34c3 intro
Herald: So, to our next talk... Sit and
relax, you know what that means. Glass of
wine or mate, your favorite easy chair,
and of course your latest WIFI enabled toy
compromising your intimate moments.
Barbara Wimmer, as free author and
journalist, will tell you more about the
Internet of Fails,
will tell you more about where IoT goes
wrong. She's a free author and journalist
at futurezone.at, (DORF?), and will in the
near future release one or two public
stories and a book. Applause!
applause
Barbara Wimmer: Hello everybody. I'm
waiting for my slides to appear on the
screen. Where are my slides please? That's
not my slides.
Oh, thank you very much. So welcome to the
talk Internet of Fails when IoT has gone
wrong. This is a very negative topic title
actually and you're getting a lot of
negative stories in this next hour but I
don't want to talk only about negative
things so you can see "FAIL" as a "first
attempt in learning". So actually at the
end of the talk I want to talk about
solutions as well and I don't want to
provide only bad and negative examples
because that's what we hear every day. And
this is perfect for the congress motto
"tuwat" because this is all about let's
tuwat together. So nobody, most of you in
this room don't will not know me. So I'm
going to introduce myself a little bit and
why I'm talking to you about this topic,
because that's probably what everybody
asks me when I appear somewhere and say oh
I give talks about IoT. And so actually I
work as an IT journalist for more than 12
years. And I got in contact with internet
of things in 2014 when I talked to the
local CERT.at team in Austria. I'm from
Vienna. And they first told me that the
first refrigerator was caught that was
sending out spam mails and that was in
2014 and actually that was really a funny
story back then and we were laughing about
it but at the same time we already knew
that there is something coming up which is
quite going to be a huge development and
so from back then I watched the whole IoT
development in terms of security and
privacy. And in the next 45min you will
hear a lot of stuff about IoT, and where
the problem with IoT is currently and
examples of fails in terms of security and
privacy. But like I mentioned before I
wanna talk about solutions and when we
talk about solutions it will not be like
only one side, like only the consumer,
only the IT-security, only developers.
Actually what I'm going not to provide is
detailed IT-security stuff. So if you
wanna focus more on any story that I'm
talking about I'm mentioning most of the
sources in the slides and if you
really wanna know this example got up,
please look it up if you're really
interested deeply into it. I'm a
journalist and not an IT-security person
so please don't expect me to go into
details in this talk. That's why it's also
in the ethics talk - ethics section of the
congress and not the security part. So
coming to the internet of things I want to
start with a few numbers because these
numbers show the development of IoT. In
2016 we had 6.3 billions of devices out
there. This year we already had 8.3
billion of devices and in 2020 we will -
we are going to have 20.4 billion
connected devices out there. So the
numbers are from Gartner Institute from
January and I have one more slide with
more accurate data from June this year and
actually this slide shows that the
development is actually really growing.
17% more compared to the previous year.
And by 2021 global IoT spending is
expected to reach about 1.4 trillion
dollars. So maybe some of you are asking
yourself: What is the internet of things?
Maybe some of you expected I'm only
talking about a smart home, because IoT is
often related to the smart home. And we're
having all the smart devices that we put
into our living rooms, but that's actually
not the main focus because it's more about
the connected everything. Which means
toys, sex toys, home automation,
lightbulbs, surveillance cameras,
thermostats, but also digital assistants
and wearables. So I wanna start with a few
examples of classical internet of things
stuff which is actually a smart coffee
maker. That's ... so what is smart about a
coffee maker? It only gets ... it doesn't
get smart when you regulate your coffee
machine by app because what's smart about
that? You can just press the button on the
machine. But when you connect your coffee
machine with fitness and sleeping trackers
the coffee machine already knows when you
get up if you need a strong or soft coffee
in the morning and so that might sound
comfortable for some of us, but it also
has a lot of dangers inside, because you
never know that the data is really safe
and only stays with you. Maybe your
insurance company get them one day. So you
all know Cars -probably-, the film, and
this is McLightning Queen and it got a toy
nowadays which is sold for 350 dollars -
no sorry, euros - and this car is able to
sit next to you and watch the film with
you and is going to comment the film.
laughter
And it is - this sounds very funny - but -
and it is funny - but it means that it has
a microphone integrated which is waiting
for the terms in the film on the right
stories and then it makes comments. And
the microphone can only be turned off by
app so there's no physical button to turn
it off and actually another thing is when
you first ... when you actually got this
present for Christmas, which is a really
expensive present with 350 euros, it's
actually first updating for more than
35min before you can even use it. The next
example - you're already laughing - is
internet of ... I call it internet of shit
because you can't say anything else to
that example. It's a toilet IoT sensor
which is actually a smart, small little
box which is put into the toilet. And this
box has sensors. It's an Intel box but I
don't know and this box has sensors and
these sensors help analyzing the stool.
