
Devastating Amazon hardware review of a wireless power switch - webmaven
https://www.amazon.com/gp/review/R2JVRCO8T1ON0R
======
martey
Just as worrisome as the content of the review is the fact that the company
tried multiple avenues to make him remove it:

[https://twitter.com/mjg59/status/747612713786847232](https://twitter.com/mjg59/status/747612713786847232)

> _Incidentally, now up to three separate emails begging me to remove [the
> review] or they'll be fired_

[https://twitter.com/mjg59/status/747866725945737216](https://twitter.com/mjg59/status/747866725945737216)
contains a screenshot of an email complaining that the review is "unfair"
because it is negative and people are marking it as helpful, making it more
difficult for other "honest reviewers" to get traction.

~~~
CWuestefeld
At the first link, I'm immediately turned off by his follow-up: _Capitalism is
fucking bullshit_

What's really ironic is that this experience shows how well capitalism does
work, more effectively than other systems can: The reviewer found a bad
product, reviewed it honestly, and is now helping other people stay away from
it. Let's see you try to make that happen when you're faced with poor and
disinterested government-provided services.

~~~
themgt
He doesn't actually clarify his line of thinking. As someone who is also not
much a fan of capitalism, my thought at getting those emails might be "this
company cut corners trying to turn a quick profit making a crap product, and
now some poor schmucks at the bottom are getting fired. capitalism sucks"

Soviet-style five year plans are also not the only alternative to Hobbesian
capitalism, that is a false dichotomy.

~~~
CWuestefeld
_Soviet-style five year plans are also not the only alternative_

Actually, what I had in my mind when I was typing that was an experience of my
wife, very recently, right here in America. Her job is researching regulations
for Medicaid across the country. Her boss came across documentation from the
State of Illinois that was contradictory, so he tried to call their offices. He
logged 11 calls to them two weeks ago today, with no one taking his call, and
then had to hand the question off to my wife.

Last Monday she attempted to call, only to get a message saying that: (a) they
were replacing their phone system for the entire week so they can't receive
any calls; and (b) they normally don't take any calls during the last week of
the month (!) but because of the phone system problems, they'd make an
exception and open their phone lines for the last week of June. So she started
trying again this past Monday, and it still took several days for her to get
someone to pick up the phone.

That can happen in any system where there's no market allowing people to
reject bad alternatives, and to signal the importance of a product through the
price system. But any time you remove the market forces (e.g., any socialist-
type system where the government is making the calls), the system quickly
stops responding to the needs of its customers.

Can you imagine any capitalist company that would simply take down phone
communications for a week while replacing the system? Years back, my employer
put in a new phone switch, and the outage amounted to hours over a weekend.
Even worse, can you imagine any company that would just say "we never take
customer calls during the last week of any month"?

~~~
davidgerard
It's entirely unclear that the US health insurance market is evidence that
capitalism is a _good_ thing, compared to literally the entirety of the rest
of the first world, _e.g._ the UK, where Garrett is from.

~~~
CWuestefeld
Yes, my point was that this is an example of a NON-market-driven system, i.e.,
not an example of capitalism at work.

------
gargravarr
Whilst I wouldn't use the word 'devastating', this is certainly a well-written
review pointing out the glaring flaws in this IoT device.

It's not devastating because there's enough 4- and 5-star reviews from people
who have evidently overlooked these flaws (or who have iPhones or old Android
devices that allowed setup to work). This word of caution is likely to get
lost among the noise.

The author has done a stellar job highlighting the awful quality and attention
to security of an innocuous IoT device. Granted, a wifi-controlled socket is
likely to only power a table lamp or something similar, so anyone
brute-forcing the MAC addresses isn't going to do horrendous amounts of
damage, but the inability to prevent someone doing this is a clear
illustration of the little control the end user has over 'smart' devices.

Bottom line: if you can't root it, don't put it on your LAN.

~~~
ceejayoz
> It's not devastating because there's enough 4- and 5-star reviews from
> people who have evidently overlooked these flaws...

You misspelled "been paid by the seller via Fiverr".

------
jjp
Be interesting to see whether the reviewer gets any more bargains to review
after that?

~~~
oceanswave
With a review that thorough, he should get a consultation fee

~~~
0xdeadbeefbabe
Weird. I thought the review was myopic.

------
hbogert
paraphrase> The plug connects to a Chinese IP.

It's time we set up a standard so that everybody can choose their own "cloud"
server for these "smart" home electronics. These manufacturers should not be
building their own. Of course the app on your phone could also just connect to
the bloody thing itself instead of using these relay servers of the
manufacturer. (yes I know, NAT punching is a PITA, but better than this)

~~~
forbiddenlake
You can use a solution like Home Assistant or OpenHAB today. Device support
isn't 100% there but they are constantly improving.

------
StavrosK
Great review, but I'm more excited about the fact that this runs on an
ESP8266, presumably controlling a simple relay. This means that I can just
open it up, hook it up to my computer and flash my own firmware that will be
exactly as secure as I need, all for a rather low price.

Hell, maybe they left the FOTA port open and I can give people a small script
with a firmware so they can just run that and flash the plug over the wifi
network!

~~~
driverdan
Why pay $30 for such a device when you can order a similar product direct from
China for $5? [https://www.itead.cc/sonoff-wifi-wireless-switch.html](https://www.itead.cc/sonoff-wifi-wireless-switch.html)

It has the same configuration problems he mentioned but is easily flashable
via FTDI.

~~~
nfriedly
Incidentally, I reviewed a pre-release version of that device a few months
back. I didn't try flashing custom firmware to it though - are there any
instructions for that that I could link to from the review?

[http://www.nfriedly.com/techblog/2015-12-16-itead-sonoff-slampher-review/](http://www.nfriedly.com/techblog/2015-12-16-itead-sonoff-slampher-review/)

~~~
StavrosK
It looks like you connect 3.3V/GND/TX/RX to the four pins shown in this image:

[http://dl.itead.cc/IM151116002/sonoff-parts-without-433.jpg](http://dl.itead.cc/IM151116002/sonoff-parts-without-433.jpg)

Then you flash it with PlatformIO as usual, except I'm not sure which pins are
connected where, that would take some fiddling. I'll buy one to experiment
with.

------
muratsu
Can someone explain to me the "If anybody knows the MAC address of one of your
sockets, they can control it from anywhere in the world." part in more detail?

~~~
BugsBunnySan
a) the sockets all connect to a central server in China;
b) the sockets identify themselves to that server with their MAC address
(kind of makes sense, it's a readily available, globally unique (more or less)
identifier);
c) if you send a message to a socket (identified by its MAC address) from the
app on your phone and your mobile phone can't find it on the local network,
the app sends a message to the central server in China, which sends it on to
the socket, if that happens to be turned on and is thus connected over the
internet to that central server.

So, it's not that you can suddenly magically access devices by MAC address
over the Internet (MAC addresses are still local network only), but since the
sockets are all connected to a central server that knows them by their MAC
address, that makes it possible to send those messages.

This would all not be a problem with good crypto for authentication (and
secrecy), but apparently they put pretty much none of that into the
product/app. So it should be relatively easy to find out the MAC address and
then very easy to talk to the central server and tell it to send messages to
whatever device.

(It's a little like an open relay mail server, and bad for similar reasons)
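
The relay scheme described in the comment above, as an added toy model (this
is example code written for this thread, not the product's protocol or
anything from the review). Devices register with a central server using only
their MAC address, and the server forwards any command addressed to that MAC
to the device; the device obeys it unconditionally, which is the open-relay
problem. The hardened socket in the same model holds a per-device secret and
only accepts commands carrying a fresh nonce and an HMAC over (MAC, nonce,
command). The message fields, the relay class and the MAC addresses are all
assumptions made for the example.

```python
"""
Added example, not code from the review or the product. Models a cloud relay
that knows devices only by MAC, and contrasts a socket with no authentication
(the reviewed design) with one that requires a keyed, nonce-bearing command.
All names, message fields and MAC addresses here are constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


def _tag(secret: bytes, mac: str, nonce: str, cmd: str) -> str:
    """HMAC-SHA256 over the fields that must not be forged or replayed."""
    return hmac.new(secret, f"{mac}|{nonce}|{cmd}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Socket:
    mac: str
    secret: Optional[bytes] = None        # None models the reviewed product: no key at all
    state: str = "off"
    seen_nonces: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, msg: dict) -> bool:
        """Apply a relayed command; return True if it was accepted."""
        if self.secret is None:
            # Insecure design: anything that names our MAC is obeyed.
            self.state = msg["cmd"]
            self.log.append(("accepted", msg["cmd"]))
            return True
        # Hardened design: a valid tag over (mac, nonce, cmd) and an unused nonce.
        nonce, tag = msg.get("nonce"), msg.get("tag")
        if nonce is None or tag is None or nonce in self.seen_nonces:
            self.log.append(("rejected", msg.get("cmd")))
            return False
        if not hmac.compare_digest(_tag(self.secret, self.mac, nonce, msg["cmd"]), tag):
            self.log.append(("rejected", msg["cmd"]))
            return False
        self.seen_nonces.add(nonce)          # consume the nonce so a capture cannot be replayed
        self.state = msg["cmd"]
        self.log.append(("accepted", msg["cmd"]))
        return True


class Relay:
    """Central server: knows a device only by the MAC it announced when it connected."""

    def __init__(self) -> None:
        self.devices: Dict[str, Socket] = {}

    def register(self, sock: Socket) -> None:
        self.devices[sock.mac] = sock

    def forward(self, msg: dict) -> bool:
        """Forward any message to the device it names; the relay itself checks nothing."""
        target = self.devices.get(msg["mac"])
        return False if target is None else target.handle(msg)


def signed_command(mac: str, secret: bytes, cmd: str) -> dict:
    """What the legitimate app would send to the hardened socket."""
    nonce = os.urandom(8).hex()
    return {"mac": mac, "cmd": cmd, "nonce": nonce, "tag": _tag(secret, mac, nonce, cmd)}


def demo() -> dict:
    relay = Relay()
    weak = Socket(mac="aa:bb:cc:00:00:01")                     # constructed MAC, no secret
    strong = Socket(mac="aa:bb:cc:00:00:02", secret=os.urandom(32))
    relay.register(weak)
    relay.register(strong)

    # Attacker who learned or guessed the MAC: no credentials, just a message to the relay.
    weak_hit = relay.forward({"mac": weak.mac, "cmd": "on"})
    strong_miss = relay.forward({"mac": strong.mac, "cmd": "on"})

    # Legitimate owner of the hardened socket, then a replay of the captured message,
    # then the same message with the command swapped (tag no longer matches).
    msg = signed_command(strong.mac, strong.secret, "on")
    owner_ok = relay.forward(msg)
    replay = relay.forward(dict(msg))
    tampered = relay.forward(dict(msg, cmd="off", nonce=os.urandom(8).hex()))

    return {
        "weak_hijacked": weak_hit and weak.state == "on",
        "strong_unauth": strong_miss,
        "owner_ok": owner_ok and strong.state == "on",
        "replay": replay,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The relay does not need to be trusted in the hardened variant: it still routes
by MAC, but only the holder of the per-device key can produce a message the
socket will act on, and a captured message is good for exactly one use.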

~~~
gargravarr
One other issue is that MAC addresses are allocated in contiguous blocks to
manufacturers. If you know the general pattern (the first N characters are
manufacturer-specific), there is precious little stopping you writing a script
to loop through all the possibilities and spam the server with them. Most
network devices have the MAC address printed on a label (with a barcode for an
admin to scan), so it would be trivial to grab an example from a photo.

~~~
Godel_unicode
N=6, this is called the OUI.

~~~
yuubi
Sometimes N=9, such as when the address starts with 00:50:c2. This block is divided
into blocks of 4096 instead of the usual 2^24 so small users can get a block
for a few hundred dollars instead of over a thousand.
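
To make the two preceding comments concrete, here is an added example (written
for this thread, not taken from the review) that walks every address in a
registered block while treating the prefix length correctly: a 24-bit OUI
covers 2**24 addresses, while a 36-bit assignment under 00:50:c2 (the block
yuubi mentions) covers only 4096. The OUI aa:bb:cc and the 36-bit prefix
00:50:c2:12:3 are constructed for the example. The same loop is what a script
hammering the relay would run, which is why a MAC-only identity is not an
obstacle.

```python
"""
Added example, not from the review or the thread. Enumerates a MAC allocation
block given its prefix, for 24-bit (OUI) and 36-bit (00:50:c2-style) prefixes.
Prefixes used in the docstrings and tests are constructed, except 00:50:c2,
which is the block referred to in the thread.
"""
import re
from typing import Iterator, Tuple

_HEX = re.compile(r"^[0-9a-f]+$")


def prefix_bits(prefix: str) -> Tuple[int, int]:
    """Parse 'aa:bb:cc' (24 bits) or '00:50:c2:12:3' (36 bits) into (value, bit_length).

    Each hex digit is 4 bits, so a 9-digit prefix is a 36-bit assignment."""
    digits = prefix.lower().replace(":", "").replace("-", "")
    if not _HEX.match(digits) or len(digits) > 12:
        raise ValueError(f"bad prefix {prefix!r}")
    return int(digits, 16), len(digits) * 4


def block_size(prefix: str) -> int:
    """Number of addresses the prefix covers: 2**(48 - prefix length)."""
    _, bits = prefix_bits(prefix)
    return 1 << (48 - bits)


def fmt(mac: int) -> str:
    """48-bit integer to colon-separated lowercase hex."""
    return ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def addresses(prefix: str) -> Iterator[str]:
    """Yield every address in the block, lowest first."""
    value, bits = prefix_bits(prefix)
    base = value << (48 - bits)
    for offset in range(1 << (48 - bits)):
        yield fmt(base + offset)


def in_block(mac: str, prefix: str) -> bool:
    """True if mac falls inside the block identified by prefix."""
    value, bits = prefix_bits(prefix)
    m = int(mac.lower().replace(":", "").replace("-", ""), 16)
    return (m >> (48 - bits)) == value


def sweep_seconds(prefix: str, requests_per_second: float) -> float:
    """How long a naive sweep of the whole block takes at a given request rate."""
    return block_size(prefix) / requests_per_second


if __name__ == "__main__":
    for p in ("aa:bb:cc", "00:50:c2:12:3"):
        print(p, block_size(p), "addresses;", f"{sweep_seconds(p, 100):.0f}s at 100 req/s")
    print(next(addresses("00:50:c2:12:3")))
```

At a modest 100 requests per second a full 36-bit block is gone in under a
minute and a whole OUI in about two days; rate limiting on the relay is a
speed bump, not a control, when the relay does no authentication at all.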

------
ljk
this is a big problem with customer reviews in general. Only rarely will you
see a review by someone who knows what they're doing; most times the reviews
are very superficial and aren't helpful at all.

------
wuezz
<3 mjg59

------
0xdeadbeefbabe
> In summary: by default this is stupendously insecure, there's no reasonable
> way to make it secure

That's an honest review? I tend to ignore reviewers who talk about security as
an all or nothing proposition. Maybe everyone else will in a few years too.

~~~
anonymousab
It is likely possible to take the device apart and overwrite its firmware in
some way to be more safe, but that is somewhat infeasible for the average
consumer.

~~~
0xdeadbeefbabe
I'm not interested in a review of the average consumer and what they can and
can't achieve. That seems like a harder problem anyway.

