camp2023-57126-eng-Our_Time_in_a_Product_Review_Cabal_opus.vtt

WEBVTT

00:00:00.000 --> 00:00:10.000
 [MUSIC]

00:00:10.000 --> 00:00:20.000
 [MUSIC]

00:00:20.000 --> 00:00:35.800
 And okay, we are ready to start.

00:00:35.800 --> 00:00:42.720
 So from the US, we have two first time campers that are going to present

00:00:42.720 --> 00:00:46.960
 awesome stuff to us, Matt and Adam.

00:00:46.960 --> 00:00:51.480
 They are going to talk us about product review and the malware and

00:00:51.480 --> 00:00:57.920
 the back doors that they have been able to find in those situations.

00:00:57.920 --> 00:01:02.640
 So please give a huge applause to our speakers, please.

00:01:02.640 --> 00:01:10.240
 >> [APPLAUSE]

00:01:10.240 --> 00:01:12.800
 >> Hello, thank you.

00:01:12.800 --> 00:01:18.480
 I'm Adam Shaw and this is Matt and this is our time in a product review cabal and

00:01:18.480 --> 00:01:22.160
 the malware and bugs that came with it.

00:01:22.160 --> 00:01:26.480
 A little bit about us, I lead a team of AppSec engineers.

00:01:26.480 --> 00:01:28.400
 I'm a home lab enthusiast.

00:01:28.400 --> 00:01:34.960
 I have my own conference that I help run in Omaha, Nebraska in the United States.

00:01:34.960 --> 00:01:38.760
 And I help run my local Defcon group.

00:01:38.760 --> 00:01:44.360
 And also I help with a conference in Hawaii called LocomocoSec.

00:01:44.360 --> 00:01:47.440
 Highly recommended if you're able to get out there for that one.

00:01:47.440 --> 00:01:49.320
 >> And hey everyone, my name is Matt Veras.

00:01:49.320 --> 00:01:51.160
 It is my real last name.

00:01:51.160 --> 00:01:54.920
 I'm a IoT engineer at Cisco for about 15 years now.

00:01:54.920 --> 00:01:56.360
 I'm a part time farmer.

00:01:56.360 --> 00:01:57.920
 I'm a big hardware junkie.

00:01:57.920 --> 00:02:00.400
 I take everything apart and find out how it works.

00:02:00.400 --> 00:02:05.640
 I'm a former DOD forensic malware reverse engineer analyst.

00:02:05.640 --> 00:02:07.880
 And I'm founder of hackspace.io.

00:02:07.880 --> 00:02:10.160
 Slides and stuff from previous projects are posted out there.

00:02:10.160 --> 00:02:15.320
 So go check it out and follow us both on Twitter or on Slack or wherever.

00:02:15.320 --> 00:02:16.520
 >> Awesome.

00:02:16.520 --> 00:02:18.160
 And just a quick disclaimer.

00:02:18.160 --> 00:02:21.640
 All of this work was done for research purposes only.

00:02:21.640 --> 00:02:24.800
 Nothing we discussed today is representative of our employers.

00:02:24.800 --> 00:02:29.560
 We ensured that every review, photo and video were immediately taken down and reported.

00:02:29.560 --> 00:02:31.640
 This is platform agnostic.

00:02:31.640 --> 00:02:36.560
 It affects all online retailers, not specific ones.

00:02:36.560 --> 00:02:40.040
 And we're an ethical cabal.

00:02:40.040 --> 00:02:43.200
 So in July we were accepted for this talk.

00:02:43.200 --> 00:02:48.300
 Big thank you to Millie Ways and the staff that put this on.

00:02:48.300 --> 00:02:50.920
 This is one of my favorite childhood books.

00:02:50.920 --> 00:02:53.920
 So I was super pumped about it.

00:02:53.920 --> 00:02:57.120
 And then in August we decided we had to make the slides.

00:02:57.120 --> 00:03:03.100
 So if you saw us, you know, by our tent, we were working on this for quite some time.

00:03:03.100 --> 00:03:08.440
 This is my wife and I, this is like our normal interaction when we have a talk coming up.

00:03:08.440 --> 00:03:11.240
 I've almost started.

00:03:11.240 --> 00:03:17.720
 So in 2020, there was obviously the global pandemic with COVID.

00:03:17.720 --> 00:03:19.960
 And it meant that everyone needed to wear masks.

00:03:19.960 --> 00:03:22.720
 It was known for three things, right?

00:03:22.720 --> 00:03:26.360
 One, video streaming, all those streaming services.

00:03:26.360 --> 00:03:28.440
 And online shopping.

00:03:28.440 --> 00:03:29.480
 Yeah.

00:03:29.480 --> 00:03:33.000
 So what kind of stuff did you order online?

00:03:33.000 --> 00:03:38.600
 Maybe groceries, maybe delivery for food or things like that.

00:03:38.600 --> 00:03:39.600
 But not us.

00:03:39.600 --> 00:03:43.680
 We ordered all kinds of electronic gizmos and stuff that we really didn't need but looked

00:03:43.680 --> 00:03:48.080
 cool and was cheap because we were all stuck at home doing whatever we could only do at

00:03:48.080 --> 00:03:49.080
 home.

00:03:49.080 --> 00:03:51.440
 So that's kind of where we were.

00:03:51.440 --> 00:03:54.400
 So this whole thing started with a postcard.

00:03:54.400 --> 00:03:59.200
 I had ordered a smart switch from a company called Treat Life.

00:03:59.200 --> 00:04:04.200
 And in the box there was this postcard saying, "We are celebrating our company anniversary.

00:04:04.200 --> 00:04:07.280
 And you write to us, send us a note and we'll send you a free gift."

00:04:07.280 --> 00:04:10.000
 And who doesn't like a free gift?

00:04:10.000 --> 00:04:12.720
 So I reached out to them.

00:04:12.720 --> 00:04:13.720
 You could see the note there.

00:04:13.720 --> 00:04:15.280
 I said, "Hello, Treat Life team.

00:04:15.280 --> 00:04:17.040
 I like free stuff.

00:04:17.040 --> 00:04:18.120
 How does this work?"

00:04:18.120 --> 00:04:20.000
 And they said, "Oh, hello."

00:04:20.000 --> 00:04:26.560
 And you just buy our thing from this retailer and we'll give you a refund for it.

00:04:26.560 --> 00:04:28.760
 And you don't even have to leave us a review or anything.

00:04:28.760 --> 00:04:32.200
 Please just go buy it and everything will be good."

00:04:32.200 --> 00:04:35.800
 So we did.

00:04:35.800 --> 00:04:39.480
 So how it would kind of work is you would reach out to this retailer and say, "Hey,

00:04:39.480 --> 00:04:40.480
 I received this offer."

00:04:40.480 --> 00:04:42.060
 And then they would say, "Buy it."

00:04:42.060 --> 00:04:46.360
 And then we'll refund your money in PayPal or Amazon or whatever gift card you would

00:04:46.360 --> 00:04:47.360
 like.

00:04:47.360 --> 00:04:51.640
 And then you would have the device and use it and there would be no strings with some

00:04:51.640 --> 00:04:52.740
 vendors.

00:04:52.740 --> 00:04:57.220
 But then as we move forward, we learned that some vendors play by some different rules

00:04:57.220 --> 00:05:04.000
 and they may require a positive five-star review before they'll give you the reimbursement.

