Knock! Knock! Your Package Has Arrived: Amazon's New In-Garage Delivery Service
Amazon recently announced a new delivery service, where they will deliver packages directly into your garage. No more worrying about porch pirates stealing your Amazon Prime Glitter Bombs off your porch while you’re at work. It seems like a great idea on the surface.
However, this means connecting your garage door to the internet and adding an optional cloud-based camera to your garage.
From Amazon’s announcement, it appears they’ve put some thought into security. The delivery driver can only open the garage door if their GPS shows them at your house and has a package for you on their truck. You’ll get push notifications when the driver opens your door and when it’s closed. If you install the cloud camera, you’ll get pictures or video from it during the delivery.
But, in an increasingly connected world, security is a two-way street. Since Amazon is using off-the-shelf cloud products, the MyQ garage door controller and Ring cameras, consumers now have two additional online accounts to protect. All too often we hear stories of people whose cloud-connected cameras were “hacked.” In most instances, this has been due to poor password hygiene (weak passwords, or re-using passwords on multiple services). Take this news report from the New York Times for example. In December 2019 poor password hygiene allowed an attacker to access a Ring camera installed in an 8-year-old girl’s bedroom, where the attacker was able to both watch and talk to the child through the camera. The article references three other similar cases within that same month.
In addition, each internet-connected device is another device that, if compromised, could give an attacker access to your internal network. I personally think the risk of this is relatively low at the moment, but as these systems become more popular, we’ll see them become an even bigger target for attackers.
You also need to think about physical security. Is your garage standalone or attached? Is there a door between your garage and house, and if so, is it locked? Do you have anything valuable in your garage? Sure, Amazon will only allow a delivery driver to open your garage if they’re at your house with a package for you, but what if you have a malicious delivery driver that has a package for you on their truck? They open your garage, drop off your package, and grab a couple of small items out of your garage while they’re there. If you’re lucky, you installed the optional camera, noticed something missing the same day, reviewed the video, contact Amazon, the driver is fired and arrested and you get your items back.
What if you didn’t install the camera though? Or what if you didn’t notice anything was missing until after the camera recordings aged out of the system? Then it becomes much more difficult to prove what happened.
As with everything in the cyber security world, one must weigh the risks versus the reward. If you live in an area where package theft is common and have a fairly clean garage this service is a good way to ensure your packages stay safe. But if package theft isn’t common, or you have a lot of valuables in your garage, the scales could tip to where the risk is greater than the reward. This risk analysis is something each person must weigh before signing up for a service like Amazon’s In-Garage Delivery, and there’s no one-size-fits-all answer.
For me, this is not a service I’ll utilize. For you? Well… only you can answer that. If you do decide to utilize this service (or similar services) be sure to take into account both physical security and cyber security. Get the optional camera and install it in a location to maximize what it can see. Put expensive tools or other items away so they’re out of sight and out of mind. If you have a door between your house and garage, keep it locked. On the cyber side, be sure to use strong unique passwords for all of your online accounts, and utilize two-factor authentication where possible. I would also recommend segregating IoT devices onto their own network, firewalled off from the rest of your network. That way if one of them gets compromised, the damage is limited to your IoT network. Unfortunately for most consumers, this is not easily accomplished, as most consumer routers lack this capability, and more advanced routers require advanced networking knowledge.
