0:00:00.000,0:00:14.985
34c3 intro
0:00:14.985,0:00:23.670
Herald: So, to our next talk... Sit and[br]relax, you know what that means. Glass of
0:00:23.670,0:00:30.599
wine or mate, your favorite easy chair,[br]and of course your latest WIFI enabled toy
0:00:30.599,0:00:36.099
compromising your intimate moments.[br]Barbara Wimmer, as free author and
0:00:36.099,0:00:40.649
journalist, will tell you more about the[br]Internet of Fails,
0:00:40.649,0:00:47.190
will tell you more about where IoT goes[br]wrong. She's a free author and journalist
0:00:47.190,0:00:57.440
at futurezone.at, (DORF?), and will in the[br]near future release one or two public
0:00:57.440,0:01:11.769
stories and a book. Applause![br]applause
0:01:11.769,0:01:15.780
Barbara Wimmer: Hello everybody. I'm[br]waiting for my slides to appear on the
0:01:15.780,0:01:23.740
screen. Where are my slides please? That's[br]not my slides.
0:01:37.420,0:01:48.630
Oh, thank you very much. So welcome to the[br]talk Internet of Fails when IoT has gone
0:01:48.630,0:01:59.140
wrong. This is a very negative topic title[br]actually and you're getting a lot of
0:01:59.140,0:02:06.710
negative stories in this next hour but I[br]don't want to talk only about negative
0:02:06.710,0:02:13.610
things so you can see "FAIL" as a "first[br]attempt in learning". So actually at the
0:02:13.610,0:02:19.030
end of the talk I want to talk about[br]solutions as well and I don't want to
0:02:19.030,0:02:27.290
provide only bad and negative examples[br]because that's what we hear every day. And
0:02:27.290,0:02:33.500
this is perfect for the congress motto[br]"tuwat" because this is all about let's
0:02:33.500,0:02:44.770
tuwat together. So nobody, most of you in[br]this room don't will not know me. So I'm
0:02:44.770,0:02:51.850
going to introduce myself a little bit and[br]why I'm talking to you about this topic,
0:02:51.850,0:02:58.040
because that's probably what everybody[br]asks me when I appear somewhere and say oh
0:02:58.040,0:03:07.490
I give talks about IoT. And so actually I[br]work as an IT journalist for more than 12
0:03:07.490,0:03:17.490
years. And I got in contact with internet[br]of things in 2014 when I talked to the
0:03:17.490,0:03:26.430
local CERT.at team in Austria. I'm from[br]Vienna. And they first told me that the
0:03:26.430,0:03:32.420
first refrigerator was caught that was[br]sending out spam mails and that was in
0:03:32.420,0:03:42.470
2014 and actually that was really a funny[br]story back then and we were laughing about
0:03:42.470,0:03:48.530
it but at the same time we already knew[br]that there is something coming up which is
0:03:48.530,0:03:59.870
quite going to be a huge development and[br]so from back then I watched the whole IoT
0:03:59.870,0:04:09.150
development in terms of security and[br]privacy. And in the next 45min you will
0:04:09.150,0:04:19.219
hear a lot of stuff about IoT, and where[br]the problem with IoT is currently and
0:04:19.219,0:04:26.400
examples of fails in terms of security and[br]privacy. But like I mentioned before I
0:04:26.400,0:04:31.760
wanna talk about solutions and when we[br]talk about solutions it will not be like
0:04:31.760,0:04:38.019
only one side, like only the consumer,[br]only the IT-security, only developers.
0:04:38.019,0:04:46.740
Actually what I'm going not to provide is[br]detailed IT-security stuff. So if you
0:04:46.740,0:04:53.789
wanna focus more on any story that I'm[br]talking about I'm mentioning most of the
0:04:53.789,0:05:01.709
the sources in the slides and if you[br]really wanna know this example got up,
0:05:01.709,0:05:06.559
please look it up if you're really[br]interested deeply into it. I'm a
0:05:06.559,0:05:12.889
journalist and not an IT-security person[br]so please don't expect me to go into
0:05:12.889,0:05:19.770
details in this talk. That's why it's also[br]in the ethics talk - ethics section of the
0:05:19.770,0:05:28.759
congress and not the security part. So[br]coming to the internet of things I want to
0:05:28.759,0:05:39.759
start with a few numbers because these[br]numbers show the development of IoT. In
0:05:39.759,0:05:48.700
2016 we had 6.3 billions of devices out[br]there. This year we already had 8.3
0:05:48.700,0:05:58.830
billion of devices and in 2020 we will -[br]we are going to have 20.4 billion
0:05:58.830,0:06:05.159
connected devices out there. So the[br]numbers are from Gartner Institute from
0:06:05.159,0:06:13.699
January and I have one more slide with[br]more accurate data from June this year and
0:06:13.699,0:06:23.400
actually this slide shows that the[br]development is actually really growing.