00:05:04.000 --> 00:05:07.280
 And it must have pictures or must have this or must have that.

00:05:07.280 --> 00:05:12.000
 But in general, with some of the vendors, they would give it for free for no strings

00:05:12.000 --> 00:05:14.200
 attached.

00:05:14.200 --> 00:05:19.200
 So once we start collecting things, it got to be quite a lot.

00:05:19.200 --> 00:05:22.680
 Cameras, switches, a lot of smart home devices.

00:05:22.680 --> 00:05:27.520
 I'm a big smart home automation firmware enthusiast, so that's kind of where I was targeting.

00:05:27.520 --> 00:05:32.480
 But then other strange devices too like a vacuum cleaner, which was really interesting.

00:05:32.480 --> 00:05:39.140
 And lots of cameras and other things, desk lamps, steaks, kitchen appliances, all kinds

00:05:39.140 --> 00:05:42.000
 of things.

00:05:42.000 --> 00:05:45.020
 So the list grew.

00:05:45.020 --> 00:05:50.400
 And as we collected more things, we started getting emails from additional vendors that

00:05:50.400 --> 00:05:53.360
 we hadn't necessarily reached out to directly.

00:05:53.360 --> 00:05:58.080
 It seemed that there was kind of this special list of customers that was shared amongst

00:05:58.080 --> 00:06:00.680
 these companies that were sending things out for free.

00:06:00.680 --> 00:06:04.600
 And so the more that we interacted with them, the more we got.

00:06:04.600 --> 00:06:07.820
 And the more vendors came to ask us if we would like their stuff.

00:06:07.820 --> 00:06:12.560
 So more is always better.

00:06:12.560 --> 00:06:18.260
 And then we started thinking like a hacker or thinking like a larcenist, what if we were

00:06:18.260 --> 00:06:21.820
 to use multiple email accounts to interact with them?

00:06:21.820 --> 00:06:25.360
 What if I want two of that thing or maybe five of that thing?

00:06:25.360 --> 00:06:26.360
 How could I do that?

00:06:26.360 --> 00:06:32.080
 So we'll have multiple email accounts and forward messages between them and collect things.

00:06:32.080 --> 00:06:36.800
 And we were wondering at first, like, is this a good idea?

00:06:36.800 --> 00:06:39.680
 Will they notice?

00:06:39.680 --> 00:06:40.680
 They did not.

00:06:40.680 --> 00:06:42.880
 They did not notice at all.

00:06:42.880 --> 00:06:49.400
 And in fact, things kind of escalated on from there.

00:06:49.400 --> 00:06:54.520
 So the thing that happened then is as we started collecting things and telling our friends,

00:06:54.520 --> 00:06:56.720
 they were jealous of all of the cool stuff we got.

00:06:56.720 --> 00:06:58.420
 Like I want stuff too.

00:06:58.420 --> 00:07:00.280
 So sharing is caring.

00:07:00.280 --> 00:07:04.080
 And we started to share some of our friends' contact information with these vendors.

00:07:04.080 --> 00:07:06.080
 And some of the sharing we did was official.

00:07:06.080 --> 00:07:10.560
 It was hello, Mr. Vendor, I have a friend who would like to work with you and the vendors

00:07:10.560 --> 00:07:12.480
 would always say yes.

00:07:12.480 --> 00:07:16.760
 But then as we'll talk about in a slide or two, some of the referrals were maybe not

00:07:16.760 --> 00:07:18.500
 quite so official.

00:07:18.500 --> 00:07:22.600
 So we'll talk about that in just a moment.

00:07:22.600 --> 00:07:24.040
 >> Yeah.

00:07:24.040 --> 00:07:30.040
 And along the way, we realized that there's just a bunch of people out there sending these

00:07:30.040 --> 00:07:34.200
 messages and they don't really care what we respond with.

00:07:34.200 --> 00:07:36.720
 They don't really care who we are.

00:07:36.720 --> 00:07:40.320
 They don't really care where we're sending the items.

00:07:40.320 --> 00:07:46.360
 I was sending items to like family members at some points.

00:07:46.360 --> 00:07:48.360
 And then I realized that they didn't care.

00:07:48.360 --> 00:07:52.120
 So I started sending them to different apartments in my own house.

00:07:52.120 --> 00:07:56.240
 I had six or seven apartments in my house that I would send them to.

00:07:56.240 --> 00:07:59.640
 And they just all show up on my doorstep.

00:07:59.640 --> 00:08:08.320
 And we realized, okay, let's just share the -- not only are we sharing like -- not only

00:08:08.320 --> 00:08:13.160
 are we telling the vendors, hey, contact this person, but now if they contact us, let's

00:08:13.160 --> 00:08:17.080
 just send that email to another one of our friends.

00:08:17.080 --> 00:08:19.420
 And then more friends can sign up.

00:08:19.420 --> 00:08:20.880
 And then more friends.

00:08:20.880 --> 00:08:24.000
 We eventually just dropped all the pretense altogether.

00:08:24.000 --> 00:08:30.120
 And we started by sending -- we would change the headers and modify the email and make

00:08:30.120 --> 00:08:32.960
 it look like they had emailed us.

00:08:32.960 --> 00:08:37.280
 But at the end of it, I was just replying to ones that were sent to Matt, for example.

00:08:37.280 --> 00:08:42.680
 >> Like, hey, Adam, I got an invite for a pool filter and some kitchen knives.

00:08:42.680 --> 00:08:43.680
 Would you like that one?

00:08:43.680 --> 00:08:46.120
 >> And I say, I need some knives.

00:08:46.120 --> 00:08:47.120
 Sure.

00:08:47.120 --> 00:08:51.280
 And I would just reply to the email address and say, please send me knives.

00:08:51.280 --> 00:08:52.860
 And they'd say, okay.

00:08:52.860 --> 00:08:54.700
 And so they'd just send stuff then.

00:08:54.700 --> 00:08:56.320
 And we started sharing the best invites.

00:08:56.320 --> 00:09:02.920
 And this is how we built this cabal of people who we would just share all the invites with.

00:09:02.920 --> 00:09:07.460
 And we'd say, hey, I got an invite group or chat.

00:09:07.460 --> 00:09:15.380
 And this invite is product X, Y, and Z. And somebody would say, I need product Y.

00:09:15.380 --> 00:09:17.580
 And so we just forward the email to them.

00:09:17.580 --> 00:09:21.360
 And somebody else would say, I need product X and forward the email to them.

00:09:21.360 --> 00:09:23.880
 And nobody ever seemed to notice.

00:09:23.880 --> 00:09:28.000
 And we just, everyone just got free stuff.

00:09:28.000 --> 00:09:33.200
 The profit slide where Matt had all of those different things, every one of us had closets

00:09:33.200 --> 00:09:36.400
 like that, you know, where we were just filling up with stuff.

00:09:36.400 --> 00:09:40.140
 The problem is, they started turning into pushers.

00:09:40.140 --> 00:09:46.260
 They started sending us emails and they'd say, hey, here is 60 products.

00:09:46.260 --> 00:09:48.340
 Pick two of them that you want.

00:09:48.340 --> 00:09:52.060
 And they would be the most wacky products.

00:09:52.060 --> 00:09:53.060
 Sex toys.

00:09:53.060 --> 00:09:55.060
 Dog treat dispensers.

00:09:55.060 --> 00:09:56.060
 Pool floaties.

