WEBVTT

00:00:00.000 --> 00:00:18.279
35C3 preroll music

00:00:18.279 --> 00:00:22.850
Herald: And I have one last announcement before we begin this talk. This is a personal

00:00:22.850 --> 00:00:27.850
announcement to whoever slapped this sticker saying "for rectal use only" onto

00:00:27.850 --> 00:00:30.710
my microphone. loud laughing

00:00:30.710 --> 00:00:34.450
Microphones are not supposed to be used this way.

00:00:34.450 --> 00:00:42.440
applause

00:00:42.440 --> 00:00:46.019
Please trust me. I am very familiar with microphones.

00:00:46.019 --> 00:00:51.629
laughing I know how they are supposed to be used.

00:00:51.629 --> 00:00:57.929
However, our next speaker is going to tell you about things that are supposed to be

00:00:57.929 --> 00:01:06.340
used this way and about how to secure and protect those things. So please welcome

00:01:06.340 --> 00:01:12.260
the honor and the talk you all came here to see: The Internet of Dongs. A round of

00:01:12.260 --> 00:01:21.790
applause. applause

00:01:21.790 --> 00:01:27.000
Okay, so hello everyone. My name is Werner. I'm working for SEC Consult as an IT

00:01:27.000 --> 00:01:33.140
security consultant. And besides penetrating all the things at the SEC

00:01:33.140 --> 00:01:38.200
Consult vulnerability lab, I have been studying information security for the last

00:01:38.200 --> 00:01:44.490
five years at the University of Applied Sciences St. Pölten back in Austria, and

00:01:44.490 --> 00:01:49.520
about a year ago I was facing a massive challenge. Some people might know this

00:01:49.520 --> 00:01:54.800
challenge. This challenge was to select a proper topic for my master's thesis.

00:01:54.800 --> 00:02:01.530
loud laughing You might know there are always those

00:02:01.530 --> 00:02:06.549
predefined topics by the universities. Some of them are quite interesting.
They

00:02:06.549 --> 00:02:10.970
are taken - yeah - most of the time quite fast by the other students and you are

00:02:10.970 --> 00:02:15.760
left with the boring topics, and I thought to myself, I don't want to stress myself, I

00:02:15.760 --> 00:02:21.239
just want to define a topic by myself. And that was the challenge. So the first thing

00:02:21.239 --> 00:02:25.690
I did to get a better overview of the topics was to take a look at the topics my

00:02:25.690 --> 00:02:29.990
colleagues have chosen and create a word cloud out of that. So we have basically

00:02:29.990 --> 00:02:34.510
all the interesting topics there: we have bitcoins, we have GDPR, we have cyber

00:02:34.510 --> 00:02:41.460
cyber cyber, we have DevOps management, malware. But some of you might have

00:02:41.460 --> 00:02:46.860
already noticed it. There is one topic missing at my colleagues' theses which is

00:02:46.860 --> 00:02:53.629
very, very important in the year 2018, and that's the Internet of Things. So I guess

00:02:53.629 --> 00:02:57.500
I don't have to explain here at the Congress what the Internet of Things is.

00:02:57.500 --> 00:03:01.900
It's basically the interconnection of all the devices which were analog a few years

00:03:01.900 --> 00:03:09.099
ago, with each other and, even worse, over the Internet. I thought maybe I can

00:03:09.099 --> 00:03:13.720
combine the knowledge gathered at SEC Consult and conduct a penetration test in

00:03:13.720 --> 00:03:18.019
this Internet of Things. The problem here is still there are like millions of

00:03:18.019 --> 00:03:22.019
products and I just have to write one thesis, so I have to select one

00:03:22.019 --> 00:03:27.720
subcategory in this Internet of Things to conduct a penetration test on. Of course

00:03:27.720 --> 00:03:32.689
the first thing which came to my mind were smart home devices. We already had a

00:03:32.689 --> 00:03:37.430
lot of interesting talks about smart home devices.
There are like smart coffee

00:03:37.430 --> 00:03:45.760
machines, smart lawnmowers, light bulbs, thermometers and stuff like that. But this

00:03:45.760 --> 00:03:50.560
category has two problems. So, first of all there is already a lot of research

00:03:50.560 --> 00:03:56.799
done. And the other problem is the impact. So, I don't want to downplay the

00:03:56.799 --> 00:04:01.390
vulnerabilities which were found there, but when there are vulnerabilities found, I

00:04:01.390 --> 00:04:07.570
mean, yeah, if there is a DDoS on your lawnmower you can just go out through your

00:04:07.570 --> 00:04:11.660
garden and mow the lawn yourself. It's not that big of a deal. So I thought I