0:06:23.400,0:06:32.400
17% more compared to the previous year.[br]And by 2021 global IoT spending is
0:06:32.400,0:06:42.389
expected to reach about 1.4 trillion[br]dollars. So maybe some you are asking
0:06:42.389,0:06:49.809
yourself: What is the internet of things?[br]Maybe some of you expected I'm only
0:06:49.809,0:06:59.669
talking about a smart home, because IoT is[br]often related to the smart home. And we're
0:06:59.669,0:07:06.139
having all the smart devices that we put[br]into our living rooms, but that's actually
0:07:06.139,0:07:12.740
not the main focus because it's more about[br]the connected everything. Which means
0:07:12.740,0:07:19.239
toys, sex toys, home automation,[br]lightbulbs, surveillance cameras,
0:07:19.239,0:07:28.569
thermostats, but also digital assistants[br]and wearables. So I wanna start with a few
0:07:28.569,0:07:37.580
examples of classical internet of things[br]stuff which is actually a smart coffee
0:07:37.580,0:07:45.430
maker. That's ... so what is smart about a[br]coffee maker? It only gets ... it doesn't
0:07:45.430,0:07:51.429
get smart when you regulate your coffee[br]machine by app because what's smart about
0:07:51.429,0:07:58.189
that? You can just press the button on the[br]machine. But when you connect your coffee
0:07:58.189,0:08:05.750
machine with fitness and sleeping trackers[br]the coffee machine already knows when you
0:08:05.750,0:08:13.179
get up if you need a strong or soft coffee[br]in the morning and so that might sound
0:08:13.179,0:08:20.469
comfortable for some of us, but it also[br]has a lot of dangers inside, because you
0:08:20.469,0:08:25.709
never know that the data is really safe[br]and only stays with you. Maybe your
0:08:25.709,0:08:37.429
insurance company get them one day. So you[br]all know Cars -probably-, the film, and
0:08:37.429,0:08:46.040
this is McLightning Queen and it got a toy[br]nowadays which is sold for 350 dollars -
0:08:46.040,0:08:55.490
no sorry, euros - and this car is able to[br]sit next to you and watch the film with
0:08:55.490,0:09:02.310
you and is going to comment the film.[br]laughter
0:09:02.310,0:09:09.740
And it is - this sounds very funny - but -[br]and it is funny - but it means that it has
0:09:09.740,0:09:15.130
a microphone integrated which is waiting[br]for the terms in the film on the right
0:09:15.130,0:09:22.750
stories and then it makes comments. And[br]the microphone can only be turned off by
0:09:22.750,0:09:30.810
app so there's no physical button to turn[br]it off and actually another thing is when
0:09:30.810,0:09:36.410
you first ... when you actually got this[br]present for Christmas, which is a really
0:09:36.410,0:09:46.589
expensive present with 350 euros, it's[br]actually first updating for more than
0:09:46.589,0:10:01.230
35min before you can even use it. The next[br]example - you're already laughing - is
0:10:01.230,0:10:09.120
internet of ... I call it internet of shit[br]because you can't say anything else to
0:10:09.120,0:10:16.350
that example. It's a toilet IoT sensor[br]which is actually a smart, small little
0:10:16.350,0:10:25.269
box which is put into the toilet. And this[br]box has sensors. It's an Intel box but I
0:10:25.269,0:10:34.760
don't know and this box has sensors and[br]these sensors help analyzing the stool.
0:10:34.760,0:10:44.360
And this data that is collected is going[br]to send into the cloud. And actually this
0:10:44.360,0:10:49.550
could be very useful for people who are[br]having chronical diseases like Colitis
0:10:49.550,0:10:59.319
Ulcerosa or other chronical diseases with[br]the digestion stuff but it is mainly
0:10:59.319,0:11:05.480
designed for healthy people who want to[br]make better nutrition and reduce their
0:11:05.480,0:11:13.870
stress levels with the stool analysis. And[br]maybe it sounds good at the beginning but
0:11:13.870,0:11:21.709
this data that is collected could also be[br]used for other things in the future. So
0:11:21.709,0:11:30.889
it's a perfect example for internet of[br]shit. But there is another internet of
0:11:30.889,0:11:37.970
shit which is a twitter account that[br]collects all these funny little stories.
0:11:37.970,0:11:44.920
It's not from me, so I'm not behind that.[br]I tried to reach the person but I never
0:11:44.920,0:11:50.730
got a reply so I can't tell you anything[br]about them but they collect examples - if
0:11:50.730,0:11:55.579
you don't follow them now and are[br]interested in this topic you might do
0:11:55.579,0:12:05.410
after this talk - so after presenting a[br]couple of IoT examples with the good and a
0:12:05.410,0:12:13.089
bit of the bad sides I first wanna focus a[br]little bit on the problem because as I
0:12:13.089,0:12:20.149
said before you might now think that[br]everything is nice, comfortable, why
0:12:20.149,0:12:26.690
shouldn't we do that and stuff like that.[br]So the problem is that most of the vendors
0:12:26.690,0:12:33.730
that are doing IoT stuff now, that start[br]to connect everything, they are creating
0:12:33.730,0:12:41.350
manually operated devices without[br]connectivity for long years and they had a
0:12:41.350,0:12:48.060
lot of knowledge in terms of materials,[br]ergonomics, mechanical engineering but
0:12:48.060,0:12:58.199
almost zero in the fields of IT security.[br]Actually I don't say that without having
0:12:58.199,0:13:06.959
talked to vendors that have said exactly[br]that when I interviewed them. Like there
0:13:06.959,0:13:14.509
was a lightbulb vendor from Austria who is[br]a really big vendor who is making
0:13:14.509,0:13:22.399
lightbulbs for years and years and years[br]and actually they started to make
0:13:22.399,0:13:34.610
connected lightbulbs in 2015 and when they[br]did that they ... and I asked them "Oh how
0:13:34.610,0:13:44.959
big is your IT security department?" "1[br]Person". So they didn't actually have the
0:13:44.959,0:13:51.579
knowledge that IT security might be more[br]important when they connect - when they
0:13:51.579,0:14:00.079
start to connect things. And actually the[br]result is that these vendors are making
0:14:00.079,0:14:05.519
