SoylentNews is people

posted by takyon on Saturday November 18 2017, @03:17PM
from the turning-a-blind-eye dept.

WHEN AMAZON LAUNCHED[sic] its Amazon Key service last month, it also offered a remedy for anyone—realistically, most people—who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery.

But now security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum.

Source: https://www.wired.com/story/amazon-key-flaw-let-deliverymen-disable-your-camera/

Previously: Walmart Wants to Deliver Groceries Directly Into Your Fridge
Amazon Wants to Deliver Purchases into Your Home



Related Stories

Walmart Wants to Deliver Groceries Directly Into Your Fridge 109 comments

Walmart wants to test "in-fridge delivery" for Silicon Valley customers with August Home "smart locks":

Here's how the test will work: I place an order on Walmart.com for several items, even groceries. When my order is ready, a Deliv driver will retrieve my items and bring them to my home. If no one answers the doorbell, he or she will have a one-time passcode that I've pre-authorized which will open my home's smart lock. As the homeowner, I'm in control of the experience the entire time – the moment the Deliv driver rings my doorbell, I receive a smartphone notification that the delivery is occurring and, if I choose, I can watch the delivery take place in real-time. The Deliv associate will drop off my packages in my foyer and then carry my groceries to the kitchen, unload them in my fridge and leave. I'm watching the entire process from start to finish from my home security cameras through the August app. As I watch the Deliv associate exit my front door, I even receive confirmation that my door has automatically been locked.

While some may find the idea creepy, others have downplayed the creepiness factor:

Amazon Wants to Deliver Purchases into Your Home 41 comments

Hot on the heels of Walmart's plans to deliver groceries directly into the fridges of homes with smart locks, Amazon has announced a similar arrangement for package deliveries, called Amazon Key:

Amazon on Wednesday announced Amazon Key, a new program for Prime members that lets delivery people drop off packages inside of customer homes.

To make Amazon Key possible, Amazon has introduced its own $120 internet-connected security camera called Amazon Cloud Cam. Customers who want to participate in the program need to purchase an accompanying "smart" lock to allow delivery people to enter their home. Combined camera-lock packages start at $250.

With the program Amazon is adding what it thinks is a more convenient option than traditional outside drop-off, while also coming up with one solution to package theft which is rampant in some markets.

The obvious questions are whether people will trust a delivery person to enter their home unattended. Amazon is trying to assuage these fears by alerting customers when a delivery is about to happen to allow them to watch it live via their phone.

This really isn't a big deal. They were delivering to the doorstep previously, and now they want to move the delivery by a couple of feet. There's almost no difference.

Also at The Verge.

Previously: Amazon Wants to Deliver Purchases to Your Car Trunk



Amazon Acquires Ring, Maker of Internet-Connected Doorbells and Cameras, for Over $1 Billion 15 comments

Amazon has acquired Ring for over $1 billion:

Amazon said Tuesday that it had acquired Ring, a maker of internet-connected doorbells and cameras, pushing more deeply into the home security market. The deal is worth around $1.1 billion, according to a person briefed on the deal who would speak only anonymously because the terms were private.

Ring is best known for a doorbell with a security camera inside. The device allows homeowners to monitor visitors at their front door through an app on their phone, even if they're not at home. Amazon has made home automation a major focus because of the success of its Echo family of products, which allow users to control thermostats, surveillance cameras and other connected devices using voice commands.

[...] James McQuivey, an analyst at Forrester Research, said he believed that Amazon had bought Ring so it could add more intelligent capabilities to its doorbells and cameras, like the ability to use software to recognize faces at the front door. "I think it's about going to the next level and having Alexa say, 'James, your fifth grader just walked in, and I locked the door behind them,'" he said. "It's where these technologies have to go."

Also at The Verge.

Related: Amazon Wants to Deliver Purchases into Your Home
Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Runaway1956 on Saturday November 18 2017, @04:37PM (9 children)

    by Runaway1956 (2926) Subscriber Badge on Saturday November 18 2017, @04:37PM (#598690) Journal

    You don't give anyone access to your stuff unless you - wait for it now - TRUST THEM!!

    Do I give unlimited, unsupervised access to my home to the cops? NO! To my neighbor? NO! To a preacher? NO! To a doctor? Again, NO!! So, people are contemplating giving access to their homes to total strangers, who managed to pass whatever background check Amazon runs? Yeah, right. And, ditto for the ex-cashiers and stockboys that Walmart wants to allow into your home.

    Dude's got access to your freaking home, and your computer. He can reach out and touch the damned thing. He PWNS YOUR ASS!! (especially if you have a stock of videos of yourself nekkid, getting wild with - whatever you happen to get wild with)

    • (Score: 2) by takyon on Saturday November 18 2017, @06:17PM (6 children)

      by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Saturday November 18 2017, @06:17PM (#598710) Journal

      I don't get it. Are you telling me to not let strangers electronically unlock and enter my home while I'm away? What if my package gets stolen??!

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 1, Interesting) by Anonymous Coward on Saturday November 18 2017, @06:57PM (1 child)

        by Anonymous Coward on Saturday November 18 2017, @06:57PM (#598722)

        TBH, I think there are better ways of handling the issue. Most of the time when packages are stolen off the doorstep it's because the thief views them as being valuable and they're small enough to pick up and run away with.

        In most cases it would make more sense to have a personal Amazon locker on your doorstep connected to something solid. Or possibly, some sort of strap with an alarm if somebody other than the authorized user tried to remove it.

        Sure, those aren't perfect, but rather than losing a single box, the Amazon Key system allows you to lose arbitrary things from inside your house if somebody manages to exploit one of these that's already installed.

        • (Score: 0) by Anonymous Coward on Saturday November 18 2017, @10:03PM

          by Anonymous Coward on Saturday November 18 2017, @10:03PM (#598765)

          Put your garbage in an Amazon box and leave it at the door.

      • (Score: 2) by edIII on Saturday November 18 2017, @07:25PM (3 children)

        by edIII (791) on Saturday November 18 2017, @07:25PM (#598732)

        That's why I have ZERO mail delivery at my residences. Long ago when I first became an adult and had a place, the U.S. postal service literally couldn't get more than 3 pieces of mail to me in over 7 months. I was yelling and screaming, but nothing changed. It was either the postman dumping mail into a ditch, or somebody stealing my mail. So I learned early on that the U.S. postal service sucked ass, and you needed to take steps.

        So I had everything delivered to my office after that, and then eventually, a private mail box company. These days I use c/o for all packages and have them delivered to my office. Everyone gets along really great and your package is signed for if necessary, and I can pick it up later. Why do I need Amazon to do anything again?

        Amazon already had a good idea with putting lockers in front of major grocery stores. I'm starting to see them everywhere, so why can't you go pick up your Amazon package while getting something at the store? It's space under good lighting, security cameras, and you have strip mall security guards in the parking lot. Don't think your package is going to be crowbar'd out of a locker anytime soon.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by frojack on Saturday November 18 2017, @10:17PM (1 child)

          by frojack (1554) on Saturday November 18 2017, @10:17PM (#598767) Journal

          and you have strip mall security guards in the parking lot.

          Oh, I feel safer already.

          Lockers are cool if they are close. Around here every Safeway store and 7/11 have them.
          You got three days to pick up locker packages. And not everything is eligible to be shipped that way, but the trucks usually drop stuff earlier in the day than the home delivery. I think the lockers get first priority.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by Virindi on Sunday November 19 2017, @07:51AM

            by Virindi (3484) on Sunday November 19 2017, @07:51AM (#598874)

            and you have strip mall security guards in the parking lot.

            Oh, I feel safer already.

            Why not? The purpose of a mall "security guard" is that if there is an obvious problem they call the real police. Amazon packages don't tend to be worth the effort of a sophisticated attack. Criminals do know about risk vs. reward.

        • (Score: 2) by Reziac on Sunday November 19 2017, @02:20AM

          by Reziac (2489) on Sunday November 19 2017, @02:20AM (#598818) Homepage

          There's a way to have street deliveries go to your post office instead. You'll have to get the correct address for that from your local post office. (I used this to get packages where the vendor would not deliver to a P.O. box, which I had because street deliveries were a problem!)

          --
          And there is no Alkibiades to come back and save us from ourselves.
    • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @01:45AM (1 child)

      by Anonymous Coward on Sunday November 19 2017, @01:45AM (#598809)

      Do I give unlimited, unsupervised access to my home to the cops? NO!

      YES! You do when the cops break into your house, handcuff you, and hold you at gunpoint while they search your property.

      What, the FBI hasn't accused you of being a domestic terrorist yet? Well aren't you lucky.

      How about YOU SHUT THE FUCK UP about things YOU KNOW NOTHING ABOUT you IGNORANT SHIT.

      When you die, burn in hell, Runaway. Die, real soon.

      • (Score: 3, Funny) by Runaway1956 on Sunday November 19 2017, @02:21AM

        by Runaway1956 (2926) Subscriber Badge on Sunday November 19 2017, @02:21AM (#598820) Journal

        Somebody loves you, youngster. I have no idea who, but someone. Well, I hope so, anyway. Then again, maybe not . . . .

  • (Score: 0) by Anonymous Coward on Saturday November 18 2017, @06:05PM

    by Anonymous Coward on Saturday November 18 2017, @06:05PM (#598708)

    What could possibly go wrong? Who wants to start the list?

  • (Score: 3, Informative) by frojack on Saturday November 18 2017, @09:55PM (1 child)

    by frojack (1554) on Saturday November 18 2017, @09:55PM (#598764) Journal

    TFA says:

    that sends a series of "deauthorization" commands to the home's Cloud Cam.

    However that's not the whole story here.

    The delivery guy's device will not unlock your door unless there is a package for you on their truck that is shown as not-yet-delivered, and the delivery guy has to be standing at the door (checked both via GPS and the Door Lock). (It may surprise some that Amazon actually has computers that know this stuff. Who Knew?)

    Amazon noted that it doesn't allow any staffer to unlock a door without being authorized to deliver a package at a certain address and time, even if the camera is disabled.

    So after delivery they have to jam the lock, because Amazon won't let them open the door a second time.

    Then (and only then) they have to disable the camera - (de-auth packet flood the wifi network, which will take down any wifi device in the house). They don't have to associate with your wifi to flood it with deauth commands, but they do have to fake the camera's mac address, OR flood all mac addresses their exploit can detect.

    And it isn't even an Amazon bug, it's a WIFI AP/Router bug. Any cam or phone or printer can be De-authorized this way. Maybe even the door lock if it uses wifi.

    I'm not putting one of these on my door, but it's nowhere near as vulnerable as most people here assume.

    --
    No, you are mistaken. I've always had this sig.
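
An added defensive example (not part of the comment above or of the original article): the deauthentication flood that comment describes is visible in any monitor-mode capture, so a detector can parse raw 802.11 management frames and flag a burst aimed at one device. The MAC addresses, the threshold and window values, and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA  # 802.11 management-frame subtypes

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, dest, src, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:  # 24-byte MAC header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, mac(frame[4:10]), mac(frame[10:16]), reason

def detect_floods(capture, threshold=10, window=1.0):
    """Return destination MACs hit by >= threshold deauth/disassoc frames
    within `window` seconds. Without protected management frames the source
    address is not authenticated, so frames are counted per destination."""
    recent, flagged = defaultdict(deque), set()
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        times = recent[parsed[1]]
        times.append(ts)
        while ts - times[0] > window:  # drop timestamps outside the window
            times.popleft()
        if len(times) >= threshold:
            flagged.add(parsed[1])
    return flagged

def build_frame(subtype, dest, src, reason=7):
    """Build a constructed management frame for the sample capture below."""
    addr = lambda m: bytes.fromhex(m.replace(":", ""))
    header = struct.pack("<BBH", subtype << 4, 0, 0)  # frame control + duration
    return header + addr(dest) + addr(src) + addr(src) + struct.pack("<HH", 0, reason)

# Constructed addresses (locally administered), not taken from any real device.
CAMERA, PHONE, AP = "02:00:00:00:00:c1", "02:00:00:00:00:b2", "02:00:00:00:00:a9"
SAMPLE = [(0.0, build_frame(0x8, "ff:ff:ff:ff:ff:ff", AP)),   # beacon, ignored
          (1.0, build_frame(DEAUTH, PHONE, AP, reason=3))]    # one normal deauth
SAMPLE += [(5.0 + 0.02 * i, build_frame(DEAUTH, CAMERA, AP)) for i in range(30)]

if __name__ == "__main__":
    print("possible deauth flood against:", sorted(detect_floods(SAMPLE)))
```

A burst flagged against the camera's address during a delivery window is the cue to treat that recording as unreliable.
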
    • (Score: 2) by urza9814 on Monday November 20 2017, @07:51PM

      by urza9814 (3954) on Monday November 20 2017, @07:51PM (#599365) Journal

      I don't think you're considering the right threat model.

      Of course the door only opens if they have a package. And the guy isn't likely to steal everything while delivering a package, that's way too obvious. Particularly if they're smart enough to think of doing this kind of attack (even if they just buy a device from someone else to do it).

      But the threat that's been discussed many times is that the delivery guy gets in the door, takes a look around, and then his friends come back and rob the place later, and know exactly what to take and where it is.

      If the camera works, the delivery guy can't do much more than poke his head in the door, he can't really look around without it being a bit suspicious. Depends a bit on the size of the package too, if it's bigger he can probably get away with coming inside to put it down and maybe "resting" for a couple seconds. If he wanders into the bedroom you know something's up. But if he can freeze the camera, then he can take a few minutes to walk around the whole house, get a good look at everything you own, sketch up a floor plan, and then leave. You might notice the camera didn't snap a picture of him, but you get home and everything is untouched so you figure it's no big deal. Then a week or a month later you get robbed and they can get in, grab exactly what they want, and be out again in ten or fifteen minutes. They can know what kind of alarm system you've got, maybe even have a virus planted on your PC by the delivery guy that's watching through the webcam, maybe unplug the alarm system from a specific entry point, etc. The delivery guy is never gonna be the real threat, he's gonna be recon. And he can be FAR more effective at that if he's not being watched.

  • (Score: 2) by Nuke on Saturday November 18 2017, @11:03PM

    by Nuke (3162) on Saturday November 18 2017, @11:03PM (#598779)

    Going down the route of the Amazon Key is only embarking on a security versus hacking arms race that will never end. Why bother?

    I have a large mail box near my front gate with a combination lock on it; I include the combination number on my delivery address. It works well. I'm sure that someone could hack the combination, but they have not tried yet, the time at risk for significant content is only on average about four hours per week, and it contains only limited content and is not my entire house. Valuable deliveries generally require a signature anyway.

    Another poster mentioned the whole box possibly being stolen, but they would need an angle grinder to steal mine so I don't think they'd bother.

  • (Score: 2) by LoRdTAW on Monday November 20 2017, @12:05AM

    by LoRdTAW (3755) on Monday November 20 2017, @12:05AM (#599068) Journal

    Just a thought, why doesn't Amazon figure out a better locker method? How about they lease space in apartment buildings for reserved Amazon lockers? Then let the yuppies come in, grab their goods and take the elevators to their ivory tower. Private residences can install lockers in driveways or yards and grab their goods and go inside.

  • (Score: 2) by arslan on Monday November 20 2017, @01:39AM

    by arslan (3462) on Monday November 20 2017, @01:39AM (#599093)

    ZOMG my home can be broken into by some computer savvy burglar and I'll lose a bunch of shit and not know who did it!

    Umm... well the way I see, my home can be broken into by a crow-bar savvy burglar and I'll lose a bunch of shit and not know who did it today...

    My experience is the cops would spend exactly zero effort after getting my statement in the case - they have more pressing issues to deal with.

    In fact, if someone wants to break into my home, I'd prefer they not leave any physical damage that I'd have to pay extra for..