00:04:11.660 --> 00:04:18.440
have to select a subcategory where the impact is a little bit more critical. And

00:04:18.440 --> 00:04:25.120
I came up with the following devices. So, for example: smart dolls. There was this

00:04:25.120 --> 00:04:30.081
doll Cayla. Some of you might know it. Someone found out that it has a built-in

00:04:30.081 --> 00:04:35.170
microphone and the data was sent to some dubious service in some dubious countries

00:04:35.170 --> 00:04:38.820
and it was even declared as an illegal telecommunication device. It had to be

00:04:38.820 --> 00:04:43.480
destroyed. Or there is a lot of interesting research at baby monitors. A

00:04:43.480 --> 00:04:47.050
colleague of mine wrote a very interesting blog post, you should take a look at it.

00:04:47.050 --> 00:04:54.190
Or devices which affect our body. So, for example smart pacemakers. They were

00:04:54.190 --> 00:04:58.390
developed by St. Jude Medical, that's the biggest manufacturer of pacemakers in the

00:04:58.390 --> 00:05:04.040
world. And they built a pacemaker which is programmable via Bluetooth. But yeah, they

00:05:04.040 --> 00:05:08.330
forgot authentication, which is quite a big problem when everyone is able to

00:05:08.330 --> 00:05:17.100
reprogram your pacemaker.
So as we can see, at these categories the impact would

00:05:17.100 --> 00:05:21.720
be quite critical, but there is again a lot of research done. So the deadline was

00:05:21.720 --> 00:05:28.010
coming closer and closer. I had to hand in some kind of topic for my master's thesis. I

00:05:28.010 --> 00:05:32.010
was doing a lot of brainstorming with myself and then suddenly it came to my

00:05:32.010 --> 00:05:38.000
mind. There is one category out there where the impact would be very critical.

00:05:38.000 --> 00:05:41.990
And there is not a lot of research done, and that's the Internet of Dildos. So

00:05:41.990 --> 00:05:48.670
that's basically the integration of sex toys into the Internet of Things where we

00:05:48.670 --> 00:05:55.740
interconnect the dildos with each other and over the Internet. But before I'm

00:05:55.740 --> 00:06:01.870
going to show you what I've found in this Internet of Dildos, we have to talk about

00:06:01.870 --> 00:06:07.250
history, because you might think now that's something new. But that's not true,

00:06:07.250 --> 00:06:13.350
because the Internet of Dildos as we know it has existed for about 50 to 60 years.

00:06:13.350 --> 00:06:18.120
And as always, when there are new inventions or interesting ideas, they

00:06:18.120 --> 00:06:23.510
first appear in movies, and that also applies to the Internet of Dildos. So,

00:06:23.510 --> 00:06:27.710
those are quite old movies, we have for example Barbarella or Flash Gordon or

00:06:27.710 --> 00:06:34.500
Orgazmo. And in those movies, those are real movies - it's not a joke.

00:06:34.500 --> 00:06:38.530
laughing The Internet of Dildos appeared first in

00:06:38.530 --> 00:06:43.730
these movies. So for example in Barbarella the evil guy used a device called the

00:06:43.730 --> 00:06:50.460
Orgasmotron to cause such high levels of arousal in humanity as to kill people.
So

00:06:50.460 --> 00:06:54.770
basically the Internet of Dildos was in the 60s and 70s a weapon of mass

00:06:54.770 --> 00:06:58.840
destruction loud laughing

00:06:58.840 --> 00:07:08.590
and not the weapon of mass pleasure, as it should be. So a few years later a whole

00:07:08.590 --> 00:07:14.990
research area was formed. This research area is called teledildonics, and that's

00:07:14.990 --> 00:07:19.300
also not a joke again. laughing

00:07:19.300 --> 00:07:25.690
And it was first mentioned by Ted Nelson. He is a technical philosopher and he coined

00:07:25.690 --> 00:07:32.360
quite well-known terms like Transclusion, Virtuality and Intertwingularity and

00:07:32.360 --> 00:07:36.020
Teledildonics. And he mentioned this term at first in a book called Computer

00:07:36.020 --> 00:07:41.310
Lib/Dream Machines. Very interesting book, by the way. You should read it. And in

00:07:41.310 --> 00:07:48.890
this book he did interviews with people who had, yeah, innovative and interesting

00:07:48.890 --> 00:07:54.390
ideas for the time, but the technology was just not ready yet. He did an interview

00:07:54.390 --> 00:08:00.580
with a guy called How Wachspress, and How Wachspress developed a device or had the

00:08:00.580 --> 00:08:05.310
idea for a device called auditac. When you Google for auditac you find quite an

00:08:05.310 --> 00:08:10.730
ancient website called auditac.com. And when you dig a little bit deeper you can

00:08:10.730 --> 00:08:16.160
find out that he's still looking to find a manufacturer to sell his sonic stimulator.