00:09:56.060 --> 00:09:57.060
 Yeah.

00:09:57.060 --> 00:09:58.060
 Toilet scooters.

00:09:58.060 --> 00:09:59.060
 Toilet drain stoppers.

00:09:59.060 --> 00:10:00.060
 Yeah.

00:10:00.060 --> 00:10:01.060
 Pasta dishes.

00:10:01.060 --> 00:10:05.940
 And we didn't really care about a lot of those.

00:10:05.940 --> 00:10:13.500
 What we cared about was the technology ones that we were interested in and researching.

00:10:13.500 --> 00:10:15.040
 But it got extensive.

00:10:15.040 --> 00:10:17.780
 And there was a few main characters in this.

00:10:17.780 --> 00:10:25.860
 If you see these on your recommended anywhere, know that 90% of their reviews are probably

00:10:25.860 --> 00:10:27.420
 fake.

00:10:27.420 --> 00:10:29.260
 One of them is Vixer.

00:10:29.260 --> 00:10:31.100
 See all the different emails.

00:10:31.100 --> 00:10:34.940
 It's a little difficult to see in the sunlight over here, but all the different emails on

00:10:34.940 --> 00:10:38.940
 the right from Vixer over 2020.

00:10:38.940 --> 00:10:41.180
 Apeman was a big one.

00:10:41.180 --> 00:10:48.540
 They would send us emails constantly and Treat Life.

00:10:48.540 --> 00:10:50.980
 Treat Life was one of our favorites.

00:10:50.980 --> 00:10:52.220
 By far the favorite.

00:10:52.220 --> 00:10:53.220
 Yeah.

00:10:53.220 --> 00:10:54.220
 Because highly recommended.

00:10:54.220 --> 00:11:00.300
 Well, they send good quality products that are mostly not...

00:11:00.300 --> 00:11:03.540
 Well, we'll get into the technical details in a minute.

00:11:03.540 --> 00:11:09.980
 But they also never really cared if you did the reviews or not.

00:11:09.980 --> 00:11:12.300
 We would go and make a review.

00:11:12.300 --> 00:11:17.980
 And for some products that you had to have a review before they reimbursed you, and then

00:11:17.980 --> 00:11:21.620
 we would immediately delete the review and report it.

00:11:21.620 --> 00:11:28.660
 Or other products, like Treat Life, I could just open up my developer console in Chrome

00:11:28.660 --> 00:11:32.620
 and just edit one to look like I just made a review and screenshot it and send it.

00:11:32.620 --> 00:11:33.620
 And they didn't even look.

00:11:33.620 --> 00:11:34.620
 They were just like, "All right, here's money.

00:11:34.620 --> 00:11:35.620
 Here you go."

00:11:35.620 --> 00:11:40.060
 Yeah, or even they would just say, "Please send us your order ID."

00:11:40.060 --> 00:11:43.020
 And after they got the order ID, they would just pay right away.

00:11:43.020 --> 00:11:44.020
 Yeah.

00:11:44.020 --> 00:11:45.860
 And then Facebook groups.

00:11:45.860 --> 00:11:47.700
 We were involved in a lot of these.

00:11:47.700 --> 00:11:53.300
 In fact, after the pandemic, we pretty much stopped doing this.

00:11:53.300 --> 00:11:57.380
 It was a while back, but we still get invites all the time.

00:11:57.380 --> 00:12:00.780
 And they're primarily moving to Facebook now, I've noticed.

00:12:00.780 --> 00:12:06.420
 I get a lot of Facebook invites, and they email to me to join their Facebook group.

00:12:06.420 --> 00:12:11.100
 And they're actually moving countries now, too.

00:12:11.100 --> 00:12:20.420
 While I was preparing slides, one of the emails I got for a Facebook group was specific to

00:12:20.420 --> 00:12:21.700
 Thailand.

00:12:21.700 --> 00:12:29.140
 So only in Thailand do they want people to come and do reviews, which I thought was interesting.

00:12:29.140 --> 00:12:32.580
 But what about the stuff?

00:12:32.580 --> 00:12:36.140
 We're giving all this free stuff, but what about it?

00:12:36.140 --> 00:12:38.500
 And for that, let's dive deep.

00:12:38.500 --> 00:12:39.500
 Yeah.

00:12:39.500 --> 00:12:43.220
 So this is by no means exhaustive or complete.

00:12:43.220 --> 00:12:49.780
 This is just a few of the particularly interesting details from a deep dive of what the hardware

00:12:49.780 --> 00:12:51.560
 and software looked like.

00:12:51.560 --> 00:12:56.860
 So I encourage you to do your own research and follow along if you'd like.

00:12:56.860 --> 00:13:01.060
 So the first case study we'll talk about is the three T's.

00:13:01.060 --> 00:13:03.940
 Treat Life, Tekken, and Tuya.

00:13:03.940 --> 00:13:07.580
 So Treat Life and Tekken use the Tuya IoT platform.

00:13:07.580 --> 00:13:09.220
 Maybe some of you have heard of the Tuya platform.

00:13:09.220 --> 00:13:10.820
 It's one of the largest in the world.

00:13:10.820 --> 00:13:12.220
 And anybody can sign up to use Tuya.

00:13:12.220 --> 00:13:16.220
 You just pay them a few dollars, and you can use their development kit, and you can even

00:13:16.220 --> 00:13:19.900
 use their hardware that they kind of white label, and then you can cook your own firmware

00:13:19.900 --> 00:13:22.740
 for it, and it's very interesting.

00:13:22.740 --> 00:13:27.260
 So interesting things about Tuya is they store a number of things in plain text.

00:13:27.260 --> 00:13:29.140
 They collect a number of things plain text.

00:13:29.140 --> 00:13:33.420
 Phone number, the device that you use to set it up, the SSID that it connects to, the device

00:13:33.420 --> 00:13:37.780
 stats like when a light switch turns on or off, things like that.

00:13:37.780 --> 00:13:42.340
 But where things get really interesting and particularly dangerous that maybe people haven't

00:13:42.340 --> 00:13:46.580
 thought of is a number of the vacuum cleaners, including the one that I got through this

00:13:46.580 --> 00:13:47.580
 program.

00:13:47.580 --> 00:13:48.880
 They're using the Tuya platform.

00:13:48.880 --> 00:13:55.540
 So the floor plans of your house are potentially in the Tuya cloud, and whatever vendor sold

00:13:55.540 --> 00:13:59.500
 that to you can access that and sell that to anyone or do whatever they'd like with

00:13:59.500 --> 00:14:00.500
 it.

00:14:00.500 --> 00:14:01.500
 So that's interesting.

00:14:01.500 --> 00:14:07.660
 And of course the device manufacturer, whoever that is, they can push a firmware update whenever

00:14:07.660 --> 00:14:09.580
 they want, and they can do it silently.

00:14:09.580 --> 00:14:13.500
 So if you -- I'm jumping ahead a little bit, but if you go look at Michael Stegerwald's

00:14:13.500 --> 00:14:18.860
 talk from a few years ago at a CCC event, he talks extensively about the evils of Tuya

00:14:18.860 --> 00:14:20.500
 and how they can do all sorts of interesting things.

00:14:20.500 --> 00:14:22.900
 I'd encourage you to go take a look at that.

00:14:22.900 --> 00:14:30.380
 So the first wave of devices that were collected from TreatLife and from Tekken were ESP8266-based,

00:14:30.380 --> 00:14:32.440
 and it's a great microprocessor.

