Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Gets Threats Over Amazon Review (techcrunch.com)

Posted by msmash on from the topsy-turvy-world dept.

Kate Conger, reporting for TechCrunch:Amazon retailers sometimes go to extreme lengths to guarantee good reviews, as security developer Matthew Garrett recently discovered when he wrote a one-star review of an internet-connected electric socket. When Garrett politely pointed out that the socket in question was woefully insecure, he received emails from the manufacturer claiming that the review would get employees fired and that other reviewers were campaigning to get Garrett's review taken down. The socket in question is the AuYou Wi-Fi Switch, a $30 device that lets you turn the power from a wall outlet on and off using your phone. [...] But like so many Internet of Things devices, the AuYou switch seems to have a serious security flaw. As Garrett explains in his review, if your phone is connected to your home Wi-Fi, it sends the on/off command to the socket directly. But if you're not home, your phone sends the command to a server in China, which then passes the command along to the socket. "The command packets look like they're encrypted, but in reality there's no real cryptography here at all," Garrett explained in his review. [...] "Just now my boss has blamed me, and he said if I do not remove this bad review, he will quit me. Please help me," the representative wrote. "Could you please change your bad review into good?" Garrett responded that he would update the review if the manufacturer fixed the flaw. The AuYou representative insisted she would be fired if the review was not updated.

10 of 153 comments (clear)

  1. Your shitty product kills jobs? by Opportunist · · Score: 5, Insightful

    Then I guess you should have made a better product.

    Killing the messenger won't make your product any less shitty.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Your shitty product kills jobs? by HeadSoft · · Score: 5, Insightful

      Agreed. If her job depends on good reviews and no bad reviews, her days were numbered the day she started work anyway.

    2. Re:Your shitty product kills jobs? by ShanghaiBill · · Score: 5, Informative

      The correct response to her is, "Tough shit, princess!"

      Even better would be to append your review to say that they contacted you and tried to intimidate you into changing the review. That is relevant information, and future buyers should be aware of what they are doing.

    3. Re:Your shitty product kills jobs? by theskipper · · Score: 5, Informative

      Yeah and not limited to insecure transmissions to foreign servers, embedded stock passwords and keys too. If you check out his other reviews, he actually outs them on another product. For example:

      Morjava®MJ-SmallK Intelligent Smart Wifi Plug Socket Wireless Switch Timer Wifi Socket Wifi Smart US Plug for iPhone iPad Android Smartphone APP
      https://www.amazon.com/dp/B01F...

      "The ugly:

      Oh this is all pretty terrible. To start: the security on this device is a joke. The communication between the app and the device is encrypted with AES, but the encryption key is the same for all devices and is contained within the app - it's "fdsl;mewrjope456fds4fbvfnjwaugfo". This means that it's easy to decrypt any traffic you can see other people send, and also easy to encrypt your own commands. This isn't too much of a problem on your local network (the majority of smart devices will allow anybody on your wifi to control them), but it's awful when it comes to the cloud interface. By default, anyone in the world can send a command to the plug and it'll just perform it. That means anyone can just turn your plugs on and off, and also set the timer. You can avoid the worst of this by setting a password in the app, but there's no sort of rate limiting on the queries so if someone has identified your plug it won't take too long for them to crack your password.

      But wait! There's more!

      It runs ssh by default and has a default root password (" p9z34c"), so anyone on your network can log into it and run whatever they want on it. Anyone who can see your network traffic can decrypt the commands and extract the password, so don't use the app on any untrusted networks. It downloads app updates and plug firmware updates over http and doesn't do signature validation, so anyone can man in the middle you and get you to flash backdoored firmware onto your plug."

      Needless to say, a big thank you to Mr. Garrett for exposing these issues. This is the kind of thing I might buy on a whim and certainly don't have time to figure out what level of security these things are operating at. He's performing a much needed public service.

  2. Update the review with AuYou responses by jishak · · Score: 5, Insightful

    Update your review with the responses from the company. Be fully transparent to future customers whoe might be mislead by the company's products. Don't feel bad if someone loses their job because they weren't doing it properly to begin with. I would go so far as to tell the company that if they keep pushing it I would start investigating the security of their other products and possibly educate them about the Streisand Effect with other companies who have tried to do the same thing.

  3. Re:Cry me a fucking river by Anonymous Coward · · Score: 5, Funny

    Other than that, 5 stars. Will buy again.

  4. Internet of Temerity by StandardCell · · Score: 5, Interesting

    The idiocy surrounding IoT is mind boggling at nearly all levels in the chain. Ease of use and security are almost always at odds with each other, and the former typically wins at the expense of the latter. Secure device enrollment, VLANs, air gapping...who needs this crap when you can download an app, put the device on your home network with a button press on the router, and go?

    In this case, we have a bunch of designers without a real background in and/or regard for infosec putting out products that use the "security by obscurity" model and get called out on it. To top it off, it is also the model of personally identifiable information being shipped overseas for who knows how many violations of privacy, and subject to violations of rights by governmental entities monitoring the same information. That this is now common with so many Chinese-made products (especially web cams!) is particularly galling. Even better, the "threats" against this man would normally result in automatic termination of the threatening employee in most Western countries. I suspect this company is like the uncountable numbers of cockroaches on Alibaba, Ebay and Amazon hocking their trash - they'll sell it until they can't, then they'll re-form under a different name and do it again, and think that they're right until they get called out like these idiots did.

    Last year a recruiter presented me for a job at a lighting company in Eastern Pennsylvania for their IoT product efforts with my background in security and cryptography as well as electronics. They passed on me because I didn't have enough of lighting background (which is a hell of a lot easier to pick up than security). When I countered to the recruiter that security was the most important thing for them, he agreed wholeheartedly but said there was nothing he could do to convince them otherwise.

    If this is the future of IoT, I want no part of it.

  5. Re:Cry me a fucking river by HornWumpus · · Score: 5, Funny

    You should post that as an Amazon review of the product.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  6. Dealing with threats and deception by Bruce+Perens · · Score: 5, Insightful

    I recently posted a similar review on Amazon, although mine was regarding a burglar alarm which connects to a server in China and has no encryption. To their credit, the manufacturer has not challenged the review.

    First, it's entirely possible that the management did not realize that the device was not encrypted or that they specified encryption and that the programmer involved provided something very lame like exclusive-OR with a byte. This, however, indicates a failure of due diligence on the part of the management.

    Globally, the quality of employees performing embedded-systems programming for consumer products is dismal. This doesn't mean just China, it's also really bad in the U.S. and South Korea in my personal experience. The employees can not be expected to have any concept of proper security. I have seen lame attempts at encryption, stripping the executable as an anti-reverse-engineering strategy (!), and many other things a competent systems programmer would face-palm upon encountering.

    Firing the employee as a condition of your not removing the review is deceptive. If the employee actually did something wrong (which we can't tell from here) that is the cause of their firing and it should be independent of whether your review stays up or not.

    It's clearly just an attempt to lay guilt upon you for doing the right thing. But the people you should be protecting first are the consumers who could buy this device and rely on it having more security than it actually does. Go on and do the right thing by making this review available wherever people would purchase the device.

    --
    Bruce Perens.
  7. So, did this guy actually receive threats? by bistromath007 · · Score: 5, Informative

    I only see begging in the summary. Way to go, editors.