00:08:16.160 --> 00:08:21.410
Sounds already quite interesting, and he even has a patent and a small graphic for it.

00:08:21.410 --> 00:08:27.070
So it's basically a radio with one input and two outputs.
One input, of course, is the

00:08:27.070 --> 00:08:31.610
antenna, and the two outputs are one for the headphones and the other output is for

00:08:31.610 --> 00:08:35.659
this sonic stimulator, which is inserted from below in the human life-form.

00:08:35.659 --> 00:08:41.599
laughing You even can find the patent on Google

00:08:41.599 --> 00:08:45.100
Patents and he writes there in his abstract: Random or controlled

00:08:45.100 --> 00:08:49.370
electronically synthesized signals are converted to sound waves that are directly

00:08:49.370 --> 00:08:54.220
coupled to the skin of a life form, yeah, such as a human body for example, to

00:08:54.220 --> 00:09:02.149
stimulate the skin or internal portions of the life-form. So as we can see the ideas

00:09:02.149 --> 00:09:07.490
were there, but the technology was just not ready in the 1970s and 1980s, but now

00:09:07.490 --> 00:09:13.069
we're in the year 2018 and we are definitely ready for penetration testing

00:09:13.069 --> 00:09:19.940
the Internet of Dildos. And before I'm going to talk about the test devices and

00:09:19.940 --> 00:09:24.250
the vulnerabilities, I'm going to make a promise now. I will try to keep this as

00:09:24.250 --> 00:09:30.230
serious as possible. I will try to keep the, I will call it the IPM, stimulendous

00:09:30.230 --> 00:09:36.589
per minute, as low as possible. Yeah, and now I just want to talk about the test

00:09:36.589 --> 00:09:40.880
devices, because those are very important. So I selected three test devices for my

00:09:40.880 --> 00:09:46.019
master's thesis. On the right side we have the - that's not a joke again -

00:09:46.019 --> 00:09:49.280
Vibratissimo Panty Buster. That's the real name.

00:09:49.280 --> 00:09:53.909
laughing In the middle we have the MagicMotion

00:09:53.909 --> 00:10:00.920
Flamingo and on the left side we have the RealLove Lydia. So the devices on the left

00:10:00.920 --> 00:10:05.209
side and in the middle have one thing in common.
They are manufactured in China.

00:10:05.209 --> 00:10:10.319
The device on the right side is manufactured in Germany. So, I have to

00:10:10.319 --> 00:10:14.899
admit I was a little bit biased, because I thought I am going to take a look at the

00:10:14.899 --> 00:10:19.719
Chinese devices first, because there will be a lot of low-hanging fruits. Question

00:10:19.719 --> 00:10:24.170
to the audience now: Who believes that I found most of the vulnerabilities in the

00:10:24.170 --> 00:10:30.250
Chinese devices? Raise your hand. laughing

00:10:30.250 --> 00:10:37.030
Who believes that I have found most of the vulnerabilities in the German device? Who

00:10:37.030 --> 00:10:40.180
believes that I have found vulnerabilities everywhere?

00:10:40.180 --> 00:10:44.910
loud laughing Yeah, you're basically all right. But when

00:10:44.910 --> 00:10:49.910
I took a look at the German device, I found so many really, really critical

00:10:49.910 --> 00:10:54.430
vulnerabilities that I immediately stopped there and wrote my whole thesis about the

00:10:54.430 --> 00:10:58.299
Panty Buster. laughing

00:10:58.299 --> 00:11:03.500
Okay, so the Panty Buster itself is just one product out of a whole product line. I

00:11:03.500 --> 00:11:07.730
just bought the Panty Buster because it was the cheapest one. They are basically all

00:11:07.730 --> 00:11:13.310
using the same backends, the same iOS and Android apps. And yeah, the Panty

00:11:13.310 --> 00:11:19.100
Buster is basically a device which is connected via Bluetooth to a smartphone

00:11:19.100 --> 00:11:23.990
and it can be used for example for long-distance relationships. But there is way

00:11:23.990 --> 00:11:29.459
more behind those apps, because there's like a whole social media network built

00:11:29.459 --> 00:11:35.470
in. You can make group chats laughing

00:11:35.470 --> 00:11:40.149
You can create image galleries, you can maintain friends lists.