the same sort of security errors than the[br]high tech industry was dealing with 15
0:14:05.519,0:14:14.269
years ago. So the early 2000s called and[br]want their web security, their lack of
0:14:14.269,0:14:23.700
security back. So there are all kinds of[br]problems we already know from past:
0:14:23.700,0:14:28.709
hardcoded passwords, unsecure bluetooth[br]connections, permanent cloud server
0:14:28.709,0:14:38.920
connections and a lot of other stuff. So[br]we're going to have from all these 20
0:14:38.920,0:14:45.709
billion devices out there, there will be a[br]lot of unsecure devices and the problem is
0:14:45.709,0:14:53.410
that they are collecting to a botnet and[br]are starting DDoS attacks and we are going
0:14:53.410,0:15:02.579
to have internet outages. For those who[br]are not familiar with the terms I made a
0:15:02.579,0:15:07.550
really really really short explanation so[br]that you are also understanding what I am
0:15:07.550,0:15:14.709
talking about. A botnet is a network of[br]private computers infected with malicious
0:15:14.709,0:15:21.749
software and controlled as a group without[br]the owners knowledge. Like the example of
0:15:21.749,0:15:29.060
the refrigerator that was sending out spam[br]I told you about earlier. This
0:15:29.060,0:15:35.870
refrigerator sent out ... one refrigerator[br]was sending out 750.000 spam mails by the
0:15:35.870,0:15:43.029
way. So the botnet, that has a botnet[br]owner of course, because it's not only a
0:15:43.029,0:15:50.430
zombie botnet, and the botnet owner can[br]control this network of infected computers
0:15:50.430,0:15:57.611
by issuing commands to perform malicious[br]activities like DDoS attacks. So DDoS is a
0:15:57.611,0:16:04.300
distributed denial of Service attack and[br]actually that's an attempt to stop
0:16:04.300,0:16:10.459
legitimate users from accessing the data[br]normally available on a website. And this
0:16:10.459,0:16:19.590
actually can lead to completely shutdown[br]of a service. And we had this already so
0:16:19.590,0:16:30.070
I'm not talking about something in the far[br]future but we had this in 2016 and most
0:16:30.070,0:16:37.639
people already recognized it but it didn't[br]recognized why - their twitter accounts
0:16:37.639,0:16:43.750
did not work, they couldn't use Reddit, or[br]Spotify, or they couldn't pay with PayPal
0:16:43.750,0:16:52.850
at the moment. And behind that attack was[br]Mirai so several other major services were
0:16:52.850,0:17:03.230
offline because an infrastructure provider[br]was attacked by zombie IoT devices. And
0:17:03.230,0:17:11.579
this was one year ago and now one year[br]later Mirai botnet infections are still
0:17:11.579,0:17:21.400
widespread so not every zombie device is[br]already secured so there are still some
0:17:21.400,0:17:26.829
around and not so little and actually[br]there is a study saying that every
0:17:26.829,0:17:35.800
unsecured - no every botnet infection[br]that's there - every security hole that's
0:17:35.800,0:17:42.910
there is staying there for at least 7[br]years which means that all the unsecure
0:17:42.910,0:17:50.890
devices which are out now could get[br]infected and could stay infected for 7
0:17:50.890,0:17:56.680
years. So that's why it's very important[br]that we are going to do something really
0:17:56.680,0:18:10.170
quickly and not starting like in 2020. So[br]Mirai was supposed to continue in 2017 and
0:18:10.170,0:18:20.220
actually a lot of DDoS attacks similar[br]attacks like Mirai happened in 2017. This
0:18:20.220,0:18:29.870
as an example could unleash at any moment[br]which was in November one few days later
0:18:29.870,0:18:41.650
exactly this attack was unleashed, so it[br]happened. In 2017 we also had a huge
0:18:41.650,0:18:54.400
increase in DDoS attacks 91% increase from[br]Q1 and it's going to increase more. I have
0:18:54.400,0:19:09.290
to take a short sip, sorry.[br]Now we're coming back to examples. One
0:19:09.290,0:19:15.720
really good example is the university that[br]was attacked by its own vending machines
0:19:15.720,0:19:26.250
and smart lightbulbs and 5000 other IoT[br]devices. This was very very difficult to
0:19:26.250,0:19:31.740
get fixed because they couldn't get the[br]university network down so they had to
0:19:31.740,0:19:38.260
find a really difficult solution to get it[br]back up. And actually how did they even
0:19:38.260,0:19:42.650
notice about it? Because the students[br]complained that the internet was going so
0:19:42.650,0:19:53.240
slow. Another example which has nothing to[br]do with DDoS attacks anymore but with IoT
0:19:53.240,0:20:03.480
sensors - actually - in a fishtank in an[br]American casino - north American casino
0:20:03.480,0:20:12.140
there were sensors measuring the[br]temperature of the aquarium and the
0:20:12.140,0:20:18.900
fishtank - that the fishes didn't die -[br]and these sensors were sending the data to
0:20:18.900,0:20:28.500
a PC of this casino and this PC was the[br]same - was using the same network than the
0:20:28.500,0:20:37.870
sensors so actually the cybercriminals[br]could access to this data of the casino
0:20:37.870,0:20:43.210
and were stealing them and sending them to[br]their own servers in Finland. And the
0:20:43.210,0:20:56.500
amount was about 10GB of data. Another[br]example which is actually one of my most -
0:20:56.500,0:21:03.490
I don't know why but it's the example I[br]personally like most of the whole examples
0:21:03.490,0:21:11.190
that are collected in 2017. So there was a[br]surveillance camera bought by a
0:21:11.190,0:21:22.060
netherlands woman. Actually she wanted to[br]surveil her dog when she was out at work
0:21:22.060,0:21:29.840
but what did this camera do? It did[br]surveil the dog when she was out at work,
0:21:29.840,0:21:37.260
but when she was at home the camera[br]followed her through the room and was
0:21:37.260,0:21:44.410
watching her all over the place. And it[br]had a microphone integrated and one day it
0:21:44.410,0:21:51.680
started to talk with her and it said "hola[br]señorita". And this woman was so
0:21:51.680,0:21:59.890
