35C3 preroll music
Herald: And I have one last announcement before
we begin this talk. This is a personal
announcement to whoever slapped this
sticker saying "for rectal use only" onto
my microphone.
loud laughing
Microphones are not supposed to be used
this way.
applause
Please trust me. I am very familiar with
microphones.
laughing
I know how they are supposed to be used.
However our next speaker is going to tell
you about things that are supposed to be
used this way and about how to secure and
protect those things. So please welcome
the honor and the talk you all came here
to see. The Internet of dongs. A round of
applause.
applause
Okay so hello everyone. My name is Werner.
I'm working for SEC Consult as an IT
security consultant. And besides
penetrating all the things at SEC
Consult's vulnerability lab, I have been
studying information security for the last
five years at the University of Applied
Sciences St. Pölten back in Austria and
about a year ago I was facing a massive
challenge. Some people might know this
challenge. This challenge was to select a
proper topic for my master's thesis.
loud laughing
You might know there are always those
predefined topics by the universities.
Some of them are quite interesting. They
are taken - yeah - most of the time quite
fast by the other students and you are
left with the boring topics and I thought
to myself, I don't want to stress myself, I
just want to define a topic by myself. And
that was the challenge. So the first thing
I did to get a better overview of the
topics was to take a look at the topics my
colleagues have chosen and created a word
cloud out of that. So we have basically
all the interesting topics there we have
bitcoins, we have GDPR, we have cyber
cyber cyber, we have DevOps management,
malware. But some of you might have
already noticed it. There is one topic
missing in my colleagues' theses which is
very very important in the year 2018 and
that's the Internet of Things. So I guess
I don't have to explain here at the
Congress what the Internet of Things is.
It's basically the interconnection of all
the devices which were analog a few years
ago, with each other and even worse over
the Internet. I thought maybe I can
combine the knowledge gathered at SEC
Consult and conduct a penetration test in
this Internet of Things. The problem here
is still there are like millions of
products and I just have to write one
thesis, so I have to select one
subcategory in this Internet of Things to
conduct a penetration test on. Of course
the first thing which came to my mind
were smart home devices. We already had a
lot of interesting talks about smart home
devices. There are like smart coffee
machines, smart lawnmowers, light bulbs,
thermometers and stuff like that. But this
category has two problems. So, first of
all there is already a lot of research
done. And the other problem is the impact.
So, I don't want to downplay the
vulnerabilities which were found there,
but when there are vulnerabilities found I
mean, yeah, if there is a DDoS on your
lawnmower you can just go out through your
garden and mow the lawn yourself. It's
not that big of a deal. So I thought I
have to select a subcategory where the
impact is a little bit more critical. And
I came up with the following devices. So,
for example: Smart dolls. There was this
doll Cayla. Some of you might know it.
Someone found out that it has a built in
microphone and the data was sent to some
dubious service in some dubious countries
and it was even declared as an illegal
telecommunication device. It had to be
destroyed. Or there is a lot of
interesting research at baby monitors. A
colleague of mine wrote a very interesting
blog post, you should take a look at it.
Or devices which affect our body. So, for
example smart pacemakers. They were
developed by St. Jude Medical, that's the
biggest manufacturer of pacemakers in the
world. And they built a pacemaker which is
programmable via Bluetooth. But yeah, they
forgot authentication, which is quite a
big of a problem when everyone is able to
reprogram your pacemaker. So as we can
see, in these categories the impact would
be quite critical but there is again a lot
of research done. So the deadline was
coming closer and closer. I had to hand in
some kind of topic for my master's thesis. I
was doing a lot of brainstorming with
myself and then suddenly it came to my
mind. There is one category out there
where the impact would be very critical.
And there is not a lot of research done
and that's the Internet of dildos. So
that's basically the integration of sex
toys into the Internet of Things where we
interconnect the dildos with each other
and over the Internet. But before I'm
going to show you what I've found in this
internet of dildos, we have to talk about
history, because you might think now
that's something new. But that's not true
because the Internet of dildos as we know
it is existing for about 50 to 60 years.
