Amazon Key, a new service from Amazon, enables their delivery person to unlock your door and deliver your packages inside your house. But hackers have figured out a loophole in the system that could allow the delivery person full access to your home without you knowing.
Amazon knows about the flaw and says they've issued a software update. But cybersecurity experts say the vulnerability is still there.
When you get Amazon Key, Amazon gives you a special lock and a camera. When the delivery person comes into your home, you can watch it live on your phone to make sure everything is OK, or you can watch a recording of the delivery later. But not long after Amazon Key was launched, a cybersecurity company hacked the system, exposing a flaw in it.
With the permission of a homeowner named Rachelle, who watched remotely from a cafe using her Amazon Key app, Ben Caudill, founder of Rhino Security Labs, played the delivery person in a demonstration of the flaw.
Exploiting the vulnerability, Caudill was able to disable the homeowner's Wi-Fi and freeze the camera feed, making it look to Rachelle as if nothing was going on at her front door. "Right now, she's totally blind to the whole thing," Caudill said.
When Amazon was made aware of the vulnerability weeks ago, it issued a software update, saying customers would be notified more quickly if their camera goes offline. Rachelle, the homeowner in the demonstration, received a notification in less than a minute that her camera was unavailable — but no clear indication that it had been hacked, or that someone was in her home.
While the software update may help, experts say it doesn't fix the problem itself: The camera can still be hacked.
Amazon told NBC News that "safety and security are built into every aspect of the service" and this poses little risk to customers, and that the issue is with most Wi-Fi systems themselves, not with Amazon's software. The company said it receives an alert if the door is unlocked for more than several minutes, and also said that each driver must pass a "comprehensive background check … before they can make in-home deliveries."
"Amazon needs to fix this," expert Caudill told TODAY national investigative correspondent Jeff Rossen. "This is a pretty major security design flaw in the whole system and puts users at risk."
Amazon Key won't work if your home security system is activated, so the company tells its customers to shut off their alarms during the four-hour delivery window on the day they're expecting a package. But Caudill told Rossen that could be dangerous, leaving your home completely vulnerable.
After our story aired, Amazon told us that during a delivery scenario, it “will get alerts within seconds of a camera interruption, immediately know who the driver is and when and where the incident happened.” At that point, Amazon will notify the customer and initiate an investigation. They say the customer also gets a notification on the app within seconds “if more than two seconds of live view has been interrupted during a delivery.” These safeguards only function during a delivery when using the Amazon driver’s app, not when using the customer app as in the demonstration.