frightened that she actually started to[br]record that because she thought that
0:21:59.890,0:22:08.290
nobody will buy this story. All will think[br]I’m crazy but this camera actually did not
0:22:08.290,0:22:15.580
surveil the dog but was hacked and[br]surveilled her. And it was a very cheap
0:22:15.580,0:22:21.870
camera by the way. She bought it in a[br]supermarket but we don't know the name of
0:22:21.870,0:22:29.330
the vendor in this case. So coming from a[br]very cheap camera to a very high-tech
0:22:29.330,0:22:40.140
camera the cameras you see here is one[br]that is actually built in a lot of
0:22:40.140,0:22:48.180
companies and there was a security hole[br]found by some Vienna security specialists
0:22:48.180,0:22:53.240
from SEC consult and actually they[br]demonstrated me how they could actually
0:22:53.240,0:23:03.450
hack into this camera and how they could[br]make it possible that this camera shows
0:23:03.450,0:23:13.240
pictures of an empty room in a bank so the[br]pictures from the empty room in the bank
0:23:13.240,0:23:20.240
were shown to me and in reality the bank[br]was robbed - ok, not in reality. But it
0:23:20.240,0:23:29.210
could have been robbed. So that's actually[br]sounding a little bit like a movie scene
0:23:29.210,0:23:37.530
and actually this camera which is sold as[br]a security camera is kind of useless when
0:23:37.530,0:23:42.840
it doesn't have security and it doesn't[br]really show the picture. And the problem
0:23:42.840,0:23:53.970
with this camera was hardcoded passwords.[br]And the hardcoded password got fixed after
0:23:53.970,0:24:02.690
so it was responsible disclosure process[br]and this camera is safe now. So I'm coming
0:24:02.690,0:24:11.800
to a different example now. And this now[br]finally explains why this toy is sitting
0:24:11.800,0:24:19.670
here. Before my talk everybody was telling[br]me "Ah, you brought your favorite toy, to
0:24:19.670,0:24:26.140
protect you during your talk." and I was[br]laughing "Oh no. No no no no, it one of
0:24:26.140,0:24:36.570
the most unsecure devices out there." But[br]before we come to this in special I'm
0:24:36.570,0:24:46.790
going to talk a little bit about connected[br]toys. So the Germany Stiftung Warentest
0:24:46.790,0:24:54.650
had made a study regarding connected toys.[br]The people were testing them and actually
0:24:54.650,0:25:04.820
all of their tested bears, robot dogs and[br]dolls were very very unsecure and some of
0:25:04.820,0:25:12.779
them were even critical and are extremely[br]critical and others were critical. And
0:25:12.779,0:25:22.370
actually what was the problem with the[br]toys and also with this? They were using -
0:25:22.370,0:25:28.210
they are using bluetooth connections. And[br]these bluetooth connections are not
0:25:28.210,0:25:34.360
secured by a password or a PIN code. So[br]every smartphone user close enough could
0:25:34.360,0:25:42.630
connect to the toy and listen to children[br]or ask questions or threaten them and
0:25:42.630,0:25:49.670
another problem are the data collecting[br]apps related to this stuff. So actually
0:25:49.670,0:25:58.640
this little unicorn has an app where you[br]can send the messages. So what does this
0:25:58.640,0:26:07.790
actually? It can play messages and you can[br]- as a child you can record messages and
0:26:07.790,0:26:17.460
send it to your mom or your dad. And when[br]you play messages you never - the heart
0:26:17.460,0:26:24.690
blinks. So actually there's a message[br]waiting for you now. And I'm not sure if
0:26:24.690,0:26:32.710
it's the same that I recorded earlier[br]before. Maybe now it is, maybe at the end
0:26:32.710,0:26:42.730
of the talk when I press the button again[br]it might not be. And so everybody can - so
0:26:42.730,0:26:49.840
this - err sorry - This device does have[br]an app where you can send the message to.
0:26:49.840,0:26:55.730
And it also has a children interface and[br]where you are using the children interface
0:26:55.730,0:27:02.660
you're seeing that there are ads[br]integrated. And in the children's
0:27:02.660,0:27:13.230
interface there were ads for porn and[br]ehm... ...other stuff, which are not
0:27:13.230,0:27:20.320
really in the best hands of a child. And[br]this is also what Stiftung Warentest has
0:27:20.320,0:27:31.140
actually - yeah has actually found out.[br]The data is also used to send to third
0:27:31.140,0:27:35.700
party companies and they put trackers to[br]control the online behavior of their
0:27:35.700,0:27:42.700
parents. This is also done with this[br]device. So the Stiftung Warentest advises
0:27:42.700,0:27:51.290
a not connectible dumb teddy might be the[br]smarter choice in the future. And before I
0:27:51.290,0:27:56.530
finally press this button - you're[br]probably curious now - but first I'm going
0:27:56.530,0:28:07.420
to talk a little bit about Cayla. You[br]probably have heard of Cayla as a very
0:28:07.420,0:28:14.880
unsecure doll. Actually it got forbidden[br]in Germany by law. It is judged as a
0:28:14.880,0:28:22.080
prohibited broadcasting station. And[br]parents who do not destroy it will be
0:28:22.080,0:28:28.710
actually fined. And I tried to buy Cayla[br]in Austria and didn't get the doll. So
0:28:28.710,0:28:35.050
actually it should be really off the[br]market in the German speaking area. And
0:28:35.050,0:28:43.500
actually that is also a result of a[br]campaign from Norway called Toyfail, which
0:28:43.500,0:28:49.800
is a Norwegian consumer organization who[br]are actually - this is Cayla. You can see
0:28:49.800,0:29:00.110
her now. Which is actually going to the[br]European Parliament to make them
0:29:00.110,0:29:07.830
understand how unsecure toys is doing a[br]lot of harm and how we should put more
0:29:07.830,0:29:17.130
security into toys. And I've brought a[br]short little video and I hope we can hear
0:29:17.130,0:29:27.810
the audio here as well. We will see.[br]No. You don't hear anything.
0:29:27.810,0:29:31.660
But this doesn't matter because they[br]have...
0:29:31.660,0:29:35.960
Sign Language Interpreter: subtitles[br]Barbara: subtitles.
