Researchers demonstrate Amazon Key system can be hacked

November 18th, 2017 | Waqas | Security, Technology News

Rhino Security Labs’ researchers have discovered a vulnerability in Amazon’s Key delivery service and Cloud Cam security camera. The vulnerability allows an attacker to knock the camera offline, after which it is not possible to monitor whether someone has entered the home.

Amazon Key is designed to let homeowners remotely lock and unlock their front door for visitors, and the service works together with the Cloud Cam security camera. When a delivery driver arrives at the home, the driver sends an unlock request to Amazon, which then authenticates the driver’s identity, the package information, and the home address. If the information is correct, the door unlocks automatically and the package is left inside the home. The driver then sends a request to lock the door, and Amazon locks it.

Throughout the process, the Key app keeps the homeowner connected and updated, and the whole delivery is completed in mere seconds. Amazon’s Prime members can allow carriers to verify their identity so that the carriers can unlock and relock the door and leave a package inside the home by themselves.

The camera and the Key service were developed to safeguard homeowners from rogue Key delivery persons. However, Rhino Labs researchers found that the flaw identified in the camera is shared by all Wi-Fi-based devices: a hacker who can access your Wi-Fi network can send a deauthentication command script to the camera and bring it offline. This is known as the deauth attack.

This causes the camera to stop recording footage, which runs contrary to Amazon’s claim that safety and security are “built into every aspect of the service.” According to Rhino Labs, when Cloud Cam goes offline it sends the owner a snapshot of the last footage taken before it went offline. The whole attack is easily carried out using just a computer or a tiny handheld Raspberry Pi and an antenna add-on.

The deauth attack is not specific to Amazon Key: it affects almost every Wi-Fi connected device and makes it go offline. The catch in this situation is that the hacker can manipulate the Key app so that it does not inform the homeowner of any foul play and keeps showing the last live frame, which might be of a locked door. The driver can then re-lock the door after re-entering so that the homeowner doesn’t suspect anything unusual.
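On the defensive side, a burst of deauthentication frames aimed at one device is easy to spot in a monitor-mode capture. The following is an added example, not code from Rhino Labs or Amazon: it decodes raw 802.11 management headers and flags a sustained burst against a watched device. The MAC addresses, the window and the threshold are assumptions, and the capture is constructed sample data.

```python
import struct
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Decode a raw 802.11 frame (no radiotap header); None unless it is a deauthentication frame."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if (version, ftype, subtype) != (0, 0, 12):  # management frame, subtype 12
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]), "reason": reason}

def detect_deauth_flood(capture, watched, window=5.0, threshold=10):
    """capture: time-ordered (timestamp, raw_frame) pairs. Returns the timestamps at which
    deauth frames aimed at `watched` first reach `threshold` within `window` seconds."""
    recent, alerts, alerting = deque(), [], False
    for ts, frame in capture:
        info = parse_deauth(frame)
        if info is None or info["dst"] not in (watched, BROADCAST):
            continue
        recent.append(ts)
        while ts - recent[0] > window:  # drop frames that fell out of the window
            recent.popleft()
        if len(recent) < threshold:
            alerting = False
        elif not alerting:  # alert once per burst, not once per frame
            alerts.append(ts)
            alerting = True
    return alerts

def constructed_capture(camera="02:00:00:00:00:01", ap="02:00:00:00:00:aa"):
    """Constructed sample traffic: one isolated deauth, beacons, then a sustained burst."""
    def frame(fc0, dst, reason=7):
        addr = lambda m: bytes.fromhex(m.replace(":", ""))
        return bytes([fc0, 0, 0, 0]) + addr(dst) + addr(ap) + addr(ap) + b"\x00\x00" + struct.pack("<H", reason)
    cap = [(0.0, frame(0xC0, camera, reason=3))]                        # single deauth, below threshold
    cap += [(float(t), frame(0x80, BROADCAST)) for t in range(1, 100)]  # beacons (subtype 8), ignored
    cap += [(100 + i / 10, frame(0xC0, camera)) for i in range(20)]     # burst aimed at the camera
    return cap

if __name__ == "__main__":
    print(detect_deauth_flood(constructed_capture(), "02:00:00:00:00:01"))
```

Where both the access point and the client support 802.11w protected management frames, forged deauthentication frames are rejected, so detection like this matters most for devices that lack that support.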

However, Amazon’s spokesperson believes that the issue lies not in the camera but in the Wi-Fi network, and that these findings are not as threatening to the average user of the Amazon Key service as is being touted. Moreover, its drivers are hired after a comprehensive background check and are, therefore, quite reliable.

Having said that, the company assured that it would release a firmware update for the camera later this week; for the time being, Amazon notifies users if it finds the camera to be offline for long. The company says it will provide notifications quickly if the camera goes offline while a delivery is taking place, and the service won’t unlock the door if Wi-Fi is disabled or the camera isn’t online.

“We currently notify customers if the camera is offline for an extended period… Later this week, we will deploy an update to more quickly provide notifications if the camera goes offline during delivery.”
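The behaviour described above (refuse to unlock when the camera is not online, and notify quickly if it goes quiet during a delivery) amounts to a freshness check on the video feed. The following is an added example and not Amazon’s implementation; the event names, the 3-second bound and the timeline are assumptions constructed for illustration.

```python
MAX_FRAME_AGE = 3.0  # assumed: seconds without a new frame before the feed counts as stale

def audit_delivery(events, max_age=MAX_FRAME_AGE):
    """events: time-ordered (timestamp, kind) pairs; kind is one of the hypothetical
    names 'frame', 'unlock_request', 'lock'. A 'frame' event means a frame newly
    received by the service, not the image the app happens to be displaying.
    Returns (timestamp, finding) pairs."""
    findings, last_frame, unlocked, reported = [], None, False, False
    for ts, kind in events:
        stale = last_frame is None or ts - last_frame > max_age
        # The feed went quiet while the door was open: report once per gap.
        if unlocked and stale and not reported:
            findings.append((ts, "camera silent while door unlocked"))
            reported = True
        if kind == "frame":
            last_frame, reported = ts, False
        elif kind == "unlock_request":
            if stale:  # fail closed: no fresh video, no unlock
                findings.append((ts, "unlock refused: camera feed stale"))
            else:
                unlocked = True
        elif kind == "lock":
            unlocked = False
    return findings

def constructed_timeline():
    """Constructed sample: a normal unlock, then the feed stops until after the relock."""
    events = [(float(t), "frame") for t in range(0, 11)]
    events += [(10.5, "unlock_request"), (11.0, "frame"), (12.0, "frame")]
    events += [(40.0, "lock"), (45.0, "frame"), (60.0, "unlock_request")]
    return sorted(events)

if __name__ == "__main__":
    for ts, finding in audit_delivery(constructed_timeline()):
        print(f"{ts:6.1f}s  {finding}")
```

Because the check runs over logged events, a gap is reported at the next event after it; a live monitor would apply the same staleness test on a timer so the alert fires while the door is still open.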

It is evident that despite the vulnerability, whether it is in the camera or the network, the technique is rather complex and difficult to pull off. Only the delivery driver or a close acquaintance can unlock the door, and even then they would need sophisticated technical know-how and the capability to send a deauthentication command script to the camera. Otherwise the feat will fall flat, and even if something is stolen, Amazon will instantly locate the criminal unless the theft is undetectable, such as identity theft.

Rhino Labs researchers produced a proof-of-concept video to validate their findings. In the video, the de-authentication attack is recorded, and the researchers repeat the attack to prove their point further. Their findings were published in Wired.