And as always when there are new
inventions or interesting ideas, they
first appear in movies and that also
applies to the Internet of dildos. So,
those are quite old movies, we have for
example Barbarella or Flash Gordon or
Orgazmo. And in those movies, those are
real movies - it's not a joke.
laughing
The Internet of dildos appeared first in
these movies. So for example in Barbarella
the evil guy used a device called the
Orgasmotron to cause such high levels of
arousal in humanity as to kill people. So
basically the Internet of dildos was in
the 60s and 70s a weapon of mass
destruction
loud laughing
and not the weapon of mass pleasure, as it
should be. So a few years later a whole
research area was formed. This research
area is called teledildonics and that's
also not a joke again.
laughing
And it was first mentioned by Ted Nelson.
He is a technical philosopher and he coined
quite well-known terms like Transclusion,
Virtuality and Intertwingularity and
Teledildonics. And he mentioned this term
at first in a book called Computer
Lib/Dream Machines. Very interesting book
by the way. You should read it. And in
this book he did interviews with people
who had yeah innovative and interesting
ideas for the time but the technology was
just not ready yet. He did an interview
with a guy called How Wachspress and How
Wachspress developed a device or had the
idea for a device called auditac. When you
Google for auditac you find quite an
ancient website called auditac.com. And
when you dig a little bit deeper you can
find out that he's still looking to find a
manufacturer to sell his sonic stimulator.
Sounds already quite interesting and he even
has a patent and a small graphic for it.
So it's basically a radio with one input
and two outputs. One input of course the
antenna and the two outputs are one for
the headphones and the other output is for
this sonic stimulator, which is inserted
from below in the human life-form.
laughing
You even can find the patent on Google
Patents and he writes there in his
abstract: Random or controlled
electronically synthesized signals are
converted to sound waves that are directly
coupled to the skin of a life form, yeah
such as a human body for example, to
stimulate the skin or internal portions of
the life-form. So as we can see the ideas
were there, but the technology was just
not ready in the 1970s and 1980s, but now
we're in the year 2018 and we are
definitely ready for penetration testing
the Internet of dildos. And before I'm
going to talk about the test devices and
the vulnerabilities, I'm going to make a
promise now. I will try to keep this as
serious as possible. I will try to keep
the, I will call it the IPM, innuendos
per minute, as low as possible. Yeah, and
now I just want to talk about the test
devices because those are very important.
So I selected three test devices for my
master's thesis. On the right side we have
the - that's not a joke again -
Vibratissimo Panty Buster. That's the real
name.
laughing
In the middle we have the MagicMotion
Flamingo and on the left side we have the
RealLove Lydia. So the devices on the left
side and in the middle have one thing in
common. They are manufactured in China.
The device on the right side is
manufactured in Germany. So, I have to
admit I was a little bit biased because I
thought I am going to take a look at the
Chinese devices first, because there will
be a lot of low hanging fruits. Question
to the audience now: Who believes that I
found most of the vulnerabilities in the
Chinese devices? Raise your hand.
laughing
Who believes that I have found most of the
vulnerabilities in the German device? Who
believes that I have found vulnerabilities
everywhere?
loud laughing
Yeah you're basically all right. But when
I took a look at the German device, I
found so many really really critical
vulnerabilities that I immediately stopped
there and wrote my whole thesis about the
Panty Buster.
laughing
Okay, so the Panty Buster itself is just
one product out of a whole product line. I
just bought the Panty Buster because it
was the cheapest one. They are basically
all using the same backends, the same iOS
and Android apps. And yeah, the Panty
Buster is basically a device which is
connected via Bluetooth to a smartphone
and it can be used for example for long
distance relationships. But there is way
more behind those apps, because there's
like a whole social media network built
in. You can make group chats
laughing
You can create image galleries, you can
maintain friends lists.
loud laughing
Yeah, that's real. That's real. It's not a
joke.