0:29:35.960,0:29:40.530
Person (Video): There's not added any kind[br]of security. With simple steps I can talk
0:29:40.530,0:29:44.990
through the doll and listen to other[br]people.
0:29:44.990,0:29:47.740
Person through doll (Video): No one wants[br]others to speak directly through the doll.
0:29:47.740,0:29:56.790
Barbara: He's speaking now at the moment.[br]Doll: inaudible
0:29:56.790,0:30:38.900
Person: And you may think... [see video[br]subs] ... Cayla, can I trust you?
0:30:38.900,0:30:44.010
Doll: I don't know.[br]laughter
0:30:44.010,0:30:58.150
applause[br]Barbara: Yeah and we don't trust Cayla and
0:30:58.150,0:31:07.910
we also don't trust our little unicorn.[br]button clicking
0:31:07.910,0:31:25.040
laughter[br]crying baby in background
0:31:25.040,0:31:34.810
Barbara: Ok, somebody has hacked it.[br]laughter
0:31:34.810,0:31:42.920
Yes.[br]Unicorn Toy: Hello, Chaos Communication
0:31:42.920,0:31:48.000
Congress.[br]Barbara: Ok, that's what I recorded
0:31:48.000,0:31:57.140
earlier. But there is some time left.[br]Maybe, maybe... but you're all sitting too
0:31:57.140,0:32:04.120
far actually and nobody of you brought[br]your computer, so... but we will see, we
0:32:04.120,0:32:10.040
will try it later on. So but actually you[br]shouldn't trust this unicorn, because this
0:32:10.040,0:32:22.360
unicorn is from the company called[br]Cloudpets, which is a - no sorry It's a
0:32:22.360,0:32:29.680
toy called Cloudpet and the company is[br]Spiraltoys from the US. So this is
0:32:29.680,0:32:39.110
Cloudpet and there are cats and dogs and[br]unicorns and it's very ugly but it's a
0:32:39.110,0:32:48.640
unicorn. And actually now I'm already[br]talking a lot about this. Why I'm
0:32:48.640,0:32:57.550
explaining you now. There already was a[br]data breach with this toy so the
0:32:57.550,0:33:05.610
children's messages in Cloudpets data[br]actually was stolen and was public on the
0:33:05.610,0:33:13.740
internet. 2 million voice messages[br]recorded on the cuddly toys has been
0:33:13.740,0:33:25.060
discovered free on the internet. And[br]actually Spiraltoys say that there was no
0:33:25.060,0:33:33.631
data breach but the data was there, so...[br]That's also why I brought this, it was
0:33:33.631,0:33:40.360
still very easily available and actually[br]as I said before the app for child the
0:33:40.360,0:33:51.250
interface shows porn ads, so I would not[br]recommend that for your child. Actually
0:33:51.250,0:33:55.600
there are already a lot of institutions[br]out there which are warning for connected
0:33:55.600,0:34:03.490
toys also the consumer group Which? which[br]actually did a study about this and other
0:34:03.490,0:34:10.000
like also the Furby connected they[br]analyzed, the German Stiftung Warentest,
0:34:10.000,0:34:13.949
the Austrian Verein für[br]Konsumenteninformation, the Norwegian
0:34:13.949,0:34:22.429
consumer council, and the FBI. The list is[br]to be continued. So consider if you really
0:34:22.429,0:34:31.480
need a connected toy for your child or[br]yourself because the next section is about
0:34:31.480,0:34:37.979
sex toys.[br]laughter
0:34:37.979,0:34:49.900
applause[br]squeaky horn
0:34:49.900,0:34:57.170
more laughter and applause[br]I am not... It's not necessary say a lot
0:34:57.170,0:35:04.330
about this example. It's actually a[br]connected vibrator that has a built-in
0:35:04.330,0:35:18.870
camera and this camera is very very very[br]unsafe. Also this toy is really expensive,
0:35:18.870,0:35:24.670
so you can't say "Eh, it's only the cheap[br]stuff that is so unsecure." Also the high-
0:35:24.670,0:35:32.480
tech stuff can be really unsecure. I mean[br]this vibrator costs 250 dollars so it's
0:35:32.480,0:35:42.610
very expensive and it has a built-in web-[br]connected endoscope and they found out
0:35:42.610,0:35:55.640
that it's massively insecure. The password[br]of this... And if you forgot to change it
0:35:55.640,0:36:01.740
it's a few more players than expected that[br]might be watching your newest video about
0:36:01.740,0:36:09.950
your private sex adventures. There was[br]another example actually in this - sorry
0:36:09.950,0:36:14.640
go back one more time to this example -[br]there's a very funny video on it on
0:36:14.640,0:36:20.490
youtube about it, maybe you wanna watch[br]it. I didn't bring it because I couldn't
0:36:20.490,0:36:31.600
reach the makers of it. So I'm going to[br]the next example which is about a case of
0:36:31.600,0:36:39.040
sex toy company that actually admits to[br]recording users remote sex sessions and it
0:36:39.040,0:36:48.110
called it a "minor bug". It was this love[br]sensor remote app you can see the icon
0:36:48.110,0:36:56.050
here and actually this is a vibrator and[br]an app and the vibrator controlling app
0:36:56.050,0:37:03.080
was recording all the sex sounds, all the[br]sounds you're making when you're using
0:37:03.080,0:37:09.610
this vibrator and stores them on the phone[br]without your knowledge. And the company
0:37:09.610,0:37:15.600
says that no information or data was sent[br]to the servers so this audio file exists
0:37:15.600,0:37:21.570
only temporarily and only your device. And[br]they already had an update so actually
0:37:21.570,0:37:28.280
this is not as funny as the other story[br]but still it's an example of how unsecure
0:37:28.280,0:37:38.450
sex stuff can be. So there are lot of lot[br]of more sex examples out there. One you
0:37:38.450,0:37:45.780
should actually definitely search for[br]after - please don't search for now, but
0:37:45.780,0:37:55.250
after this talk. You could google or[br]duckduckgo or whatever you use the terms
0:37:55.250,0:38:04.280
"blowjob injection". And please add[br]"security" because otherwise you will land
0:38:04.280,0:38:07.920
on other sites.[br]laughter
0:38:07.920,0:38:18.360
And this was a female security expert who[br]was doing this research about a device
0:38:18.360,0:38:24.760
which actually was supposed to your[br]girlfriend could make you a special
0:38:24.760,0:38:31.050
blowjob program, your special blowjob and[br]this could be hacked so somebody else's
0:38:31.050,0:38:39.120
blowjob might appear instead your own.[br]laughter
0:38:39.120,0:38:47.520
So there's also a story about a map of[br]buttplugs in Berlin that are unsecure.