00:14:32.440 --> 00:14:35.460
 It's fantastic for the hacker community.

00:14:35.460 --> 00:14:39.580
 The Wemos D1 minis for sale over in the village, that's an ESP8266.

00:14:39.580 --> 00:14:43.300
 They're easy to flash, Arduino compatible, very good firmware.

00:14:43.300 --> 00:14:50.780
 And what happened eventually is we were flashing devices just with an interface with the FTDI.

00:14:50.780 --> 00:14:56.340
 And then there was this massive vulnerability that Stegerwald came out with from VTrust

00:14:56.340 --> 00:15:01.140
 where we were able to flash device firmware over the air without having to take it apart

00:15:01.140 --> 00:15:03.580
 or solder or anything, and it was great.

00:15:03.580 --> 00:15:05.460
 It's called TuyaConvert, and the link's right there.

00:15:05.460 --> 00:15:06.500
 You can check it out.

00:15:06.500 --> 00:15:08.260
 And TuyaConvert worked for quite a while.

00:15:08.260 --> 00:15:12.060
 There were several kind of cat and mouse games where the firmware got patched and then the

00:15:12.060 --> 00:15:16.300
 exploit got rewritten, and eventually it stopped working.

00:15:16.300 --> 00:15:21.380
 They changed the way that the keys were derived for the devices, and no longer could we just

00:15:21.380 --> 00:15:25.300
 flash them over the air because of the private key and public key interaction between the

00:15:25.300 --> 00:15:27.900
 server and the device.

00:15:27.900 --> 00:15:29.760
 So then things were great.

00:15:29.760 --> 00:15:33.180
 We were collecting all these devices and taking all of this terrible Tuya code off

00:15:33.180 --> 00:15:37.220
 and putting firmware like Tesmota or ESPHome running it with Node-RED.

00:15:37.220 --> 00:15:40.260
 But then the devices themselves changed.

00:15:40.260 --> 00:15:43.460
 The ESP8266 disappeared.

00:15:43.460 --> 00:15:50.620
 And despite this very substantial change in the device, the FCC documentation never changed.

00:15:50.620 --> 00:15:54.900
 And that's kind of an interesting question for devices that the FCC reviews.

00:15:54.900 --> 00:15:59.660
 If there's a substantial change, it's supposed to require a follow-on examination.

00:15:59.660 --> 00:16:03.980
 I would say that changing the microcontroller would be substantial enough to require a new

00:16:03.980 --> 00:16:05.180
 examination.

00:16:05.180 --> 00:16:11.500
 So it became very hard to know which device would have which controller or which CU.

00:16:11.500 --> 00:16:15.760
 So we kind of got to where you try to order from maybe different vendors and try to find

00:16:15.760 --> 00:16:19.980
 one that had old stock because at the time we didn't really know what to do with these

00:16:19.980 --> 00:16:23.900
 processors and we didn't want to just put them on our network and deal with the evilness

00:16:23.900 --> 00:16:26.300
 of Tuya.

00:16:26.300 --> 00:16:32.460
 But the interesting thing about these controllers is they were the same pinout as the ESP, but

00:16:32.460 --> 00:16:36.020
 they were not able to run Arduino code, so it was good and bad.

00:16:36.020 --> 00:16:42.620
 Then we figured out that they're pin compatible with the ESP32C3 and the ESP12F, so we'd use

00:16:42.620 --> 00:16:47.420
 a hot air station and just drop the chip off and then put a chip flash with Tesmota or

00:16:47.420 --> 00:16:51.860
 potentially ESPHome, but usually Tesmota, so you could step through the GPIOs and figure

00:16:51.860 --> 00:16:54.260
 out the hardware traces and do that easily.

00:16:54.260 --> 00:16:56.100
 So then everything was very good again.

00:16:56.100 --> 00:16:59.580
 We could take these devices with terrible processors and use them with our open source

00:16:59.580 --> 00:17:00.580
 code.

00:17:00.580 --> 00:17:02.380
 Very good.

00:17:02.380 --> 00:17:07.380
 But then moving forward, Khalid Nassar and some others, there's an excellent post here.

00:17:07.380 --> 00:17:08.780
 You should definitely go read it.

00:17:08.780 --> 00:17:14.220
 He walks through a very detailed posting of how some data was stored in some fields inappropriately

00:17:14.220 --> 00:17:19.220
 and there was no bounce checking on it, so we were able to inject code into that buffer.

00:17:19.220 --> 00:17:25.500
 And through that we're able to run a vulnerability that's been called named Tuya Cloud Cutter.

00:17:25.500 --> 00:17:30.700
 And with Cloud Cutter, originally we were able to modify the local keys on the device,

00:17:30.700 --> 00:17:35.100
 and when we modify the local keys, we could potentially write the same key to all of the

00:17:35.100 --> 00:17:36.820
 devices that we're working with.

00:17:36.820 --> 00:17:41.520
 So we have a common key to access our devices, and once we modify the keys, then Tuya can

00:17:41.520 --> 00:17:46.020
 no longer interact with the device, so we still have untrusted firmware, but we have

00:17:46.020 --> 00:17:50.260
 a device that we can control that no one else can control, so it's generally good.

00:17:50.260 --> 00:17:54.260
 And there are ways to hook that device with different automation platforms and make it

00:17:54.260 --> 00:17:57.100
 work, so that was good.

00:17:57.100 --> 00:18:03.620
 But then as we moved forward, there was some substantial development done with a project

00:18:03.620 --> 00:18:07.500
 called, it was originally called Libretuya, but Tuya got mad at that, so it became renamed

00:18:07.500 --> 00:18:08.780
 Libretiny.

00:18:08.780 --> 00:18:10.820
 And another one called OpenBeckon.

00:18:10.820 --> 00:18:16.980
 Libretiny is a port of ESPHome that runs on the Becken hardware, and it looks a lot like

00:18:16.980 --> 00:18:19.220
 ESPHome works the same as YAML-based.

00:18:19.220 --> 00:18:22.820
 There's a container plugin for Home Assistant, it all works very well.

00:18:22.820 --> 00:18:25.100
 And OpenBeckon is a standalone hardware.

00:18:25.100 --> 00:18:29.060
 It's kind of sort of similar to Tasmota, if any of you have used it, but it gives you

00:18:29.060 --> 00:18:32.860
 an API and MQTT and everything, and it runs standalone on the device.

00:18:32.860 --> 00:18:37.940
 Fairly stable, revved a lot, the developer is active in a lot of discords, and as is

00:18:37.940 --> 00:18:40.340
 the developer for Libretiny, very active.

00:18:40.340 --> 00:18:45.460
 So in the end, we have hardware that was previously untrusted that we couldn't work with, that

00:18:45.460 --> 00:18:52.060
 was linked to a generally evil overlay platform, but now we're able to put whatever firmware

00:18:52.060 --> 00:18:56.620
 we want on it, control it how we want, and we're able to audit all of the functions that

00:18:56.620 --> 00:18:57.620
 firmware does.

00:18:57.620 --> 00:19:01.340
 So very powerful, and we take a device that we can't trust at all to a device that we

00:19:01.340 --> 00:19:05.860
 absolutely trust, and we can do whatever we'd like with it.

00:19:05.860 --> 00:19:10.420
 The next case study is around cameras, and there are many cameras that were collected.

