Security Researcher Gets Threats Over Amazon Review (techcrunch.com)
Kate Conger, reporting for TechCrunch:
Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.
The idiocy surrounding IoT is mind-boggling at nearly all levels in the chain. Ease of use and security are almost always at odds with each other, and the former typically wins at the expense of the latter. Secure device enrollment, VLANs, air gapping... who needs this crap when you can download an app, put the device on your home network with a button press on the router, and go?
In this case, we have a bunch of designers without a real background in and/or regard for infosec putting out products that use the "security by obscurity" model and get called out on it. To top it off, it is also the model of personally identifiable information being shipped overseas for who knows how many violations of privacy, and subject to violations of rights by governmental entities monitoring the same information. That this is now common with so many Chinese-made products (especially web cams!) is particularly galling. Even better, the "threats" against this man would normally result in automatic termination of the threatening employee in most Western countries. I suspect this company is like the uncountable numbers of cockroaches on Alibaba, eBay and Amazon hawking their trash - they'll sell it until they can't, then they'll re-form under a different name and do it again, and think that they're right until they get called out like these idiots did.
Last year a recruiter presented me for a job at a lighting company in Eastern Pennsylvania for their IoT product efforts with my background in security and cryptography as well as electronics. They passed on me because I didn't have enough of a lighting background (which is a hell of a lot easier to pick up than security). When I countered to the recruiter that security was the most important thing for them, he agreed wholeheartedly but said there was nothing he could do to convince them otherwise.
If this is the future of IoT, I want no part of it.
Too many reviews on Amazon are blatant fakes. I've gotten in the habit of looking at a reviewer's other reviews to try to figure out if they're a real person or just reviewing that one product.
A couple of weeks ago I noticed that 13 out of 15 reviews of one product were by people who had reviewed only that one product, and all were 5-star reviews. Kinda obvious, wouldn't you say?
I applaud Garrett's honesty. It's so rare nowadays.
If I have to jump through hoops and block traffic from this device just so it's not a security risk, it's not reliable or secure.
If this device were free I wouldn't complain so much, but in this case you are paying for it.