
Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera

Posted on November 21st, 2017 at 23:17 by John Sinteur in category: News

I noped the heck out of this a while ago. Unsurprisingly then:


When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone—realistically, most people—who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery.

But now security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum.

And note that I’m not exempting other suppliers from being terminally stupid with this. On the contrary. We need to call this effort by Amazon what it really is. If the problem Amazon is solving is “having your stuff stolen by strangers”, why does the solution they offer involve allowing strangers access to even more of your stuff? What we do know is that for Amazon (as with every other big biz) the goal is data. Who enters your house and at what times. For F*ck's sake, they data mine what you look at, what you buy, what you watch, what you listen to. With Alexa they data mine your voice, who you call. Does anyone think Amazon is accruing massive debt for package delivery?

Amazon has pretty smart people working for them. Surely they recognize this thing violates an insane number of principles in security: Least Privilege and Separation of Domains, Separation of roles and Segregation of duties. Just to name a few. These weaknesses are built into the fabric of the design. As a general rule, weaknesses at the concept level cannot be fixed at the design level, weaknesses at the design level cannot be fixed at the architecture level, and weaknesses at the architecture level cannot be fixed at the implementation or coding levels. This entire idea is fucked from the start. And yet they go on with it.
