Leave a bad review? This IoT garage door opener maker may brick your device

Well, that’s one way to create excitement in the market…

Leave a bad review? This IoT garage door opener maker may brick your device

The maker of an Internet of Things (IoT) garage door opener bricked a customer's device after they posted a negative review on the product's forum board.

First a little background. In the spotlight is a device known as Garadget.

According to its Indiegogo page, Garadget communicates with its cloud server via a user's Wi-Fi network. It attaches to the bottom of a regular garage door opener. From this position, it can supposedly open and close a garage door when a user issues a command using the corresponding Android or iOS app by beaming a laser off a reflective pad.

Here's a promo for the device:

The developer of Garadget is a man named Denis Grisak. He says he "traded most of [his] spare time and personal budget for the excitement of designing a new product." It's therefore no surprise he's enthusiastic about the device's public release.

Even so, that's no excuse for how Grisak treated one customer.

On 1 April, a user by the name of R Martin left the following review on Garadget's community forum:

"Just installed and attempting to register a door when the app started doing this. Have uninstalled and reinstalled iphone app, powered phone off/on - wondering what kind of piece of shi* I just purchased here... [censorship added]"

That same day, he left a bad review of the device on Amazon. He wasn't the only one. Other Amazon users left equally poor reviews of Garadget weeks and months before he did.

Bad amazon reviews

But that apparently didn't stop Grisak from taking Martin's reviews personally.

In response, Grisak left this response on the community board:

"Martin,

"The abusive language here and in your negative Amazon review, submitted minutes after experiencing a technical difficulty, only demonstrates your poor impulse control. I'm happy to provide the technical support to the customers on my Saturday night but I'm not going to tolerate any tantrums.

"At this time your only option is return Garadget to Amazon for refund. Your unit ID 2f0036... will be denied server connection."

The device needs to communicate with the cloud server to work. By denying access to those servers, the Garadget grump "bricked," or rendered as useless as an expensive brick, Martin's unit. That's bad enough. In posting his response, however, Grisak forgot that the rest of the web was watching. Within no time, his post had gone viral on Hacker News and had received thousands of retweets on Twitter.

It's no surprise we're now seeing product reviews like this one:

"Would normally have recommended this device but unfortunately this device relies on manufacturer's cloud services and if you do something trivial to piss off the manufacturer they will brick your device. Look elsewhere."

Grisak's device isn't unique in being buggy. As we all know, most IoT products act up and/or suffer from vulnerabilities. (Some worse than others.) But customer relations can make or break a company, especially when exchanges are publicly available on the web. It looks like Garadget's developer is learning this the hard way. Let's hope other manufacturers don't make the same mistake.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

3 Responses

  1. Clifford Ross

    April 7, 2017 at 12:12 am #

    Where's the follow up article about Amazon dropping this guy's products because of what he did in response to a bad review. ? Or any response from Amazon.

  2. Arnold Schmidt

    April 8, 2017 at 4:01 pm #

    One aspect if this bricking hasn't been talked about. If the owner who complained hadn't managed to change or set the password, then I assume Grisak accessed the device just using it's IP and fed it some "hidden" set of instructions to disable it. On the other hand, if the password had been changed then I suspect that he had to access it using a hidden telnet port that uses a fixed, programmed in password in order to brick it. If this is the case, I personally wouldn't buy any device from this company because, like a lot of IoT devices, the telnet port makes it supremely vulnerable to being hacked by just about anybody. Is there any more info on how he got into the device to brick available?

    • Vasili Arkhipov in reply to Arnold Schmidt.

      April 26, 2017 at 8:02 pm #

      It sounds like Grisak identified the device being used by the individual who posted the scathing review and blocked incoming connections on the server. Per the article, as the device is dependent on the cloud service, blocking access to the cloud service is the same as bricking the device as it is rendered useless.

Leave a Reply