0:38:47.520,0:38:56.460
Also if you're interested in that please[br]also search for that story. Because it's
0:38:56.460,0:39:01.450
funny to talk about this, but I also wanna[br]talk little bit about things that we could
0:39:01.450,0:39:08.890
actually do. And one of the projects in[br]this part is actually doing something
0:39:08.890,0:39:14.480
thats called the "internet of dongs[br]project - hacking sex toys for security
0:39:14.480,0:39:22.190
and privacy". And as you can see it's[br]supported by PornHub, which in this case
0:39:22.190,0:39:29.030
means that they get money from PornHub[br]that they can buy sex toys for their
0:39:29.030,0:39:41.680
research. So PornHub is sponsoring them.[br]Actually I did for talk to the guy who is
0:39:41.680,0:39:49.510
behind this project. He's called[br]Randomman. That's a render of him and this
0:39:49.510,0:39:57.210
is the website by the way. So he told me[br]he's currently - they're currently a team
0:39:57.210,0:40:05.600
of about 15-20 people out there that are[br]doing their security research in their own
0:40:05.600,0:40:10.980
spare time. And they are not getting any[br]money for it and they also don't want to
0:40:10.980,0:40:17.670
get any money but they are already looking[br]for more security experts that wanna join
0:40:17.670,0:40:24.440
the team and also they have also an[br]ethical codex and stuff like that and
0:40:24.440,0:40:32.180
actually one of the most important things[br]that he was telling me is that he doesn't
0:40:32.180,0:40:41.110
want that you should stay off connected[br]sex toys at all, but to find the security
0:40:41.110,0:40:54.760
holes that we are all able to use them if[br]we want without any fear. So yeah, you can
0:40:54.760,0:41:02.710
get in contact with him if you're[br]interested. Coming to a different section
0:41:02.710,0:41:14.110
now. You can see I'm switching from[br]security to security and privacy and now
0:41:14.110,0:41:23.900
I'm landed on the privacy section. This is[br]Google Home. And we all know that there is
0:41:23.900,0:41:32.869
also Amazon Echo and digital assistants[br]are also smart IoT devices and this is why
0:41:32.869,0:41:38.810
I wanna talk a very very short time about[br]them because I'm sure a lot of people got
0:41:38.810,0:41:46.290
those devices for Christmas. Actually[br]there was a big increase of digital
0:41:46.290,0:41:56.630
assistants in the last year in this[br]quarter 3 of 2016 there were only 900.000
0:41:56.630,0:42:11.040
of such devices sold and in the quarter 3[br]2017 we had more than 7.4 million of those
0:42:11.040,0:42:17.180
devices sold. So there's a huge increase[br]and we don't even have the numbers of the
0:42:17.180,0:42:29.110
Christmas time. Yeah you have seen it. So[br]why I wanna talk about it: because when
0:42:29.110,0:42:36.510
you put this kind of stuff in your home it[br]might be very comfortable at the beginning
0:42:36.510,0:42:41.520
because you don't have to look up the[br]weather information you can - you don't
0:42:41.520,0:42:47.250
have to read your emails you can make the[br]device read your own emails you can use
0:42:47.250,0:42:55.880
them to program your list of what you're[br]going to buy and stuff like that but
0:42:55.880,0:43:02.380
that's how they learn a lot about the[br]users' habits and their personalities and
0:43:02.380,0:43:07.480
those devices will learn more and more[br]information about you and this information
0:43:07.480,0:43:16.350
does not stay in your own home it actually[br]is going to be sent to the servers of Amazon
0:43:16.350,0:43:22.720
and Google and I don't need to tell you[br]what Amazon and Google are doing with this
0:43:22.720,0:43:31.170
data. At least currently they are[br]only collecting it but that's very
0:43:31.170,0:43:39.760
valuable and they turn around and use it[br]or sell it in various ways to monetize
0:43:39.760,0:43:48.760
that information in one of the future[br]days. So all digital assistants send the
0:43:48.760,0:43:54.440
voice controls that are made after "Ok,[br]Google" or "Alexa" to their servers and
0:43:54.440,0:44:00.850
the data will be saved there and it was[br]not possible for me to find out for how
0:44:00.850,0:44:07.460
long and at which servers. It's not in[br]their terms and conditions and I couldn't
0:44:07.460,0:44:15.600
find it anywhere. So also the German data[br]privacy delegate Andrea Voßhoff didn't
0:44:15.600,0:44:21.580
find this information. She criticized that[br]"It is not easy for users to understand
0:44:21.580,0:44:28.340
how, to what extent and where the[br]information collected is processed. Also,
0:44:28.340,0:44:37.300
it is not clear how long the data will be[br]stored." So if you still want those
0:44:37.300,0:44:45.369
devices in your home now there are at[br]least physical mute buttons with Google
0:44:45.369,0:44:52.150
Home and Amazon Echo and you can also[br]change the settings to control the data so
0:44:52.150,0:45:00.400
all the data that is collected is regularly[br]deleted from the servers but of course you
0:45:00.400,0:45:08.490
never know in how many backups it's[br]collected as well. So yes it's only
0:45:08.490,0:45:22.480
recording after this voice control but[br]both devices already got hacked and yeah I
0:45:22.480,0:45:32.370
didn't... Amazon Echo got hacked in 2016 and[br]Google Mini got hacked in 2017. Of course
0:45:32.370,0:45:39.610
both problems got fixed and when I say got[br]hacked it means that the devices in your
0:45:39.610,0:45:54.000
home were listening to the conversations[br]all the time. So I'm coming -
0:45:54.000,0:46:01.110
unfortunately the funny examples are over.[br]I'm coming to the part where I wanna speak
0:46:01.110,0:46:09.960
about what we can do against the lack of[br]security and lack of privacy with the
0:46:09.960,0:46:18.560
internet of things. So we are currently[br]having the status quo where we are having an
0:46:18.560,0:46:23.510
information asymmetry between the vendor[br]and the customer. Currently the
0:46:23.510,0:46:29.100
manufacturers do not need to provide a[br]sample information but(?) how security of
0:46:29.100,0:46:36.900
