[HN Gopher] Bad Smart Watch Authentication
___________________________________________________________________
Bad Smart Watch Authentication
Author : _Microft
Score : 92 points
Date : 2025-02-09 18:18 UTC (3 days ago)
(HTM) web link (sprocketfox.io)
| arijun wrote:
| I wish there was a concept of paid expert reviews on
| Amazon/everywhere. A general review system works well (ignoring
| review gaming) when your concern is "Does this shirt fit?" or
| "What's the build quality?", but fails when one expert review of
| "This device is fundamentally unsound," gets drowned out by
| reviews on the more easily testable aspects ("The band is really
| comfortable!").
|
| A great example would be when Benson Leung was testing USB-C
| cables on Amazon to see which were standards compliant.
| ge96 wrote:
| In my experience too when posting a negative review it can get
| removed (this was about replacement batteries for Lenovo
| laptops).
| fph wrote:
| We need to use Unicode steganography to hide the message
| "this smartwatch sucks" into an innocent-looking review.
| scblock wrote:
| How does this help anyone?
| gr3ml1n wrote:
| The suggestion is that negative reviews are suppressed.
| Communicating a negative review through a facially
| positive review would help avoid that.
| 6LLvveMx2koXfwn wrote:
| But this is a negative review that is literally _not
| hidden_, to the extent that it is being discussed openly
| on a site about a completely unrelated topic.
| redleader55 wrote:
| Apparently something similar is used by Chinese customers
| reviewing restaurants. They would make a food sign from
| food pieces that spells "crap food" in slang, but otherwise
| leave a stellar review for the restaurant.
| barbazoo wrote:
| It sounds like they're hesitant to leave a bad review,
| why is that?
| DecentShoes wrote:
| I had a review removed on Amazon for mentioning that the
| company bribed me for a fake positive review.
| HnUser12 wrote:
| Isn't Amazon Vine paid review?
| CrazyStat wrote:
| Vine is compensated with free products to review, but I don't
| think they're paid beyond that.
|
| They are also not experts, generally.
| HnUser12 wrote:
| Ah ok, thanks!
| michaelt wrote:
| I considered doing this once, a few years ago, but I couldn't
| figure out a way to make it work.
|
| It's pretty frustrating that when you're shopping for a laptop,
| nobody can tell you it'll suspend properly under Linux. Or when
| you're shopping for a bike light nobody can tell you whether
| over the summer it'll self-discharge to the point it bricks
| itself due to cell imbalance. Or when you're shopping for a
| microsd card, nobody can tell you.... you get the picture.
|
| But to produce honest reviews, I couldn't accept free review
| units, kickbacks or affiliate money. And people shopping for
| laptops and bike lights don't need a $$$-per-month subscription
| to my newsletter/channel/patreon, they just need a few yes-or-
| no answers.
|
| And there's a huge amount of churn in products on sites like
| Amazon; you wouldn't just pay for 40 bike lights, review them
| all, and solve the problem forever. Different models and brands
| appear all the time.
|
| And even then, just because when I reviewed that microsd card
| and found it had great performance, nothing stops the
| manufacturer substituting cheaper components later on, without
| changing the part number; it's not like there was a
| specification _promising_ the performance I observed in my
| review.
| mansandersson wrote:
| I get your point. But ever so often you stumble upon someone
| actually doing exactly that within their particular interest
| domain, such as the guy in the Netherlands who buys and tests
| bike lights
|
| https://swhs.home.xs4all.nl/fiets/tests/verlichting/index_en.
| ..
| ThinkingGuy wrote:
| TornadoGuard: https://xkcd.com/937/
| thrownblown wrote:
| Project Farm!
| pirates wrote:
| Seconding this, Project Farm absolutely rules. I'm not the
| target demographic for probably half the stuff he reviews but
| I'm always impressed with his videos.
|
| That said I'm a little curious if any kind of Gell-Mann
| effect is going on since he never reviews products that I
| already have extensive experience with. I'm wondering if
| anyone has watched any of his reviews and come away feeling
| like he did a really poor job.
| WorldMaker wrote:
| Find a business model for Consumer Reports that better fits
| this century and add things that should be obvious like "Search
| by ASIN" to their website?
| asynchronousx wrote:
| Great writeup, didn't expect "bad authentication" to actually be
| _zero_ authentication, that's absurd.
| mightysashiman wrote:
| Now if one could do some reverse engineering on Garmin watches
| and enable an open-source alternative to Garmin Connect, that
| would be marvellous.
| ulf-77723 wrote:
| What's wrong with Connect from your perspective? My only
| concern with it is that it's slow
| cge wrote:
| One problem with it is it requires a constant network
| connection for everything, which is baffling for software
| designed for devices where major intended uses involve being
| in situations with poor or no network connection.
| barbazoo wrote:
| Do you need Connect to use the device though? I was under
| the impression Connect is used for sync.
| saltcured wrote:
| You can't do things like sync the watch to the phone and
| look at visualizations on the bigger phone screen while
| you're offline.
|
| It's weird how much they still maintain a difference
| between a "fitness" watch and an "outdoors" watch and the
| supporting software.
|
| It's the silly bifurcation between Garmin Connect and
| Garmin Explore software and online service worlds. It
| seems like an arbitrary accident of corporate history and
| leaky abstractions.
| rft wrote:
| Garmin watches are partially supported by Gadgetbridge [1]. I
| have not used it, but it seems to at least support basic data
| for many Garmin watches.
|
| [1] https://gadgetbridge.org/gadgets/wearables/garmin/
| m463 wrote:
| I would love to be able to update firmware on my Garmin watch,
| but I think that's all tied up in Connect (which I don't use)
| somehow.
| cogman10 wrote:
| Now, I'm not going to say this is great, but honestly it seems
| pretty close to a "who cares?" situation.
|
| We are talking about a device with no internet connection that
| can only be accessed by someone in the same proximity to
| yourself.
|
| Perhaps don't buy this watch if you live in a crowded location
| and take public transport a lot. For everyone else, seems really
| unlikely that the people you interact with will have set up a
| malicious attack for your watch brand. I don't think wardriving
| smart watches is a thing.
|
| I'd only suggest that if the watch supports putting a credit card
| on it that you rethink doing that.
| throitallaway wrote:
| I get a little nervous about my Pixel watch. None of those
| watches have been updated since November and there are likely
| some juicy CVEs hanging out on them.
|
| https://developers.google.com/android/ota-watch
| PostOnce wrote:
| "My watch is a security risk and my refrigerator uses 3
| gigabytes of data a day."
|
| "I can't access my todo list because azure is down"
|
| We should go back to analog. We're wasting our time.
___________________________________________________________________
(page generated 2025-02-12 23:01 UTC)