applause
Yeah. And now we're going to analyze this
Panty Buster and take it down to the last
parts. Yeah we're going to analyze the
software. I'm going to tell you a little
bit about the transport layer and the
hardware of course. So I'd like to start
with the software. So, the first
vulnerability we have to talk about is
so-called information disclosure. So
you might think nah boring, just some
random version numbers. Yeah that's true
most of the time information disclosures
are boring. But in this case it's really
critical because I found a so-called
.DS_Store file in the web root. A .DS_Store
file is basically a metadata file which
is created by the macOS Finder and it
contains a lot of metadata, like file and
folder names. So when you find such a file
in a web root you have basically a side
channel directory listing. This .DS_Store
file has a proprietary format but as for
all problems in life, there is a Python
module to decode it. Yeah. And I decoded
that .DS_Store file and I was presented
with the following contents. So it's
basically a side channel directory listing
of the web root. There are a lot of
interesting files and folders so for
example: old page example, I have no idea
why it's there in the production
environment. There is a database folder
but the most interesting folder is the
config folder. So when we go to the
config folder, there was real directory
listing enabled and there was one file in
there and it was called config.php.inc
with the following contents. So basically
I had now access to the database hostname,
the database names, usernames and
passwords. The problem now was that, as we
can see, the database host is just
localhost, so there might be a chance that
it's not directly reachable via the
Internet. And we have to find the
so-called exposed administrative interface to
connect to the database. Yeah of course
the first thing I did was to do a
portscan.
laughing
applause
A lot of interesting ports. Sadly no SQL
ports. But some of you might remember
this, let's call it weird brown orange web
application, called phpMyAdmin and I found
a subdomain which contained the phpMyAdmin
installation and I was able to use those
credentials to connect directly to the
database and get access to all the data.
applause
So I basically had access now to the real
life addresses, to messages in clear text
which were exchanged, images, videos and a
lot of other stuff. So, yeah. And what
hurt me the most was the following slide,
because the passwords were stored in clear
text and that's really not necessary in
the 21st century. Okay. So in real life
about 30 minutes have passed by
loud laughing
and I tried to do a write up as fast as
possible and submitted it to the German
CERT-Bund. And yeah a few minutes later, I got
a really interesting call from the German
CERT-Bund. They told me that they had already
informed the manufacturer and they're
already trying to fix those problems. So
my problem was now that I still had to
write my master's thesis and I just have
content for about 30 pages now and I need
like a hundred pages. So I did a little bit
of more research and found way more
vulnerabilities of course. And the next
vulnerability I'm going to talk about is
the so-called Insecure Direct Object
Reference. Sounds cryptic, but it isn't.
It's basically always a vulnerability
which is consisting of two sub problems.
So the first problem is, when someone
uploads resources to a backend those
resources are most of the time renamed, to
like a random string which shouldn't be
guessable. The first problem would be if
it would be guessable. But the second
thing is, there should be authorization
checks in place. So if someone is able to
guess those unique identifiers, there
should still be some like process which
should check if the user should even be
able to download these resources. And in
this case, yeah, it was just really easy
to guess the identifiers and there was no
authorization whatsoever. And I had to
learn this the hard way, literally. There
is a feature in the smartphone apps,
called galleries. So you can create
galleries, you can set the visibility to
no one is able to see it, just your
friends are able to see it, everyone is
able to see it. You can even set a
password on those galleries. Yeah. And
just for a test I created a gallery with a
few cats and when you request the gallery,
you see the following request. It's
userManager.php blah blah blah username
password and some ID. And I thought maybe
I should change this ID. And I was
presented with a dick pic.
laughing
Yeah, the problem behind this is quite
easy. Everything which is stored on the
server is renamed to a global counter. The
global counter is incremented by one after
every upload. And there are no
authorization checks whatsoever, because
the images are just stored on a server, so
it doesn't matter if you set a password or
set the visibility. That's just nonsense
to do. OK. So the next vulnerability. Yeah
I call it improper authentication. To be
honest it was just a weird authentication.
At SEC Consult I already saw a lot of
different ways of implementing
authentication. Some are good some are
bad, but it can be fixed. But in this case
it was just weird, I've never seen
something like that. It's basically like
HTTP basic authentication but a little bit
worse.
laughing
So normally authentication works as
follows. You're sending a username and
password to a server and if this process
is successful you get some kind of
authorization information like a cookie or
an API token. You can use this cookie or
API token to authorize all the other
requests. In this case every request
contains just username and password in
clear text to authenticate the
requests. That's just weird to be honest.