a device such as how long it will receive[br]security updates. So when we buy a device
0:46:36.900,0:46:52.150
we never know... oh is it going to be safe[br]or not. So what we need ... actually what
0:46:52.150,0:47:00.300
we need. I did write a couple of things -[br]I wrote down a couple of things here which
0:47:00.300,0:47:10.410
are partly stolen from the green MEP Jan[br]Philipp Albrecht from his program because
0:47:10.410,0:47:18.300
he's dealing a lot with that kind of[br]question what we can do with his work and
0:47:18.300,0:47:27.590
I'm also - I also was stealing some of[br]those suggestions from the Renderman from
0:47:27.590,0:47:34.520
the Internet of Dongs project, he also had[br]some helpful tips. And I also stole some
0:47:34.520,0:47:40.000
of the information from security experts I[br]talked to in interviews all of the time
0:47:40.000,0:47:45.080
because we never talk only about the bad[br]things we always - we all want to get the
0:47:45.080,0:47:52.690
internet of things safer at the end. So[br]some of them suggested that we could need
0:47:52.690,0:48:01.070
a security star rating system similar to[br]the energy labeling. And when we talk
0:48:01.070,0:48:13.130
about security star ratings that could[br]mean that we use a label. When a device
0:48:13.130,0:48:19.551
gets security updates for free for the[br]next five years it gets the A++ label, if
0:48:19.551,0:48:24.900
there are no updates at all and it stays[br]insecure it gets the worst rating or
0:48:24.900,0:48:32.330
such things. Actually vendors should also[br]be forced to close security holes instead
0:48:32.330,0:48:39.620
of ignoring them. And they should provide[br]the security researchers with email
0:48:39.620,0:48:45.850
addresses where we can easily report[br]security flaws because sometimes the
0:48:45.850,0:48:52.330
hardest part of the game is to actually[br]find the right contact to send out the
0:48:52.330,0:49:01.450
information about what is insecure and[br]what's not. What we also need is a
0:49:01.450,0:49:09.480
mandatory offline mode for electronic[br]devices so this device at least has a
0:49:09.480,0:49:19.710
button where you can turn it off. So it[br]doesn't listen to you permanently. And we
0:49:19.710,0:49:28.090
need that for all devices - all connected[br]devices. Also an airbag and seatbelt for
0:49:28.090,0:49:35.160
the digital age and we also have to talk[br]about product liability and a clear update
0:49:35.160,0:49:46.090
policy. So there are also good examples[br]that we are having now. Actually all what
0:49:46.090,0:49:54.920
I was talking about here is regulation.[br]Regulation that is not existing at the
0:49:54.920,0:50:05.080
moment. But there is some regulation that[br]is existing in the kind of data which is
0:50:05.080,0:50:12.870
the GDPR, the General Data Protection[br]Regulation, which is coming up in May 2018
0:50:12.870,0:50:20.170
and it has included some really really[br]really helpful things: privacy by design
0:50:20.170,0:50:27.750
and privacy by default. And more[br]possibilities for law enforcement. And
0:50:27.750,0:50:36.090
this is very very important because it[br]doesn't say that because we are going to
0:50:36.090,0:50:43.330
have a regulation about privacy by design[br]and privacy by default this is really done
0:50:43.330,0:50:47.800
by the vendors. Actually when I was[br]interviewing some of them they already
0:50:47.800,0:50:55.270
told me that it's not their plan to[br]integrate that in their products they are
0:50:55.270,0:51:03.820
going to wait until they are sued. They[br]say "Oh, we don't need it. why should we
0:51:03.820,0:51:16.090
do it worked now - nope." So that's why[br]the law enforcement comes into place and
0:51:16.090,0:51:21.430
maybe some of you know Max Schrems, he's[br]also speaking here in two days about
0:51:21.430,0:51:28.490
something else though and he is a data[br]protection activist. And he says that
0:51:28.490,0:51:33.780
everything that goes will be done in this[br]phase we are now, but if vendors won't
0:51:33.780,0:51:44.601
observe the law we have to remind them to[br]do it. So this is what he looks like and he
0:51:44.601,0:51:51.770
says that with this new regulation we can,[br]as a customer, ask for compensation when
0:51:51.770,0:51:57.790
data breaches occur. We couldn't do that[br]so easily now but with this new regulation
0:51:57.790,0:52:05.160
it will get a lot easier. And if 4[br]billion people sue a company and ask for
0:52:05.160,0:52:16.160
compensation that could be a bit expensive[br]at the end. So if you are not able to sue
0:52:16.160,0:52:24.590
anybody yourself, which is not cheap so[br]nobody - not everybody will sue
0:52:24.590,0:52:32.140
companies you can support organizations[br]that help you with that like the new
0:52:32.140,0:52:39.150
organization from Max Schrems called "None[br]of Your Business" maybe you have seen this
0:52:39.150,0:52:45.980
already, I'm not saying that you should[br]support especially (???) this
0:52:45.980,0:52:52.020
organization but his plan is to actually[br]do that stuff I explained earlier: sue
0:52:52.020,0:52:59.270
companies that are not abiding by the law.[br]So if you wanna visit the website they are
0:52:59.270,0:53:13.350
currently collecting money. What else can[br]consumers do? There are no easy tips but we
0:53:13.350,0:53:20.280
can't do much except a few easy things.[br]Does this product really need an internet
0:53:20.280,0:53:28.000
connection? Is it possible to turn it off?[br]Is it still working after that? What do we
0:53:28.000,0:53:36.590
find about it on the internet? Can we[br]reach the vendor? Does the vendor reply
0:53:36.590,0:53:45.030
when I have a question? Do we get more[br]information? Sometimes also clicktivism
0:53:45.030,0:53:53.179
helps to stop vendors making stupid[br]decisions. Here is another example from
0:53:53.179,0:54:00.010
the vacuum robot cleaning machine Roomba[br]which wanted to sell the data that is
0:54:00.010,0:54:08.350
collected from the home from the vacuum[br]cleaner and actually there was a huge huge
0:54:08.350,0:54:14.080
huge shitstorm after he was announcing[br]that - the CEO who was announcing that.