00:19:10.420 --> 00:19:15.180
 I use these, I live on a farm, so I use some of these cameras in the shop and for outdoor

00:19:15.180 --> 00:19:18.740
 surveillance and kind of all over the place, so many cameras.

00:19:18.740 --> 00:19:28.700
 And the default in stock firmware was very much not good, very unstable, and very interesting

00:19:28.700 --> 00:19:30.180
 connections outbound.

00:19:30.180 --> 00:19:37.340
 Some of the cameras were using the Tuya platform, and interesting, some of them were leaking

00:19:37.340 --> 00:19:44.820
 to Chinese IP space in earlier firmwares, and there was one, I forgot to collect the

00:19:44.820 --> 00:19:50.020
 data and save it, but in advance of a firmware update, before it was beaconing out to some

00:19:50.020 --> 00:19:54.340
 Chinese IP space, and then after a firmware update it was leaking out to a cloud provider

00:19:54.340 --> 00:20:02.020
 that was US IP space, but it's important to know that the country destination of the,

00:20:02.020 --> 00:20:06.380
 the country of the destination IP is really not all that important, and in the end there's

00:20:06.380 --> 00:20:10.500
 nothing that stops a foreign national from creating a cloud provider account and collecting

00:20:10.500 --> 00:20:12.960
 data and packing it off wherever they'd like.

00:20:12.960 --> 00:20:18.420
 So whether that's a US cloud provider or a Chinese cloud provider, it still should be

00:20:18.420 --> 00:20:22.260
 handled with a minimal amount of trust.

00:20:22.260 --> 00:20:26.460
 So the, in particular the cameras that were not on the Tuya platform, there's one from

00:20:26.460 --> 00:20:32.260
 S-Cam that was very interesting, it has this P2P connectivity and there's a QR code that

00:20:32.260 --> 00:20:36.940
 has a device ID, and this device ID, if you have it, you can connect to the camera with

00:20:36.940 --> 00:20:40.940
 no authentication, all you need is that device ID, so it's very dangerous.

00:20:40.940 --> 00:20:46.740
 And a gentleman named Paul, he gave a big talk on the dangers of this particular P2P

00:20:46.740 --> 00:20:51.860
 network at Defcon, I think two years ago, but the link is there, definitely go watch

00:20:51.860 --> 00:20:58.540
 it, there's huge exposure, and the goal of the P2P network is to make it so you don't

00:20:58.540 --> 00:21:03.780
 have to port forward, or so you can use these cameras behind a CG NAT and still have access

00:21:03.780 --> 00:21:07.420
 to the video, but the thing about that is it gives whoever's authoring the firmware

00:21:07.420 --> 00:21:12.100
 and pushing the updates the ability to do reverse shells and all those things as well, so it's

00:21:12.100 --> 00:21:16.040
 a terrible security vulnerability and just something that's very dangerous that you should

00:21:16.040 --> 00:21:19.440
 not ever trust on your network.

00:21:19.440 --> 00:21:25.060
 So with this particular camera, there's an app to set it up called the P6S Lite, and

00:21:25.060 --> 00:21:29.620
 some of the early documentation of the app references local mode, where you could open

00:21:29.620 --> 00:21:33.000
 the app on your phone and it would find the camera and peer to it and then you could do

00:21:33.000 --> 00:21:38.820
 local mode and it would pull up an interface where you could tell the camera to connect,

00:21:38.820 --> 00:21:47.020
 and so this particular app was missing that function, and so that was troubling, it was

00:21:47.020 --> 00:21:49.600
 kind of what happened to this interface.

00:21:49.600 --> 00:21:54.300
 So it started trolling around on an Android phone and was able to connect to the SSID

00:21:54.300 --> 00:21:59.020
 broadcast by the camera and then exited the app, dropped into the network settings and

00:21:59.020 --> 00:22:04.580
 saw that it was a very non-standard, very strange DHCP IP that I'd been assigned, but with a

00:22:04.580 --> 00:22:12.060
 very common gateway, a .1 gateway, so opened a browser window to .1 on my phone and here

00:22:12.060 --> 00:22:17.440
 I have the interface to this camera, and once I have access to the camera's web interface,

00:22:17.440 --> 00:22:23.000
 I was able to configure it to SSID and configure it to join my network and I was able to not

00:22:23.000 --> 00:22:27.900
 allow it to register on the P2P network, so interesting functionality that was there in

00:22:27.900 --> 00:22:34.180
 like the 2.x version of the app that was gone in the 3.x and they're now on 5 or late 5s

00:22:34.180 --> 00:22:38.900
 or early 6s, so it's like that function was purposefully taken out, at least that would

00:22:38.900 --> 00:22:47.080
 be my conjecture, so an interesting removal from that APK.

00:22:47.080 --> 00:22:51.860
 So I kind of got ahead of myself a bit, but yeah, the local mode was gone and when you

00:22:51.860 --> 00:22:58.540
 do this via direct web interface, the P2P registration does not happen and as you see in this one,

00:22:58.540 --> 00:23:03.900
 this is an iteration I did while using the actual app and doing it and this camera actually

00:23:03.900 --> 00:23:10.260
 did join that P2P network and all sorts of interestingness, so every camera, whether

00:23:10.260 --> 00:23:15.420
 it was Tuya or non-Tuya platform, every camera beaconed out, some a little bit, some a whole

00:23:15.420 --> 00:23:20.100
 lot, some of the interesting addresses were some of them were China and some other ones

00:23:20.100 --> 00:23:25.500
 were China and some of that's Alibaba, some of it's not and some of the other IP connections

00:23:25.500 --> 00:23:30.820
 were previously, like I said, to China and then some to other non-Chinese cloud providers

00:23:30.820 --> 00:23:32.580
 but still not to be trusted.

00:23:32.580 --> 00:23:36.460
 The cameras worked to a varying degree of success, some not at all and some really well

00:23:36.460 --> 00:23:42.380
 with RTSP and ONVIF, those are ways to access a camera locally and have the data local and

00:23:42.380 --> 00:23:46.340
 not out to a cloud or a cloud server, some of them worked, some of them did not at all

00:23:46.340 --> 00:23:50.980
 and the typical ways with the non-trusted firmware that you can take a camera like that that

00:23:50.980 --> 00:23:58.860
 does allow ONVIF or RTSP to allow and have it be semi-trusted is create a P2P reservation

00:23:58.860 --> 00:24:05.260
 for it with no default gateway and/or give it no DNS, have layer 3 ACLs, even layer 2

00:24:05.260 --> 00:24:09.460
 ACLs if you'd like, there are a number of ways to take a device like that and pin it

00:24:09.460 --> 00:24:15.980
 in a corner but still have it be usable, not necessarily the recommended way.

00:24:15.980 --> 00:24:21.940
 Most of the cameras were using Acya and Realtek chipsets, if you troll around a bit you can

00:24:21.940 --> 00:24:28.300
 find that the UART and JTAG interfaces for these chipsets are generally documented, I

00:24:28.300 --> 00:24:33.620
 wouldn't say well documented but I would say that they are documented and there are OpenIPC

00:24:33.620 --> 00:24:37.740
 for sure works on the S-cam, I set that up and it works fairly well, there's a lot of

00:24:37.740 --> 00:24:43.740
 the Realtek firmware support for the Yi cameras and some of the Victor cameras and some of

00:24:43.740 --> 00:24:48.620
 the others, so with some digging you can get this set up and working and you can get these

00:24:48.620 --> 00:24:53.060
 cameras to run code that you can actually audit and you know what it does because you've

00:24:53.060 --> 00:24:56.660
 seen the code and you can follow the packets so that would be my suggestion if you're going

00:24:56.660 --> 00:25:01.820
 to chase after any of these devices is do a bit of research, pull down my slides, find

00:25:01.820 --> 00:25:05.920
 some of the devices that use these particular chipsets that you can push your firmware to

00:25:05.920 --> 00:25:10.940
 and not have to deal with some third party vendors firmware and be at their mercy.