00:11:40.149 --> 00:11:45.140
loud laughing Yeah, that's real.
That's real. It's not a

00:11:45.140 --> 00:11:49.620
joke. applause

00:11:49.620 --> 00:11:56.290
Yeah. And now we're going to analyze this Panty Buster and take it down to the last

00:11:56.290 --> 00:12:01.080
parts. Yeah, we're going to analyze the software. I'm going to tell you a little

00:12:01.080 --> 00:12:05.660
bit about the transport layer and the hardware, of course. So I'd like to start

00:12:05.660 --> 00:12:09.100
with the software. So, the first vulnerability we have to talk about

00:12:09.100 --> 00:12:13.320
is so-called information disclosure. So you might think, nah, boring, just some

00:12:13.320 --> 00:12:18.019
random version numbers. Yeah, that's true, most of the time information disclosures

00:12:18.019 --> 00:12:24.670
are boring. But in this case it's really critical, because I found a so-called

00:12:24.670 --> 00:12:29.779
.DS_Store file in the web root. A .DS_Store file is basically a metadata file which

00:12:29.779 --> 00:12:35.810
is created by the macOS Finder and it contains a lot of metadata, like file and

00:12:35.810 --> 00:12:40.579
folder names. So when you find such a file in a web root you have basically a side

00:12:40.579 --> 00:12:45.819
channel directory listing. This .DS_Store file has a proprietary format, but as for

00:12:45.819 --> 00:12:52.309
all problems in life, there is a Python module to decode it. Yeah. And I decoded

00:12:52.309 --> 00:12:55.790
that .DS_Store file and I was presented with the following contents. So it's

00:12:55.790 --> 00:12:59.489
basically a side channel directory listing of the web root. There are a lot of

00:12:59.489 --> 00:13:04.720
interesting files and folders, so for example: old page example, I have no idea

00:13:04.720 --> 00:13:09.319
why it's there in the productive environment. There is a database folder,

00:13:09.319 --> 00:13:14.170
but the most interesting folder is the config folder.
So whenever we get to the

00:13:14.170 --> 00:13:20.339
config folder, there was real directory listing enabled and there was one file in

00:13:20.339 --> 00:13:31.969
there and it was called config.php.inc with the following contents. So basically

00:13:31.969 --> 00:13:38.049
I had now access to the database hostname, the database names, usernames and

00:13:38.049 --> 00:13:43.029
passwords. The problem now was that, as we can see, the database host is just

00:13:43.029 --> 00:13:47.800
localhost, there might be a chance that it's not directly reachable via the

00:13:47.800 --> 00:13:51.570
Internet. And we have to find the so-called exposed administrative interface to

00:13:51.570 --> 00:13:58.339
connect to the database. Yeah, of course the first thing I did was to do a

00:13:58.339 --> 00:14:05.499
portscan. laughing

00:14:05.499 --> 00:14:17.450
applause A lot of interesting ports. Sadly no SQL

00:14:17.450 --> 00:14:25.360
ports. But some of you might remember this, let's call it weird brown-orange web

00:14:25.360 --> 00:14:32.620
application, called phpMyAdmin, and I found a subdomain which contained the phpMyAdmin

00:14:32.620 --> 00:14:36.430
installation and I was able to use those credentials to connect directly to the

00:14:36.430 --> 00:14:52.029
database and get access to all the data. applause

00:14:52.029 --> 00:14:57.100
So I basically had access now to the real-life addresses, to messages in clear text

00:14:57.100 --> 00:15:04.639
which were exchanged, images, videos and a lot of other stuff. So, yeah. And what

00:15:04.639 --> 00:15:10.420
hurt me the most was the following slide, because the passwords were stored in clear

00:15:10.420 --> 00:15:20.259
text, and that's really not necessary in the 21st century. Okay.
So in real life

00:15:20.259 --> 00:15:28.180
about 30 minutes have passed by loud laughing

00:15:28.180 --> 00:15:32.599
and I tried to do a write-up as fast as possible and submitted it to the German CERT-

00:15:32.599 --> 00:15:38.029
Bund. And yeah, a few minutes later, I got a really interesting call from the German

00:15:38.029 --> 00:15:42.209
CERT-Bund. They told me that they already informed the manufacturer and they're

00:15:42.209 --> 00:15:47.649
already trying to fix those problems. So my problem was now that I still had to

00:15:47.649 --> 00:15:53.070
write my master's thesis and I just had content for about 30 pages now and I needed

00:15:53.070 --> 00:15:57.529
like a hundred pages. So I did a little bit more research and found way more

00:15:57.529 --> 00:16:01.681
vulnerabilities, of course. And the next vulnerability I'm going to talk about is

00:16:01.681 --> 00:16:06.749
the so-called Insecure Direct Object Reference. Sounds cryptic, but it isn't.

