A security developer may be regretting the negative review he left for a product on Amazon.
Matthew Garrett began receiving threats shortly after leaving a one-star review for an internet-connected electric socket, TechCrunch reported on Friday (July 1). He initially received emails from the manufacturer of the socket warning that other reviewers were attempting to have Garrett’s review removed from Amazon.
In his review, Garrett pointed out a design flaw in the AuYou Wi-Fi Switch: when the controlling phone is not on the user’s home Wi-Fi network, the on/off command is relayed to the socket through a server in China.
“The command packets look like they’re encrypted, but in reality there’s no real cryptography here at all,” the review stated.
The problem is that the relay server identifies each socket only by its MAC address, and the command traffic is not protected by any real cryptography. A MAC address is not a secret, so anyone who learns it can send commands that the server will pass on to the socket.
“If anybody knows the MAC address of one of your sockets, they can control it from anywhere in the world. You can’t set a password to stop them, and a normal home router configuration won’t block this. You need to explicitly firewall off the server (it’s 115.28.45.50) in order to protect yourself. Again, this is completely unrealistic to expect for a home user, and if you do this then you’ll also entirely lose the ability to control the device from outside your home,” his review continued.
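To make the point concrete, here is an added example that is not code from Garrett’s review, the AuYou app or the firmware: a small model of a relay that identifies sockets by MAC address and accepts any command for a known MAC, next to a relay that requires a per-device key and an HMAC over the command. The message format, the relay API, the MAC address and the provisioning of the key are all assumptions made for the illustration.

```python
"""Model of an unauthenticated relay versus an authenticated one.

Added example, not the AuYou product's real protocol. The packet
layout, relay API, MAC address and key provisioning are assumptions.
"""
import hashlib
import hmac
import secrets


class UnauthenticatedRelay:
    """Mirrors the design the review criticises: the MAC address is the
    only thing a command needs, and MAC addresses are not secret."""

    def __init__(self):
        self.state = {}  # mac -> "on" / "off"

    def register(self, mac):
        self.state[mac] = "off"

    def command(self, mac, action):
        if mac not in self.state:
            return False
        self.state[mac] = action  # no password, no key, no freshness check
        return True


class AuthenticatedRelay:
    """Each socket has a per-device secret shared with the owner's app.
    A command carries an HMAC over (mac, counter, action); the counter
    must increase so a captured valid command cannot be replayed."""

    def __init__(self):
        self.keys = {}
        self.state = {}
        self.last_counter = {}

    def register(self, mac, key):
        self.keys[mac] = key
        self.state[mac] = "off"
        self.last_counter[mac] = 0

    @staticmethod
    def tag(key, mac, counter, action):
        msg = f"{mac}|{counter}|{action}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def command(self, mac, counter, action, tag):
        key = self.keys.get(mac)
        if key is None:
            return False
        if counter <= self.last_counter[mac]:
            return False  # replayed or stale command
        expected = self.tag(key, mac, counter, action)
        if not hmac.compare_digest(expected, tag):
            return False  # attacker knows the MAC but not the key
        self.last_counter[mac] = counter
        self.state[mac] = action
        return True


MAC = "aa:bb:cc:dd:ee:ff"  # constructed sample address


def demo_unauthenticated():
    """Someone who knows only the MAC can switch the socket."""
    relay = UnauthenticatedRelay()
    relay.register(MAC)
    accepted = relay.command(MAC, "on")
    return accepted, relay.state[MAC]


def demo_authenticated():
    """Owner succeeds; a forged tag and a replayed packet are rejected."""
    relay = AuthenticatedRelay()
    key = secrets.token_bytes(32)  # assumed to be provisioned to socket and app
    relay.register(MAC, key)
    owner_tag = AuthenticatedRelay.tag(key, MAC, 1, "on")
    ok_owner = relay.command(MAC, 1, "on", owner_tag)
    ok_forged = relay.command(MAC, 2, "off", "00" * 32)  # MAC known, key unknown
    ok_replay = relay.command(MAC, 1, "on", owner_tag)  # captured packet resent
    return ok_owner, ok_forged, ok_replay, relay.state[MAC]


if __name__ == "__main__":
    print("unauthenticated relay:", demo_unauthenticated())
    print("authenticated relay:", demo_authenticated())
```

The authenticated version only addresses who may issue commands; confidentiality of the traffic to the relay would still need a real transport encryption layer, which the review says the product does not have.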
An intruder who takes over an internet-connected socket can turn whatever is plugged into it on and off, or potentially damage the connected device.
“If I thought that there was a realistic chance that people were going to lose their jobs over something I was writing, that’s something that would make me reconsider,” Garrett told TechCrunch. “On the other hand, the attitude that many companies have of not giving any indication of caring about the security of the people they’re selling to is horrifying in its own way. That is important — to make people aware when choosing these devices.”