0:54:14.080,0:54:20.270
And after the shitstorm the CEO said "Ok,[br]no nono. We're not collecting. We're not
0:54:20.270,0:54:28.490
selling your data. No no." So sometimes[br]this helps as well and of course follow
0:54:28.490,0:54:35.940
the basics in IT security: please update[br]everything that has updates, separate
0:54:35.940,0:54:45.270
networks from IoT products and use safe[br]passwords, support open hardware, open
0:54:45.270,0:54:50.890
software, products where the data is[br]stored locally are always better than in
0:54:50.890,0:54:58.050
the cloud and if you're tech savvy enough[br]start - which I think you are here - start
0:54:58.050,0:55:09.110
building your own tools. Because you have[br]the control. And what can developers do?
0:55:09.110,0:55:14.710
Support privacy by design, security by[br]design, think about it from the beginning
0:55:14.710,0:55:22.150
because you can change it and take[br]responsibility. And IT security can also
0:55:22.150,0:55:30.010
do some stuff or continue to do some[br]stuff. Point the vendor to the problems,
0:55:30.010,0:55:36.240
make helping IT security stronger, keep[br]reporting the flaws, publish your
0:55:36.240,0:55:43.270
research, help develop standards, labels[br]and seat belts and support each other's
0:55:43.270,0:55:52.100
work to a stronger voice about this. So[br]I'm coming to the end of my talk now and
0:55:52.100,0:55:57.920
to the topic back to the internet of[br]fails: How many must be killed in the
0:55:57.920,0:56:04.730
Internet of Deadly Things train wrecks?[br]This is actually an article I was reading
0:56:04.730,0:56:12.750
with a huge interest myself because it was[br]starting to deal with making comparisons
0:56:12.750,0:56:17.550
to the great age of railway construction[br]that was likewise riddled with decades of
0:56:17.550,0:56:25.820
disasters before the introduction of[br]effective signaling and failsafe brakes.
0:56:25.820,0:56:30.140
And it was also compared with the[br]automotive industry where the mandatory
0:56:30.140,0:56:36.650
fitting of seatbelts, designing the bodies[br]of cars to reduce injury to pedestrians,
0:56:36.650,0:56:42.330
airbags and measures to reduce air[br]pollution were not introduced early
0:56:42.330,0:56:51.369
enough. So this guy was asked: Do we[br]really need to kill a few people first?
0:56:51.369,0:56:58.400
And he said: Unfortunately that will happen.[br]So he says: Safety and security standards
0:56:58.400,0:57:06.349
for the internet of things can't come soon[br]enough. I agree with that. With that we
0:57:06.349,0:57:15.960
need standards really soon. So I am at the[br]end of my talk and if we have some time
0:57:15.960,0:57:22.210
left I'm waiting for your questions,[br]ideas, and input now. Otherwise I will
0:57:22.210,0:57:25.370
thank you very much for your attention.
0:57:25.370,0:57:28.370
applause
0:57:28.370,0:57:33.890
Herald: Thank you Barbara. A very warm[br]applause.
0:57:33.890,0:57:37.630
So a small piece of information: If you want to[br]exit the room please exit the room to your
0:57:37.630,0:57:47.770
left over there. So, questions?[br]I see one question from the Signal Angel.
0:57:47.770,0:57:54.040
Q: Hello, ok. The internet wants to know,[br]well those companies don't have any IoT
0:57:54.040,0:58:03.370
security whatsoever or basically none, so[br]what can we do to make them have more?
0:58:03.370,0:58:07.710
B: What we as who, as consumers?[br]Q: Yeah, basically.
0:58:07.710,0:58:15.220
B: Yeah, actually I would - what I said[br]was I would write them and ask for
0:58:15.220,0:58:25.720
standards. I would - I think it can be the[br]first step that we can write emails or
0:58:25.720,0:58:32.851
call them and say "Well, what kind of[br]security is built into this device, can you
0:58:32.851,0:58:40.139
tell me? Otherwise I won't buy your[br]product."
0:58:40.139,0:58:50.270
Herald: Thank you. Any other question? Ok,[br]in this case again: Thank you Barbara for
0:58:50.270,0:58:53.250
your nice talk.[br]applause
0:58:53.250,0:58:59.774
A very warm round of applause. Thanks.
0:58:59.774,0:59:05.287
34c3 outro
0:59:05.287,0:59:20.741
subtitles created by c3subtitles.de[br]in the year 2018. Join, and help us!