00:16:06.749 --> 00:16:11.290
It's basically always a vulnerability which consists of two sub-problems.

00:16:11.290 --> 00:16:16.569
So the first problem is, when someone uploads resources to a backend, those

00:16:16.569 --> 00:16:22.730
resources are most of the time renamed to like a random string which shouldn't be

00:16:22.730 --> 00:16:28.180
guessable. The first problem would be if it were guessable. But the second

00:16:28.180 --> 00:16:32.360
thing is, there should be authorization checks in place. So if someone is able to

00:16:32.360 --> 00:16:39.800
guess those unique identifiers, there should still be some kind of process which

00:16:39.800 --> 00:16:47.670
should check if the user should even be able to download these resources. And in

00:16:47.670 --> 00:16:54.810
this case, yeah, it was just really easy to guess the identifiers and there was no

00:16:54.810 --> 00:17:04.340
authorization whatsoever. And I had to learn this the hard way, literally.
There

00:17:04.340 --> 00:17:08.800
is a feature in the smartphone apps called galleries. So you can create

00:17:08.800 --> 00:17:13.470
galleries, you can set the visibility to: no one is able to see it, just your

00:17:13.470 --> 00:17:17.460
friends are able to see it, everyone is able to see it. You can even set a

00:17:17.460 --> 00:17:23.550
password on those galleries. Yeah. And just for a test I created a gallery with a

00:17:23.550 --> 00:17:27.990
few cats, and when you request the gallery, you see the following request. It's

00:17:27.990 --> 00:17:34.760
userManager.php blah blah blah username, password and some ID. And I thought maybe

00:17:34.760 --> 00:17:39.020
I should change this ID. And I was presented with a dick pic.

00:17:39.020 --> 00:17:43.440
laughing Yeah, the problem behind this is quite

00:17:43.440 --> 00:17:48.330
easy. Everything which is stored on the server is renamed to a global counter. The

00:17:48.330 --> 00:17:53.350
global counter is incremented by one after every upload. And there are no

00:17:53.350 --> 00:17:57.761
authorization checks whatsoever, because the images are just stored on a server, so

00:17:57.761 --> 00:18:02.180
it doesn't matter if you set a password or set the visibility. That's just nonsense

00:18:02.180 --> 00:18:10.340
to do. OK. So the next vulnerability. Yeah, I call it improper authentication. To be

00:18:10.340 --> 00:18:16.470
honest it was just a weird authentication. At SEC Consult I saw already a lot of

00:18:16.470 --> 00:18:20.750
different ways of implementing authentication. Some are good, some are

00:18:20.750 --> 00:18:24.200
bad, but it can be fixed. But in this case it was just weird, I've never seen

00:18:24.200 --> 00:18:29.380
something like that. It's basically like HTTP basic authentication but a little bit

00:18:29.380 --> 00:18:33.220
worse. laughing

00:18:33.220 --> 00:18:37.250
So normally authentication works as follows.
You're sending a username and

00:18:37.250 --> 00:18:41.810
password to a server and if this process is successful you get some kind of

00:18:41.810 --> 00:18:46.470
authorization information like a cookie or an API token. You can use this cookie or

00:18:46.470 --> 00:18:53.510
API token to authorize all the other requests. In this case every request

00:18:53.510 --> 00:18:57.420
contains just username and password in clear text to authenticate the

00:18:57.420 --> 00:19:04.520
requests. That's just weird, to be honest. And also if your password is compromised,

00:19:04.520 --> 00:19:07.980
it will also mean that you have to change your username, because it's part of the

00:19:07.980 --> 00:19:14.370
authentication information. So weird, weird implementation. Okay, the next

00:19:14.370 --> 00:19:19.900
vulnerability is called the remote pleasure version 1.0. It's 1.0 because

00:19:19.900 --> 00:19:25.660
there is a 2.0. laughing

00:19:25.660 --> 00:19:30.670
There is a feature in those apps where you can create remote control links. They can

00:19:30.670 --> 00:19:36.310
be sent via SMS or email and everyone who is in possession of those links can

00:19:36.310 --> 00:19:42.930
directly control the devices. There is no extra confirmation needed. We'll take a

00:19:42.930 --> 00:19:53.180
look at the email now. There is a button in the email called Quick Control and

00:19:53.180 --> 00:20:02.880
there is an ID again. Yeah, the thing is, it's just a global counter again. And what

00:20:02.880 --> 00:20:06.990
an attacker can do now is download the app, create his own quick control link,

00:20:06.990 --> 00:20:10.990
decrement the ID and pleasure just random strangers on the Internet.

