Matthew Garrett is a security developer at CoreOS who also buys Internet of Things devices on Amazon and writes security reviews about them. Among his purchased and reviewed gadgets are seven smart bulbs and the AuYou Wi-Fi Switch, which lets users remotely turn their home sockets on and off. His writeup, titled "Nice hardware, infuriating setup issues, terrible insecure software," dives deep into the security of this Chinese-manufactured switch that he says exposes the MAC address of users’ sockets.
"In summary: by default [AuYou Wi-Fi Switch] is stupendously insecure, there's no reasonable way to make it secure, and if you do make it secure then it's much less useful than it's supposed to be," he wrote. "Don't buy it."
a bad review prompted the device's removal
About a week later, AuYou pulled its product listing. It’s unclear whether it did so because it wants to remedy the security vulnerabilities or because it wants to re-list the item without a bad review. I hope it’s the former option, but still, Garrett’s a serious hero! He analyzed a device that at least 20 people had purchased (who presumably had no idea the switch they bought put their home at risk), and exposed the vulnerabilites. Hero!
But the real story here isn’t about the plug or even the rest of the gadgets Garrett has written up; it’s that it’s insanely easy to manufacture an internet-connected device, yet is immensely difficult to build a secure one. If Google, Facebook, and Yahoo all operate their own bug bounty programs, and white hat hackers continue to find bugs in their platforms, how is a small company supposed to adequately handle cybersecurity? Furthermore, consumers have no way to assess cybersecurity ratings like they would use the calorie count on a bag of chips to determine whether it's worth the health repercussions. People have to buy based off faith because there’s no good way to vet products from unknown manufacturers. Garrett reminds us that as we start connecting everything — EVERYTHING — to the internet, we should be thinking about how much security matters and how we'll assess devices going forward. Thanks for that one, Garrett.