Security Researcher Gets Threats Over Amazon Review (techcrunch.com)
Kate Conger, reporting for TechCrunch: Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.
You can round up your crummy employees and dump them into an incinerator for all I care. I shit on the mass grave where their mothers have been bulldozed into. I hope they die horribly in a gutter of flesh-eating bacteria infection while their kids are sold into sex slavery to cannibals.
I only see begging in the summary. Way to go, editors.
The correct response to her is, "Tough shit, princess!"
Even better would be to append your review to say that they contacted you and tried to intimidate you into changing the review. That is relevant information, and future buyers should be aware of what they are doing.
The original Catcher in the Rye quote was about being so uninteresting/difficult to interact with that nobody would ever bother you.
Laughing Man's trick was managing to achieve that while still participating in human society.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Yeah and not limited to insecure transmissions to foreign servers, embedded stock passwords and keys too. If you check out his other reviews, he actually outs them on another product. For example:
Morjava®MJ-SmallK Intelligent Smart Wifi Plug Socket Wireless Switch Timer Wifi Socket Wifi Smart US Plug for iPhone iPad Android Smartphone APP
https://www.amazon.com/dp/B01F...
"The ugly:
Oh this is all pretty terrible. To start: the security on this device is a joke. The communication between the app and the device is encrypted with AES, but the encryption key is the same for all devices and is contained within the app - it's "fdsl;mewrjope456fds4fbvfnjwaugfo". This means that it's easy to decrypt any traffic you can see other people send, and also easy to encrypt your own commands. This isn't too much of a problem on your local network (the majority of smart devices will allow anybody on your wifi to control them), but it's awful when it comes to the cloud interface. By default, anyone in the world can send a command to the plug and it'll just perform it. That means anyone can just turn your plugs on and off, and also set the timer. You can avoid the worst of this by setting a password in the app, but there's no sort of rate limiting on the queries so if someone has identified your plug it won't take too long for them to crack your password.
But wait! There's more!
It runs ssh by default and has a default root password (" p9z34c"), so anyone on your network can log into it and run whatever they want on it. Anyone who can see your network traffic can decrypt the commands and extract the password, so don't use the app on any untrusted networks. It downloads app updates and plug firmware updates over http and doesn't do signature validation, so anyone can man in the middle you and get you to flash backdoored firmware onto your plug."
Needless to say, a big thank you to Mr. Garrett for exposing these issues. This is the kind of thing I might buy on a whim and certainly don't have time to figure out what level of security these things are operating at. He's performing a much needed public service.
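The point in the quoted review, that AES with one key compiled into every copy of the app gives neither confidentiality nor authenticity against anyone who has the app, is easy to see in code. The following Go program is an added illustration, not code from the product, the app, or Garrett's review. The key string is the one quoted above; that the app uses CBC mode with a prepended random IV and PKCS#7 padding is an assumption made here for the sake of the example (the review only says "AES"). The second half shows the design a practitioner would expect instead: a key provisioned per plug, an authenticated mode (AES-GCM), and the plug's identifier bound into the authentication tag, so the app-wide key decrypts nothing and a command captured for one plug cannot be replayed to another. The plug ID and the per-device key in the example are constructed, not taken from any real device.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// The key quoted in the review: one value baked into every copy of the app.
// CBC mode with a random IV is an assumption for this illustration.
var appKey = []byte("fdsl;mewrjope456fds4fbvfnjwaugfo") // 32 bytes, so AES-256

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// sealShared models the app: IV || AES-CBC(appKey, pad(cmd)).
// No per-device secret and no MAC: the app binary is the whole secret.
func sealShared(key, cmd []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	pt := pkcs7Pad(append([]byte(nil), cmd...))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// openShared models the plug, or anyone watching the traffic: a clean
// decrypt-and-unpad is all it checks, which says nothing about the sender.
func openShared(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealDevice is the hardened counterpart (added here, not from the product):
// a key unique to this plug, AES-GCM for integrity, and the plug's ID as
// associated data so a command for one plug is rejected by every other plug.
func sealDevice(devKey []byte, plugID string, cmd []byte) ([]byte, error) {
	gcm, err := gcmFor(devKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cmd, []byte(plugID)), nil
}

func openDevice(devKey []byte, plugID string, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(devKey)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("short message")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(plugID))
}

func main() {
	// Weak design: a neighbour's command is readable and a forged one is accepted.
	captured, _ := sealShared(appKey, []byte("OFF"))
	leaked, _ := openShared(appKey, captured)
	forged, _ := sealShared(appKey, []byte("ON"))
	accepted, _ := openShared(appKey, forged)
	fmt.Printf("eavesdropper reads %q; plug accepts forged %q\n", leaked, accepted)

	// Hardened design: the app-wide key is useless against a per-plug GCM key.
	devKey := make([]byte, 32) // would be provisioned at pairing; random here
	io.ReadFull(rand.Reader, devKey)
	msg, _ := sealDevice(devKey, "plug-0001", []byte("ON"))
	_, err := openDevice(appKey, "plug-0001", msg)
	fmt.Println("open with app-wide key:", err)
	_, err = openDevice(devKey, "plug-0002", msg)
	fmt.Println("replay to another plug:", err)
}
```

Per-device keys only help if the pairing step that provisions them is itself protected, and none of this addresses the other two findings in the quoted review (a default root password over SSH, and unsigned firmware fetched over plain HTTP), each of which defeats the device on its own.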
Then I guess you should have made a better product.
We don't know that the product isn't good. All we know is that there is a convenience option that has a security issue, but which is trivially eliminated by prudent network management. The device itself may function flawlessly and do exactly what you need it to do.
For example, this has a similar "call home to Momma" feature, but by simply blocking outbound connections from it at the router you solve the problem completely. You're left with a pretty reliable remote controllable power switch. I've got four of them in the field and they work great.
Not to mention that company is violating the GPL. The next paragraph from his review lays it out:
It's also running Linux and various other pieces of GPLed software. The GPL is a software license that requires that you either include the source code to the GPLed components when you sell a device, or include an offer to provide the source code on request. This does neither, which is a violation of the license. Unless you meet the requirements of the license, you're breaching copyright. So this device breaches international copyright law. The manufacturer told me that they were unable to provide the source code.
If I have to jump through hoops and block traffic from this device just so it's not a security risk, it's not reliable or secure.
Reliability is a different issue than security. And it's not a big hoop. It's a hoop that you should be jumping through whenever you add a device that you don't want talking to the outside world to your net. You have no reason to believe that any device you use isn't trying to talk to someone somewhere these days and especially if the device is advertised as "IoT" and controllable from a mobile device from anywhere in the world. It shouldn't take a bad review on Amazon to tell you this. If you do the blocking automatically, it won't matter if the device tries to phone home or not, you'll be covered.
If this device were free I wouldn't complain so much, but in this case you are paying for it.
Yeah, you usually have to pay for physical hardware. You don't have to pay for the network connection to China, though. You can block that for free.
As for Opportunist, who writes:
So a product being crap doesn't really matter that much if you can easily take care of it?
Being insecure in the manner this one is doesn't mean the product is crap. It means there is a security issue that can be trivially solved.
So glad you agree that VW shouldn't be required to pay that ridiculous fine.
So glad you're happy putting words in my mouth and trying to compare apples to oranges.