00:20:10.990 --> 00:20:25.310
applause Okay, I will show you guys a video now,

00:20:25.310 --> 00:20:31.750
where I'm doing exactly that. laughing

00:20:31.750 --> 00:20:36.010
So when the video is going to start... It's going to start, perfect.
On the right

00:20:36.010 --> 00:20:41.420
side we're going to see an attacker device which is just connected to the normal

00:20:41.420 --> 00:20:46.240
mobile network. And the attacker creates his own quick control link and decrements

00:20:46.240 --> 00:20:50.790
the ID. On the left side we can see another smartphone which is connected to

00:20:50.790 --> 00:20:58.840
Wi-Fi, to have Internet access, and via Bluetooth to the smart sex toy. This

00:20:58.840 --> 00:21:05.420
attacker device should now be able to control - yeah, you can see that now, in a

00:21:05.420 --> 00:21:22.860
few seconds. That's just what I explained. silence

00:21:22.860 --> 00:21:26.420
laughing There is no confirmation whatsoever, so you

00:21:26.420 --> 00:21:32.540
can directly control all the devices. Okay, I have to stop talking about

00:21:32.540 --> 00:21:37.120
software now. There is a lot more, like cross-site scripting, HTTPS problems, outdated

00:21:37.120 --> 00:21:41.370
software, but there is not enough time left now, so we have to talk about the

00:21:41.370 --> 00:21:45.201
transport layer. Before I'm going to tell you something about the vulnerabilities I

00:21:45.201 --> 00:21:51.990
have identified, I will tell you something about Bluetooth Low Energy in general, the

00:21:51.990 --> 00:21:57.670
security basics and how authentication and encryption work on a very high level. So

00:21:57.670 --> 00:22:03.460
you can imagine that Bluetooth Low Energy basically works like a web API. So it's a

00:22:03.460 --> 00:22:08.080
very high-level explanation. You have API endpoints, those are the service

00:22:08.080 --> 00:22:12.070
characteristics, and you have properties where you can read and write to. So for

00:22:12.070 --> 00:22:18.470
example the device name can be read or written to change the device name.
There's

00:22:18.470 --> 00:22:22.190
also a lot of other characteristics which will be very important when it comes to

00:22:22.190 --> 00:22:28.220
remote pleasure version 2.0 a little bit later. So that's a very high-level

00:22:28.220 --> 00:22:32.300
explanation, I know, but we don't have enough time left. Talking about the

00:22:32.300 --> 00:22:39.010
security basics: Bluetooth Low Energy is using AES-CCM, that's counter CBC with MAC.

00:22:39.010 --> 00:22:44.581
That's basically considered secure, but as we know, security also depends on the key

00:22:44.581 --> 00:22:50.450
material and the key exchange. At Bluetooth Low Energy the key exchange is

00:22:50.450 --> 00:22:54.200
defined as the pairing methods. For Bluetooth Low Energy we have five pairing

00:22:54.200 --> 00:22:59.650
methods. We have just "No Pairing". So yeah, we basically throw packets into the

00:22:59.650 --> 00:23:05.770
air and if a device is nearby it tries to do something with those packets. We have

00:23:05.770 --> 00:23:09.060
"Just Works", we have "Out of Band Pairing", "Passkey" and "Numeric

00:23:09.060 --> 00:23:15.510
Comparison". I don't have to tell you the details now. You all know those. It's

00:23:15.510 --> 00:23:19.370
numeric comparison, where we compare numbers to exchange the key material. You

00:23:19.370 --> 00:23:24.800
have the Passkey, which is, yeah, like always 0000 or 1234. We have Out of Band

00:23:24.800 --> 00:23:29.720
Pairing, where the key material is exchanged via NFC for example, and we have

00:23:29.720 --> 00:23:34.500
Just Works, that's really secure, where the key is just set to zero and can of

00:23:34.500 --> 00:23:41.940
course be brute-forced with ease, but it just works, of course. So out of those five

00:23:41.940 --> 00:23:51.320
methods, what does the audience think the sex toy is using? Is it using no pairing?

