Vulnerabilities found when using Amazon Key

(CBS) -- "If it's digital it's hackable."

That's what cyber security expert John Sileo told us in October about the new in-your-home delivery service, Amazon Key.

"I want to see the hackers get a chance at it and see what they do with it," Sileo says.

Three weeks later? They have had their chance, and say they've already found flaws.

Here's how Amazon says it's supposed to work: For $249 the company sells you a special smart door lock, along with an in-home wireless camera aimed at the door.

A delivery driver uses an app to alert Amazon they have arrived. The company then activates the camera and unlocks the door remotely. The driver drops off the package, steps outside and tells Amazon to lock the door.

But now researchers from Rhino Security Labs say they've found a weakness in the security camera system. It's called a de-authentication attack.

"The camera is essentially dark. An attacker can walk in and leave and you won't be able to see anything, and there won't be a record," says Rhino Security Labs' Engagement Manager Chris Lakin.

In this Rhino Security demo, a mock driver finishes dropping off a package. Then, he or a nearby hacker sends commands to the wi-fi server the security system relies on and temporarily takes the camera offline before the door locks again.

"This is a really simple thing to do it takes just one command," Lakin says.

So while a customer's app still shows a closed door, a would-be burglar could walk inside without the camera seeing him.

"By being able to disable the camera, we're essentially reducing that security to essentially just providing a physical key to your home," says Rhino Security Labs' CEO Ben Caudill.

Amazon says that the flaw isn't in its software. It's a vulnerability all wifi servers contain.

The company plans to put a software update out later this week, to "more quickly provide notifications if the camera goes offline during delivery" and make sure the "service will not unlock the door if the wi-fi is disabled and the camera is not online." Amazon also calls these types of attacks "unlikely".

But Caudill disagrees.

"Based on the simplicity of the attack, $20 and some really freely available software you can implement this yourself. It's not a trivial attack," he says.

Amazon told us they do not believe customers would be put at risk by this. In their view, it is not a security issue and they say they thoroughly background-check their delivery drivers.

But Caudill told us he and his researchers were surprised to find this kind of a vulnerability in a system that literally opens people's doors.