When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone—realistically, most people—who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery.

But now security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum.

And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.

"The camera is very much something Amazon is relying on in pitching the security of this as a safe solution," says Ben Caudill, the founder of the Seattle-based security firm Rhino Security Labs, whose researchers discovered and demonstrated the Amazon Key attack. "Disabling that camera on command is a pretty powerful capability when you’re talking about environments where you’re relying heavily on that being a critical safety mechanism."

Key Master

The Rhino Labs proof-of-concept attack on Amazon Key is relatively simple. In their demonstration, shown in the video above, a delivery person unlocks the door with their Amazon Key app, opens the door, drops off a package, and then closes the door behind them. Normally, they'd then lock the door with their app. In this attack, they instead run a program on their laptop—or, Rhino's researchers suggest, on a simple handheld device anyone could build using a Raspberry Pi minicomputer and an antenna—that sends a series of "deauthorization" commands to the home's Cloud Cam.

That so-called deauth technique isn't exactly a software bug in Cloud Cam. It's an issue for practically all Wi-Fi devices, one that allows anyone to spoof a command from a Wi-Fi router that temporarily kicks a device off the network. In this case, Rhino's script sends the command again and again, to keep the camera offline as long as the script is running. Most disturbingly, Amazon's camera doesn't respond to that attack by going dark or alerting the user that the camera is offline. Instead, it continues to show any live viewer—or anyone watching back a recording—the last frame the camera saw when it was connected.

'Disabling that camera on command is a pretty powerful capability.' Ben Caudill, Rhino Labs

That means the deauth command sent by the delivery-person-turned-hacker standing just outside your door can freeze the camera on the image of a closed door, while he then waltzes in a second time and closes the door behind them. Once inside, the intruder can simply move beyond the view of the Cloud Cam, stop sending the deauth command to allow the camera to reconnect, and hit the lock button on their app. Neither the lock's logs nor the video record would appear amiss to the Amazon Key user, even as a stranger runs amok inside their house.