00:23:51.320 --> 00:23:59.290
Raise your hands. Is it using any of the other more or less secure methods? Yeah.
00:23:59.290 --> 00:24:03.060
It's using no pairing. laughing

00:24:03.060 --> 00:24:06.790
That means that the Android and iOS apps just throw the packets into the air and if

00:24:06.790 --> 00:24:13.420
a device is nearby, it starts to vibrate laughing

00:24:13.420 --> 00:24:17.250
and that's of course easily exploitable, you can just sniff the real traffic and

00:24:17.250 --> 00:24:22.410
repeat it. I did exactly that using a so-called Bluetooth Low Energy sniffer. I

00:24:22.410 --> 00:24:26.580
used a Bluefruit device, it works very well, and I placed it between the sex toy

00:24:26.580 --> 00:24:32.240
and the smartphone app. I sniffed the traffic using Wireshark and I found some

00:24:32.240 --> 00:24:38.970
interesting endpoints or handles. There is the 1F handle which is like an

00:24:38.970 --> 00:24:45.230
initialization handle and there is the handle 25, where you can send values from

00:24:45.230 --> 00:24:51.930
00 to FF to set the vibration intensity. Yeah, and now it's time for a little bit of

00:24:51.930 --> 00:25:02.840
war-dildoing. I wrote a small Python proof of concept which basically scans the air

00:25:02.840 --> 00:25:08.390
for Bluetooth Low Energy devices. If it finds a device, it tries to

00:25:08.390 --> 00:25:15.340
find out if it is a sex toy and if yes, yeah, it basically turns it on to 100%, to

00:25:15.340 --> 00:25:18.450
FF. laughing

00:25:18.450 --> 00:25:25.900
So the next thing I want to talk about is not that funny. So please don't laugh now,

00:25:25.900 --> 00:25:32.000
because when we released this, a lot of people on Twitter asked "Is this rape?",

00:25:32.000 --> 00:25:39.230
so serious topic. For example the evil attacker is using my war-dildoing script

00:25:39.230 --> 00:25:46.220
in the metro, in the U-Bahn in Vienna. And he would just pleasure random strangers.

00:25:46.220 --> 00:25:52.950
Is this rape? In Austria we have two different things.
We have rape and sexual

00:25:52.950 --> 00:25:57.560
assault and they have two preconditions. So that's violence - eh, three

00:25:57.560 --> 00:26:02.720
preconditions. We have violence, threats or deprivation of liberty, which is just

00:26:02.720 --> 00:26:07.820
not the case in this scenario. But we have a special paragraph called, phew, that's

00:26:07.820 --> 00:26:12.450
really hard to translate. It's called the Po-Grapsch paragraph. I know that's a

00:26:12.450 --> 00:26:15.960
little bit different in Germany and I'm not a law expert, so I just kept to the

00:26:15.960 --> 00:26:22.240
Austrian laws, which could be verified by tourists. According to this paragraph this

00:26:22.240 --> 00:26:27.460
would be an unwanted sexual act via a third-party object. So it's not rape, but

00:26:27.460 --> 00:26:35.020
it's an unwanted sexual act. Okay. The hardware. Last but not least. The biggest

00:26:35.020 --> 00:26:40.190
problem is that firmware updates are not possible. That was confirmed by the

00:26:40.190 --> 00:26:46.990
manufacturer. The problem here is a lot of vulnerabilities can just be fixed by doing

00:26:46.990 --> 00:26:54.070
firmware updates, and the manufacturer came up with the idea that the end users can

00:26:54.070 --> 00:26:58.520
send in their smart sex toys to do a firmware update, and I'm quite sure that

00:26:58.520 --> 00:27:04.550
nobody's sending in their used devices to conduct a firmware update. The other

00:27:04.550 --> 00:27:09.450
problems are debug interfaces. They just forgot to remove or deactivate the

00:27:09.450 --> 00:27:15.740
serial interfaces on the sex toys. It's just really easy to extract the firmware

00:27:15.740 --> 00:27:21.970
and do a little bit more research on the firmware. Okay. So you might now think,

00:27:21.970 --> 00:27:27.070
I still want to use smart sex toys. What can I do? Yeah, the tin foil is not

00:27:27.070 --> 00:27:31.100
working.
loud laughing

00:27:31.100 --> 00:27:41.280
applause But there are a lot of interesting open

00:27:41.280 --> 00:27:47.410
source projects out there. So first of all the most famous project is the Internet of

00:27:47.410 --> 00:27:52.310
Dongs project. There is a really interesting person behind that. He's

00:27:52.310 --> 00:27:56.610
called RenderMan. You can find him on Twitter. He invented this project to make

00:27:56.610 --> 00:28:01.240
this whole Internet of Dongs a little bit safer. And he's doing like penetration

00:28:01.240 --> 00:28:06.620
tests and stuff like that and he's even handing out DVEs. So that's the equivalent

00:28:06.620 --> 00:28:13.870
to CVEs. Then we have buttplug.io and metafetish. They are developing open

00:28:13.870 --> 00:28:18.680
source firmwares for a lot of different sex toys and they're independent from all

00:28:18.680 --> 00:28:22.290
the manufacturers. And there is also something called Onion Dildonics

00:28:22.290 --> 00:28:29.910
laughing which has the goal of rerouting all the

00:28:29.910 --> 00:28:36.400
smart sex toy traffic over the Tor network to make it a little bit safer.