00:25:10.940 --> 00:25:19.700
 Yeah, unsurprisingly cameras were probably the most emailed thing that we got, you know

00:25:19.700 --> 00:25:27.180
 obviously vendors wanted you know wanted insight into our homes, baby monitors were up there

00:25:27.180 --> 00:25:34.240
 too, I actually had small kids during the pandemic and had used some of these products

00:25:34.240 --> 00:25:39.240
 as baby monitors so obviously they had to be safe.

00:25:39.240 --> 00:25:46.320
 The other big one was some type of routers, there was mesh routers and Wi-Fi extenders

00:25:46.320 --> 00:25:52.080
 that they were always offering and I think that's pretty obvious too why that was another

00:25:52.080 --> 00:25:55.100
 one that got offered a lot.

00:25:55.100 --> 00:26:02.740
 In this case study this is a mesh force router, the router configuration required a phone

00:26:02.740 --> 00:26:08.300
 to set up, they don't have a web interface for the router and Nmap showed three open

00:26:08.300 --> 00:26:16.860
 ports 5500 which is UPMP, obviously that should be disabled by default to protect security

00:26:16.860 --> 00:26:19.200
 and it wasn't.

00:26:19.200 --> 00:26:26.380
 Port 9000 for the app interface and ports 12598 used for auto configuring the Wi-Fi

00:26:26.380 --> 00:26:29.020
 repeaters.

00:26:29.020 --> 00:26:35.680
 Originally the app used clear text TCP coms over port 9000 to retrieve the serial number

00:26:35.680 --> 00:26:42.660
 and configure the device, the serial number then became an unchangeable password and you

00:26:42.660 --> 00:26:45.460
 weren't able to do anything about that.

00:26:45.460 --> 00:26:54.420
 This is again this is the mesh force router which is still on sale today on online retailers.

00:26:54.420 --> 00:27:00.560
 Also then the Android reached out to a few places, one the router, fine, for some reason

00:27:00.560 --> 00:27:07.920
 it tried to call out to Facebook, I don't know why and then lastly another IP, I wonder

00:27:07.920 --> 00:27:10.620
 what that is, it's China.

00:27:10.620 --> 00:27:18.660
 So this is another case where we were looking at a device that basically was calling out

00:27:18.660 --> 00:27:30.940
 to places to give them access or some type of data and what else went wrong with it?

00:27:30.940 --> 00:27:37.500
 We had an APK of the app, the Android app, so APKs obviously we can expand and dwell

00:27:37.500 --> 00:27:46.220
 into them and when you do that and look at the Java classes with something like JD GUI,

00:27:46.220 --> 00:27:54.300
 we saw references to CGI bin Lucy admin data manager which if you Google it and do some

00:27:54.300 --> 00:28:02.980
 research, this is a possible tender back door which has been everywhere.

00:28:02.980 --> 00:28:11.220
 Here's a couple of articles referencing a tender back door in wireless routers and this

00:28:11.220 --> 00:28:19.100
 is something that is very similar and that's as deep as we went right there because that

00:28:19.100 --> 00:28:24.420
 was enough for me to junk it to be honest and we have a giveaway and we're giving it

00:28:24.420 --> 00:28:35.340
 away but honestly this was a really fun time because we were stuck at home and we had a

00:28:35.340 --> 00:28:42.460
 lot of time on our hands and so we were able to pour all of our time into looking into

00:28:42.460 --> 00:28:46.580
 these products to determine what's safe and what wasn't.

00:28:46.580 --> 00:28:52.980
 Some lessons that we learned, if something is too good to be true, it probably is, right?

00:28:52.980 --> 00:28:56.740
 Always check your hardware that you're buying offline in a safe environment before plugging

00:28:56.740 --> 00:29:04.540
 it into like a production home operations and be wary of online reviews.

00:29:04.540 --> 00:29:08.780
 Research with caution, not all of them are legitimate.

00:29:08.780 --> 00:29:11.180
 So how do you spot fake reviews?

00:29:11.180 --> 00:29:19.780
 Again, all of Matt's and I reviews were then immediately deleted and nuked from the platform

00:29:19.780 --> 00:29:28.380
 but here's how you can spot fake reviews if you're online and if you're looking at buying

00:29:28.380 --> 00:29:29.380
 a product.

00:29:29.380 --> 00:29:32.740
 One, is this a brand you trust?

00:29:32.740 --> 00:29:39.820
 Does it have a trusted name in the industry or is it something you've never heard of before?

00:29:39.820 --> 00:29:46.660
 Some of these vendors would send us emails with different names, different product names,

00:29:46.660 --> 00:29:53.140
 so they were constantly recreating companies and putting a new decal on their product and

00:29:53.140 --> 00:29:55.420
 that was a brand new company for them.

00:29:55.420 --> 00:29:59.940
 So they were switching company names all the time.

00:29:59.940 --> 00:30:02.860
 If you can check user history, do it.

00:30:02.860 --> 00:30:08.900
 Not all platforms allow you to view reviews that a user has left but some platforms do.

00:30:08.900 --> 00:30:13.780
 Some of these online retailers allow you to view other things that this person has reviewed.

00:30:13.780 --> 00:30:14.780
 Check that out if you can.

00:30:14.780 --> 00:30:21.020
 If you see a lot of, well, a lot of reviews frankly on particular products, that could

00:30:21.020 --> 00:30:23.140
 be a red flag.

00:30:23.140 --> 00:30:30.060
 So all of these reviews, the ones that required us to leave a review before a refund, they

00:30:30.060 --> 00:30:32.980
 also required that you left a picture.

00:30:32.980 --> 00:30:38.620
 So I'm not saying that pictured reviews are necessarily more fake but that's something

00:30:38.620 --> 00:30:42.220
 that was like, bare minimum, you had to add it.

00:30:42.220 --> 00:30:43.220
 Yeah, sure.

00:30:43.220 --> 00:30:48.020
 And one other thing is the reviews all had to be five stars.

00:30:48.020 --> 00:30:50.820
 Could be four, had to be five.

00:30:50.820 --> 00:30:55.580
 So be very wary and when we would leave these reviews, we wanted to get our money but we

00:30:55.580 --> 00:30:59.300
 would still write a review that would maybe say, "Hey, here's three good things and two

00:30:59.300 --> 00:31:03.820
 really bad things but I still give it five stars because the good things were so good."

00:31:03.820 --> 00:31:07.740
 So if you see reviews that are like, "This product was great except for this was really

00:31:07.740 --> 00:31:10.180
 terrible but I give it five stars."

00:31:10.180 --> 00:31:12.540
 That was written to get a reimbursement for sure.

00:31:12.540 --> 00:31:17.420
 I had some egregious ones where I'd say, "Here's one good thing and here's six bad things about

00:31:17.420 --> 00:31:24.420
 this product and they still send me the money but I was trying to warn people from getting

00:31:24.420 --> 00:31:26.820
 that particular product."

