors to drop off packages, could be manipulated by would-be burglars or those same delivery people, through a flaw exposed by security researchers, according to a report.
Rhino Security Labs, a Seattle-based penetration testing company, discovered that the Cloud Cam required for use of the service can be disabled and frozen through a program that can be installed with relative ease on a handheld device, according to a report on Thursday by Wired.
The glitch, security experts warn, could allow rogue Amazon couriers to enter homes legitimately to drop off deliveries before leaving the property and freezing the camera on an image of the closed door—then subsequently returning, this time undetected by the disabled camera. Using the Key app, Amazon Prime subscribers would see the courier enter and leave, but would not be notified of his or her illicit return, Rhino Security Labs experts told Wired.
Beside couriers, the flaw could be exploited by enterprising burglars, who could theoretically run the so-called ‘deauth command,’ or ‘deauthentication command,’ immediately following a delivery of Amazon products. Of course, that would require a thief to closely follow the courier.
A request for comment on the flaw from Amazon wasn’t immediately returned, but a spokesperson told Wired on Thursday that the company was working on an update to the application.
“Later this week we will deploy an update to more quickly provide notifications if the camera goes offline during delivery,” a spokesperson told Wired.
Unveiled in October, the Amazon Key application and service are technically free to use, but, in addition to subscription fees for Amazon Prime, an Amazon Key In-Home Kit containing the smart lock and Cloud Cam costs $250. Key also works with locks from Kwikset and Yale.
Currently available in 37 metropolitan markets, Amazon Key can also be used to allow entry for cleaners, dog walkers, repair technicians and visiting relatives, the company announced.
In addition to Amazon, several other companies are already targeting the real estate industry with smart lock app integrations and digital lockboxes, including Master Lock, Toor, August Home and Prempoint, each with varying remote unlocking and security features.
Email Jotham Sederstrom