And also if your password is compromised,
it will also mean that you have to change
your username because it's part of the
authentication information. So weird,
weird implementation. Okay the next
vulnerability is called the remote
pleasure version 1.0. It's 1.0 because
there is a 2.0.
laughing
There is a feature in those apps where you
can create remote control links. They can
be sent via SMS or email and everyone who
is in possession of those links can
directly control the devices. There is no
extra confirmation needed. We'll take a
look at the email now. There is a button
in the email called Quick Control and
there is an ID again. Yeah the thing is
it's just a global counter again. And what
an attacker can do now is download the
app, create his own quick control link,
decrement the ID and pleasure just random
strangers on the Internet.
applause
Okay I will show you guys a video now,
where I'm doing exactly that.
laughing
So when the video is going to start...
It's going to start, perfect. On the right
side we're going to see an attacker device
which is just connected to the normal
mobile network. And the attacker creates
his own quick control link and decrements
the ID. On the left side we can see
another smartphone which is connected to
Wi-Fi, to have Internet access and via
Bluetooth, to the smart sex toy. This
attacker device should now be able to
control - yeah, you can see that now, in a
few seconds. That's just what I explained.
silence
laughing
There is no confirmation whatsoever so you
can directly control all the devices.
Okay, I have to stop talking about
software now. There is a lot more like
cross-site scripting, HTTPS problems, outdated
software, but there is not enough time
left now so we have to talk about the
transport layer. Before I'm going to tell
you something about the vulnerabilities I
have identified, I will tell you something
about Bluetooth Low Energy in general,
security basics and how authentication and
encryption works on a very high level. So
you can imagine that Bluetooth Low Energy
basically works like a web API. So it's
very high level explanation. You have API
endpoints. Those are the service
characteristics and you have properties
where you can read and write to. So for
example the device name can be read or
written to change the device name. There's
also a lot of other characteristics which
will be very important when it comes to
remote pleasure version 2.0 a little bit
later. So that's a very high level
explanation, I know, but we don't have
enough time left. Talking about the
security basics: Bluetooth Low Energy is
using AES-CCM, that's Counter with CBC-MAC.
That's basically considered secure but as
we know, security also depends on the key
material and the key exchange. In
Bluetooth Low Energy the key exchange is
defined by the pairing methods. For
Bluetooth Low Energy we have five pairing
methods. We have just "No Pairing". So
yeah we basically throw packets into the
air and if a device is nearby it tries to
do something with those packets. We have
"Just Works", we have "Out of Band
Pairing", "Passkey" and "Numeric
Comparison". I don't have to tell you the
details now. You all know those. It's
numeric comparison, where we compare
numbers to exchange the key material. You
have the Passkey, which is yeah like
always 0000 or 1234. We have Out of Band
Pairing, where the key material is
exchanged via NFC for example and we have
Just Works, that's really secure, where
the key is just set to zero and can of
course be brute forced with ease, but it
just works of course. So out of those five
methods, what does the audience think the
sex toy is using? Is it using no pairing?
Raise your hands. Is it using any of the
other more or less secure methods? Yeah.
It's using no pairing.
laughing
That means that the Android and iOS apps
just throw the packets into the air and if
a device is nearby, it starts to vibrate
laughing
and that's of course easily exploitable
you can just sniff the real traffic and
repeat it. I did exactly that using a
so-called Bluetooth Low Energy sniffer. I
used a Bluefruit device, it works very
well and I placed it between the sex toy
and the smartphone app. I sniffed the
traffic using Wireshark and I found some
interesting end points or handles. There
is the 1F handle which is like an
initialization handle and there is the
handle 25, where you can send values from
00 to FF to set the vibration intensity.
Yeah and now it's time for a little bit of
War-dildoing. I wrote a small Python proof
of concept which basically scans the air
for Bluetooth Low Energy devices. If it
finds a device, it tries to find out if
it is a sex toy and if yes, yeah, it
basically turns it on to 100%, to
FF.
laughing
So the next thing I want to talk about is
not that funny. So please don't laugh now
because when we released this, a lot of
people on Twitter asked "Is this rape?",
so serious topic. For example the evil
attacker is using my War-dildoing script
in the metro, in the U-Bahn in Vienna. And
he would just pleasure random strangers.