00:31:26.820 --> 00:31:30.340
 And then the other thing, the time the review has been posted.

00:31:30.340 --> 00:31:32.540
 So this is an industry, right?

00:31:32.540 --> 00:31:33.540
 This is a business.

00:31:33.540 --> 00:31:37.420
 You can go purchase fake reviews online and there are companies out there who will go

00:31:37.420 --> 00:31:42.380
 and they'll find email lists like our names are on these email lists and they'll just

00:31:42.380 --> 00:31:49.660
 spam them and try to get people to do reviews and if the reviews have been posted within

00:31:49.660 --> 00:31:55.300
 a few days, it might be fake because usually companies nowadays, online retailers, they've

00:31:55.300 --> 00:32:03.900
 used reports like Matt and I have been doing and others to actually get pretty good at

00:32:03.900 --> 00:32:09.260
 detecting fake reviews and they'll ban accounts too.

00:32:09.260 --> 00:32:15.000
 They'll ban an account if they see enough fake reviews but usually that's a one or two

00:32:15.000 --> 00:32:20.420
 day process before they can determine, "Hey, is this review legitimate or fake?"

00:32:20.420 --> 00:32:26.740
 And so if you have a review that's less than two days old, good chances are that you want

00:32:26.740 --> 00:32:32.860
 to maybe circle back in a few days and see if it's still there.

00:32:32.860 --> 00:32:35.060
 Now this isn't all doom and gloom.

00:32:35.060 --> 00:32:39.460
 There are good companies that do these kind of things.

00:32:39.460 --> 00:32:41.780
 A good example is Amcrest.

00:32:41.780 --> 00:32:46.700
 Amcrest has actually reached out to people like Matt and I and they've offered a research

00:32:46.700 --> 00:32:50.020
 fee for purchasing their camera and reviewing.

00:32:50.020 --> 00:32:52.140
 They never asked for an online review.

00:32:52.140 --> 00:32:57.100
 They only asked for us to review and send them our feedback, right?

00:32:57.100 --> 00:33:05.380
 And this is an example of a 4K camera that they sent us and the product cost $80 but

00:33:05.380 --> 00:33:11.500
 the research fee was $140, which is another good way to do it.

00:33:11.500 --> 00:33:15.700
 Not only that but we were still able to pass the emails around the cabal and so we all

00:33:15.700 --> 00:33:21.260
 have Amcrest cameras now, which is great.

00:33:21.260 --> 00:33:24.440
 The feedback we gave them we think is valuable too.

00:33:24.440 --> 00:33:28.860
 One of the things that we -- this is a little difficult to see here but hopefully the stream

00:33:28.860 --> 00:33:30.540
 can see it in the videos later.

00:33:30.540 --> 00:33:39.380
 But there's a red -- there's a red lens on this camera and a red lighting area for the

00:33:39.380 --> 00:33:41.600
 infrared at nighttime.

00:33:41.600 --> 00:33:43.600
 The product doesn't actually have it.

00:33:43.600 --> 00:33:44.600
 But the picture has it.

00:33:44.600 --> 00:33:47.780
 So, like, that's something that we were able to call out.

00:33:47.780 --> 00:33:52.500
 When you open the box up, it actually looks a lot cleaner than the picture that they're

00:33:52.500 --> 00:33:54.660
 using for the product does.

00:33:54.660 --> 00:34:00.260
 So we were able to call it out, give them feedback, and that's a good symbiotic relationship,

00:34:00.260 --> 00:34:01.260
 right?

00:34:01.260 --> 00:34:06.740
 Where we're able to give them good and honest feedback but we don't have to then go and

00:34:06.740 --> 00:34:12.580
 leave them a five-star review and inflate their online reviews.

00:34:12.580 --> 00:34:14.860
 That said, I'd be happy to give this a five-star review.

00:34:14.860 --> 00:34:18.780
 It was a good product.

00:34:18.780 --> 00:34:23.460
 Some sources that we didn't mention in the slide deck.

00:34:23.460 --> 00:34:28.300
 KU.NZ, this is a blog.

00:34:28.300 --> 00:34:33.460
 This gentleman actually researched the mesh router before I did.

00:34:33.460 --> 00:34:38.020
 And so a lot of the same things that he found, we found.

00:34:38.020 --> 00:34:39.580
 But that's a good one.

00:34:39.580 --> 00:34:43.580
 Also all the icons that we got are from the noun project and the flat icon.

00:34:43.580 --> 00:34:48.740
 It's all, you know, sourced, free icons.

00:34:48.740 --> 00:34:49.740
 Thank you for your time.

00:34:49.740 --> 00:34:53.540
 And we'll go ahead and take some questions.

00:34:53.540 --> 00:34:55.540
 [ Applause ]

00:34:55.540 --> 00:35:00.500
 >> So, yeah.

00:35:00.500 --> 00:35:02.380
 Thank you a lot for a great talk.

00:35:02.380 --> 00:35:04.420
 The questions are going to be there.

00:35:04.420 --> 00:35:07.180
 So please line up.

00:35:07.180 --> 00:35:13.060
 If you're like want to make the questions from the Internet, the obvious channels from

00:35:13.060 --> 00:35:17.700
 Fediverse and Matrix are taking questions as well.

00:35:17.700 --> 00:35:18.700
 >> Yeah.

00:35:18.700 --> 00:35:22.740
 Can you guys tell me what's the most expensive item you got?

00:35:22.740 --> 00:35:26.020
 >> So there were two things that I got that were kind of noteworthy.

00:35:26.020 --> 00:35:31.220
 I got a robot vacuum that was around $200.

00:35:31.220 --> 00:35:33.900
 And still works pretty well.

00:35:33.900 --> 00:35:34.900
 Don't trust it at all.

00:35:34.900 --> 00:35:36.460
 But it works well.

00:35:36.460 --> 00:35:37.460
 It's in my shop.

00:35:37.460 --> 00:35:39.020
 It cleans the floor out there.

00:35:39.020 --> 00:35:45.980
 And then the other thing that was a little more like $250 US dollars is a DVR system.

00:35:45.980 --> 00:35:48.420
 It had the central DVR.

00:35:48.420 --> 00:35:50.460
 Had to put your own hard drive in it.

00:35:50.460 --> 00:35:52.740
 But then it had five cameras.

00:35:52.740 --> 00:35:58.420
 And the cameras, it was all on between the cameras and the DVR.

00:35:58.420 --> 00:35:59.420
 And it worked really well.

00:35:59.420 --> 00:36:06.820
 But the review that was submitted for that product actually got flagged as fake and got

00:36:06.820 --> 00:36:08.780
 deleted.

00:36:08.780 --> 00:36:14.100
 In the lag time between when I reached out to the vendor to request the refund, they

00:36:14.100 --> 00:36:17.340
 said oh, your review that you sent the screen shot of does not exist.

00:36:17.340 --> 00:36:19.980
 And I was like, ugh, it is what it is.

00:36:19.980 --> 00:36:20.980
 So I had to send that back.

00:36:20.980 --> 00:36:27.220
 But yeah, the vacuum was $200 and the DVR system was around $250.

00:36:27.220 --> 00:36:31.420
 >> The most expensive thing that I got was actually probably that mesh router which was

00:36:31.420 --> 00:36:34.260
 around $200 as well.

