Our Time in a Product Review Cabal: And the malware and backdoors that came with it.
2023-08-16, Milliways
Language: English

What did you do during the pandemic? We started a Product Review Cabal. Follow our journey from getting a postcard in a product box to us exhausting all of our many online retailer sock accounts. We’ll teach you how we got free packages nearly every day… but there’s a catch. Most of the products arrive with malware, backdoors, or glaring vulnerabilities.

In our talk, we plan to detail a subset of these vulnerable products, how to detect issues, and how to mitigate them. From cameras to light switches, from routers to vacuum cleaners, the product list is expansive. There’s nothing these vendors won’t copy, and nothing they won’t offer up for reviews. The story is a good conversation starter, but be sure to stay for the tear-down and technical analysis. A blend of social engineering, hardware hackery, and software vulnerabilities - this discussion has something for everyone!


  1. Introduction
  2. Speedy (free) delivery!
  3. Other Vendors?
  4. Escalation
  5. Can I Bring a Friend?
  6. But what about the products? Too good to be true?
  7. Scanning and analysis showed vulnerabilities left and right.
  8. So, how do we fix it and make this stuff usable?
  9. Oh and there was some really weird stuff offered (if time allows)...
  10. Things start to go sideways...
  11. Conclusion
  12. And yes, we deleted our reviews.

Content Notes

Fake Reviews
Chinese Products

Adam Schaal is an Application Security manager at a large online retailer with an extensive background in both development and application security. He has experienced both sides of making and breaking applications. Adam enjoys contributing to information security projects such as the CTF platform redctf and the malicious cable implant O.MG-Cable. He is also very active in his local security community as a founder of Kernelcon, a mid-size information security conference, and DEF CON 402.

Matt Virus (real name) is an IoT engineer @ Cisco (15+ years), an above-average father of 2, a farmer, a fan of loud angry rock music, and a hardware junkie with tons of experience with build/hack projects. Whatever “it” is — it can be disassembled and examined…it can be made more secure, more functional and more useful. No fear of burned fingers, desks set on fire, or escape of the magic smoke here. Former DoD forensic/malware analyst, believer in local control and auditability of software/firmware. Lover of all things containerized and API-enabled, blackbelt in google-fu, passionate about facilitation, enablement, and helping people reach beyond their technical comfort zone. Founder of hackspace.io.