00:28:36.400 --> 00:28:48.680
applause OK. There is one more thing. I had a lot

00:28:48.680 --> 00:28:57.260
of calls together with the manufacturer and the German CERT-Bund. And one call was

00:28:57.260 --> 00:29:02.180
outstanding, because we were discussing the remote pleasure vulnerabilities. And we

00:29:02.180 --> 00:29:07.870
tried to explain to the manufacturer that it's not good that you can basically out

00:29:07.870 --> 00:29:13.640
of the box pleasure everyone on the Internet or if you're nearby.
We told them

00:29:13.640 --> 00:29:17.220
that it should be at least like an opt-in feature, where you can switch on this

00:29:17.220 --> 00:29:24.470
feature in the apps, but the manufacturer said no, that's not possible because, at

00:29:24.470 --> 00:29:28.890
least they believed that, most of our customers are in swinger clubs and you

00:29:28.890 --> 00:29:33.230
don't know beforehand who is in the swinger club. So there is just no opt-in

00:29:33.230 --> 00:29:39.320
in a swinger club, because you're basically always in. Thank you.

00:29:39.320 --> 00:29:56.800
applause Herald Angel: Secretary of Education, you

00:29:56.800 --> 00:30:01.100
are now taking questions. We have five microphones, two in the front and three in

00:30:01.100 --> 00:30:08.350
the back. So please line up and ask whatever you want. So apparently people on

00:30:08.350 --> 00:30:11.590
Twitter are engaged in a drinking game where they were drinking every time you

00:30:11.590 --> 00:30:14.760
said penetration testing. loud laughing

00:30:14.760 --> 00:30:21.330
applause Herald: In the meantime we have a question

00:30:21.330 --> 00:30:24.880
from microphone number two. Question: Did you come across anything

00:30:24.880 --> 00:30:28.760
with the patent trolls in teledildonics? Answer: I came across what, sorry?

00:30:28.760 --> 00:30:34.900
Q: Patent trolls. There is an issue with the teledildonics patent and some

00:30:34.900 --> 00:30:40.200
companies have been threatened to go out of business because of frivolous lawsuits.

00:30:40.200 --> 00:30:45.210
A: Yes. Yes, there was the, I guess it was called the teledildonics appreciation day

00:30:45.210 --> 00:30:50.910
in August, because the patent ended. So you can basically use the term wherever you

00:30:50.910 --> 00:30:55.770
want. Herald: Thank you. Microphone number three,

00:30:55.770 --> 00:31:01.900
please. Q: So this was very funny, obviously. And

00:31:01.900 --> 00:31:08.640
you showed us the really low-hanging fruit.
On the website, in the database, you

00:31:08.640 --> 00:31:14.740
would have been able to see the social graph of the users. I don't know if you

00:31:14.740 --> 00:31:19.620
have managed to look at other devices. Can you elaborate a little bit more on

00:31:19.620 --> 00:31:27.430
something that I believe is more serious, which is the profiling of users' behavior,

00:31:27.430 --> 00:31:33.720
social networks and so on? A: So of course I didn't take a look at

00:31:33.720 --> 00:31:37.230
all the data, because it was so critical in my opinion that I directly contacted the

00:31:37.230 --> 00:31:42.360
CERT-Bund. So I can't give you any information about the data, of course. I

00:31:42.360 --> 00:31:46.090
also took a look at things like tracking and stuff like that, and in this

00:31:46.090 --> 00:31:51.890
case there was not a lot of tracking going on at the German sex toys. But when you

00:31:51.890 --> 00:31:55.570
compare it to the Chinese sex toys, there is way more tracking and stuff like that

00:31:55.570 --> 00:32:01.570
going on. But I didn't take like a detailed look into that.

00:32:01.570 --> 00:32:08.700
Herald: Thank you. Thank you again for the educational and entertaining talk

00:32:08.700 --> 00:32:14.751
and hopefully a lot of rounds of applause.

00:32:14.751 --> 00:32:18.561
applause

00:32:18.561 --> 00:32:24.146
35c3 postroll music

00:32:24.146 --> 00:32:41.000
subtitles created by c3subtitles.de in the year 2019. Join, and help us!