00:36:34.260 --> 00:36:41.780
 There was a clear cap on at least when I was going through it on the dollar amount that

00:36:41.780 --> 00:36:44.740
 they would go which was usually $250.

00:36:44.740 --> 00:36:53.580
 If it got above $200, they were very demanding on the type of review and the type of account

00:36:53.580 --> 00:36:56.020
 that you had to have in order to post the review.

00:36:56.020 --> 00:37:01.560
 A lot of these people required that you have an account with that online retailer for over

00:37:01.560 --> 00:37:06.860
 two years before you could post a review on something that was expensive.

00:37:06.860 --> 00:37:11.440
 >> And on the expensive things, like one other thing that we didn't mention is they would

00:37:11.440 --> 00:37:15.540
 have these stipulations like you must have a long standing account, you must have this.

00:37:15.540 --> 00:37:18.340
 But then they would try to sweeten the deal a little bit.

00:37:18.340 --> 00:37:24.300
 They would say and we'll refund plus a 10% commission.

00:37:24.300 --> 00:37:27.160
 A 10% uplift for your trouble.

00:37:27.160 --> 00:37:33.880
 And then sometimes you would tell a vendor, no, that's a lot of work and I can't do that.

00:37:33.880 --> 00:37:37.440
 They would say, well, what if we paid you half up front and then you post the review

00:37:37.440 --> 00:37:38.660
 and we pay you the other half.

00:37:38.660 --> 00:37:43.840
 So they would get really aggressive and try to get you to buy the higher dollar products.

00:37:43.840 --> 00:37:47.320
 >> I got a projector that was about $200 too.

00:37:47.320 --> 00:37:49.280
 And they're sweetening the deal.

00:37:49.280 --> 00:37:51.960
 Was a projection screen which I thought was really good.

00:37:51.960 --> 00:37:53.720
 I was like, oh, yeah, that sounds great.

00:37:53.720 --> 00:37:56.000
 So they sent me a big sheet of paper.

00:37:56.000 --> 00:37:57.000
 >> Okay.

00:37:57.000 --> 00:38:02.280
 We've got to have the next question from there as well.

00:38:02.280 --> 00:38:03.920
 >> Thanks for the talk, guys.

00:38:03.920 --> 00:38:07.720
 My first question is what do you think the main motivation for this type of behavior

00:38:07.720 --> 00:38:08.720
 is?

00:38:08.720 --> 00:38:13.280
 Is it profiteering, e-crime, state sponsored, or is it a mix of them all?

00:38:13.280 --> 00:38:14.280
 >> Yeah.

00:38:14.280 --> 00:38:18.680
 So I think that there, even within what we did, there were multiple motives.

00:38:18.680 --> 00:38:25.120
 I think that like TreatLife was trying to be the number one company.

00:38:25.120 --> 00:38:31.280
 If you would go on online retailers and search for smart home, smart switch, smart dimmer,

00:38:31.280 --> 00:38:33.860
 TreatLife wanted to be the number one product.

00:38:33.860 --> 00:38:38.320
 And the way you get to be the number one search result is by selling the most volume.

00:38:38.320 --> 00:38:42.600
 And selling volume to people who will maybe write reviews but more just selling volume,

00:38:42.600 --> 00:38:43.600
 period.

00:38:43.600 --> 00:38:47.480
 So I think TreatLife was trying to trend in the searches.

00:38:47.480 --> 00:38:53.560
 And I think that maybe other vendors had different motives as far as data collection and marketing

00:38:53.560 --> 00:38:55.360
 and selling data.

00:38:55.360 --> 00:38:57.160
 So I think both.

00:38:57.160 --> 00:38:58.160
 >> Yeah.

00:38:58.160 --> 00:39:01.440
 I think some of the -- so there's an external company, right?

00:39:01.440 --> 00:39:08.120
 There are external companies that actually do -- there's external companies that actually

00:39:08.120 --> 00:39:09.620
 mark -- that do this.

00:39:09.620 --> 00:39:14.000
 And they'll sell and they'll market and they'll get you reviews, et cetera.

00:39:14.000 --> 00:39:17.860
 And what they're -- they're going for profit, right?

00:39:17.860 --> 00:39:23.960
 But if I'm a bad actor and I want my back doors in as many devices as possible, I hire

00:39:23.960 --> 00:39:26.520
 them to then go do that.

00:39:26.520 --> 00:39:30.000
 So there's two different kind of motives I see.

00:39:30.000 --> 00:39:31.000
 But good question.

00:39:31.000 --> 00:39:32.000
 Thank you.

00:39:32.000 --> 00:39:33.000
 >> Okay.

00:39:33.000 --> 00:39:34.840
 We have a next question from the Internet, please.

00:39:34.840 --> 00:39:35.840
 >> Yep.

00:39:35.840 --> 00:39:39.840
 The Internet asks, how can someone start or get involved in such a --

00:39:39.840 --> 00:39:46.640
 >> The first rule of Fight Club is we don't talk about Fight Club.

00:39:46.640 --> 00:39:47.640
 >> Yeah.

00:39:47.640 --> 00:39:51.320
 Good question.

00:39:51.320 --> 00:39:57.340
 >> There are still products that have those types of postcards in them.

00:39:57.340 --> 00:40:03.600
 Maybe just try to find some or maybe send me a note on Twitter and I can help you.

00:40:03.600 --> 00:40:06.920
 >> The postcards are the entry for us.

00:40:06.920 --> 00:40:10.720
 So if you're buying those products, they'll come online.

00:40:10.720 --> 00:40:11.720
 Yep.

00:40:11.720 --> 00:40:12.720
 Please go ahead.

00:40:12.720 --> 00:40:16.880
 >> I had a quick question about you said you were reporting those products sometimes.

00:40:16.880 --> 00:40:20.960
 Was that to the eShops themselves or to some kind of government agency?

00:40:20.960 --> 00:40:23.200
 And did you get any reply from any of them?

00:40:23.200 --> 00:40:24.200
 >> The online retailers.

00:40:24.200 --> 00:40:25.200
 Yeah.

00:40:25.200 --> 00:40:26.320
 The online retailers.

00:40:26.320 --> 00:40:31.240
 And then usually we'd have them deleted and report it.

00:40:31.240 --> 00:40:34.240
 And so the replies were nothing or minimal.

00:40:34.240 --> 00:40:35.240
 >> Yeah.

00:40:35.240 --> 00:40:36.240
 Just automated response generally.

00:40:36.240 --> 00:40:37.240
 >> Yeah.

00:40:37.240 --> 00:40:38.240
 Thank you.

00:40:38.240 --> 00:40:39.240
 We will get back to you.

00:40:39.240 --> 00:40:41.040
 And then we never hear back.

00:40:41.040 --> 00:40:44.120
 Good question, though.

00:40:44.120 --> 00:40:45.480
 >> Okay.

00:40:45.480 --> 00:40:51.920
 We have still time for a couple of questions if somebody has some.

00:40:51.920 --> 00:40:55.440
 If not, please give a huge applause to Adam and Matt.

00:40:55.440 --> 00:40:56.440
 Thank you.

00:40:56.440 --> 00:40:57.440
 >> Thank you.

00:40:57.440 --> 00:41:03.080
 >> And thank you again to the Millieways crew for putting this on.

00:41:03.840 --> 00:41:08.320
 [ Music ]