Is this rape? In Austria we have two
different things. We have rape and sexual
assault and they have two preconditions.
So that's violence - eh three
preconditions. We have violence, threats
or deprivation of liberty, which is just
not the case in this scenario. But we have
a special paragraph called, phew, that's
really hard to translate. It's called
the Po-Grapsch paragraph. I know that's a
little bit different in Germany and I'm
not a law expert so I just kept to the
Austrian laws, which could be verified by
jurists. According to this paragraph this
would be an unwanted sexual act, via a
third party object. So it's not rape, but
it's an unwanted sexual act. Okay. The
hardware. Last but not least. The biggest
problem is that firmware updates are not
possible. That was confirmed by the
manufacturer. The problem here is a lot of
vulnerabilities can just be fixed by doing
firmware updates and the manufacturer came
up with the idea, that the end users can
send in their smart sex toys to do a
firmware update and I'm quite sure that
nobody's sending in their used devices to
conduct a firmware update. The other
problems are debug interfaces. They just
forgot to remove or deactivate the
serial interfaces on the sex toys. It's
just really easy to extract the firmware
and do a little bit of more research on
the firmware. Okay. So you might now think
I still want to use smart sex toys. What
can I do? Yeah the tin foil is not
working.
loud laughing
applause
But there are a lot of interesting open
source projects out there. So first of all
the most famous project is the Internet of
Dongs project. There is a really
interesting person behind that. He's
called RenderMan. You can find him on
Twitter. He invented this project to make
this whole Internet of Dongs a little bit
safer. And he's doing like penetration
tests and stuff like that and he's even
handing out DVEs. So that's the equivalent
to CVEs. Then we have buttplug.io and
metafetish. They are developing open
source firmwares for a lot of different
sex toys and they're independent from all
the manufacturers. And there is also
something called Onion Dildonics
laughing
which has the goal of rerouting all the
smart sex toy traffic over the Tor network
to make it a little bit safer.
applause
OK. There is one more thing. I had a lot
of calls together with the manufacturer
and the German CERT-Bund. And one call was
outstanding because we were discussing the
remote pleasure vulnerabilities. And we
tried to explain to the manufacturer that
it's not good that you can basically out
of the box pleasure everyone on the
Internet or if you're nearby. We told them
that it should be at least like an opt in
feature, where you can switch on this
feature in the apps, but the manufacturer
said no that's not possible because, at
least they believed that, most of our
customers are in swinger clubs and you
don't know beforehand who is in the
swinger club. So there is just no opt-in
in a swinger club, because you're basically
always in. Thank you.
applause
Herald Angel: Secretary of Education, you
are now taking questions. We have five
microphones, two in the front and three in
the back. So please line up and ask
whatever you want. So apparently people on
Twitter are engaged in a drinking game
where they were drinking every time you
said penetration testing.
loud laughing
applause
Herald: In the meantime we have a question
from microphone number two.
Question: Did you come across anything
with the patent trolls in teledildonics?
Answer: I came across what, sorry?
Q: Patent trolls. There is an issue with
the teledildonics patent and some
companies have been threatened to go out
of business because of frivolous lawsuits.
A: Yes. Yes, there was, I guess it was
called the teledildonics appreciation day
in August because the patent ended. So you
can basically use the term wherever you
want.
Herald: Thank you. Microphone number three
please.
Q: So this was very funny obviously. And
you showed us the really low hanging
fruit. On the website in the database you
would have been able to see the social
graph of the users. I don't know if you
have managed to look at other devices. Can
you elaborate a little bit more on
something that I believe is more serious,
which is the profiling of users' behavior,
social networks and so on?
A: So of course I didn't take a look at
all the data because it was so critical in
my opinion, that I directly contacted the
CERT-Bund. So I can't give you any
information about the data of course. I
also took a look at like things like
tracking and stuff like that and in this
case there was not a lot of tracking going
on at the German sex toys. But when you
compared it to the Chinese sex toys, there
is way more tracking and stuff like that
going on. But I didn't take like a
detailed look into that.
Herald: Thank you. Thank you again for
the educational and entertaining talk
and hopefully a lot of rounds of applause.
applause
35c3 postroll music
subtitles created by c3subtitles.de
in the year 2019. Join, and help us!