And this data that is collected is going
to send into the cloud. And actually this
could be very useful for people who are
having chronical diseases like Colitis
Ulcerosa or other chronical diseases with
the digestion stuff but it is mainly
designed for healthy people who want to
make better nutrition and reduce their
stress levels with the stool analysis. And
maybe it sounds good at the beginning but
this data that is collected could also be
used for other things in the future. So
it's a perfect example for internet of
shit. But there is another internet of
shit which is a twitter account that
collects all these funny little stories.
It's not from me, so I'm not behind that.
I tried to reach the person but I never
got a reply so I can't tell you anything
about them but they collect examples - if
you don't follow them now and are
interested in this topic you might do
after this talk - so after presenting a
couple of IoT examples with the good and a
bit of the bad sides I first wanna focus a
little bit on the problem because as I
said before you might now think that
everything is nice, comfortable, why
shouldn't we do that and stuff like that.
So the problem is that most of the vendors
that are doing IoT stuff now, that start
to connect everything, they are creating
manually operated devices without
connectivity for long years and they had a
lot of knowledge in terms of materials,
ergonomics, mechanical engineering but
almost zero in the fields of IT security.
Actually I don't say that without having
talked to vendors that have said exactly
that when I interviewed them. Like there
was a lightbulb vendor from Austria who is
a really big vendor who is making
lightbulbs for years and years and years
and actually they started to make
connected lightbulbs in 2015 and when they
did that they ... and I asked them "Oh how
big is your IT security department?" "1
Person". So they didn't actually have the
knowledge that IT security might be more
important when they connect - when they
start to connect things. And actually the
result is that these vendors are making
the same sort of security errors than the
high tech industry was dealing with 15
years ago. So the early 2000s called and
want their web security, their lack of
security back. So there are all kinds of
problems we already know from past:
hardcoded passwords, unsecure bluetooth
connections, permanent cloud server
connections and a lot of other stuff. So
we're going to have from all these 20
billion devices out there, there will be a
lot of unsecure devices and the problem is
that they are collecting to a botnet and
are starting DDoS attacks and we are going
to have internet outages. For those who
are not familiar with the terms I made a
really really really short explanation so
that you are also understanding what I am
talking about. A botnet is a network of
private computers infected with malicious
software and controlled as a group without
the owners' knowledge. Like the example of
the refrigerator that was sending out spam
I told you about earlier. This
refrigerator sent out ... one refrigerator
was sending out 750.000 spam mails by the
way. So the botnet, that has a botnet
owner of course, because it's not only a
zombie botnet, and the botnet owner can
control this network of infected computers
by issuing commands to perform malicious
activities like DDoS attacks. So DDoS is a
distributed denial of Service attack and
actually that's an attempt to stop
legitimate users from accessing the data
normally available on a website. And this
actually can lead to completely shutdown
of a service. And we had this already so
I'm not talking about something in the far
future but we had this in 2016 and most
people already recognized it but it didn't
recognized why - their twitter accounts
did not work, they couldn't use Reddit, or
Spotify, or they couldn't pay with PayPal
at the moment. And behind that attack was
Mirai so several other major services were
offline because an infrastructure provider
was attacked by zombie IoT devices. And
this was one year ago and now one year
later Mirai botnet infections are still
widespread so not every zombie device is
already secured so there are still some
around and not so little and actually
there is a study saying that every
unsecured - no every botnet infection
that's there - every security hole that's
there is staying there for at least 7
years which means that all the unsecure
devices which are out now could get
infected and could stay infected for 7
years. So that's why it's very important
that we are going to do something really
quickly and not starting like in 2020. So
Mirai was supposed to continue in 2017 and
actually a lot of DDoS attacks similar
attacks like Mirai happened in 2017. This
as an example could unleash at any moment
which was in November one few days later
exactly this attack was unleashed, so it
happened. In 2017 we also had a huge
increase in DDoS attacks 91% increase from
Q1 and it's going to increase more. I have
to take a short sip, sorry.
Now we're coming back to examples. One
really good example is the university that
was attacked by its own vending machines
and smart lightbulbs and 5000 other IoT
devices. This was very very difficult to
get fixed because they couldn't get the
university network down so they had to
find a really difficult solution to get it
back up. And actually how did they even
notice about it? Because the students
complained that the internet was going so
slow. Another example which has nothing to
do with DDoS attacks anymore but with IoT
sensors - actually - in a fishtank in an
American casino - north American casino
there were sensors measuring the
temperature of the aquarium and the
fishtank - that the fishes didn't die -
and these sensors were sending the data to
a PC of this casino and this PC was the
same - was using the same network than the
sensors so actually the cybercriminals
could access to this data of the casino
and were stealing them and sending them to
their own servers in Finland. And the
amount was about 10GB of data. Another
example which is actually one of my most -
I don't know why but it's the example I
personally like most of the whole examples
that are collected in 2017. So there was a
surveillance camera bought by a
Netherlands woman. Actually she wanted to
surveil her dog when she was out at work
but what did this camera do? It did
surveil the dog when she was out at work,
but when she was at home the camera
followed her through the room and was
watching her all over the place. And it
had a microphone integrated and one day it
started to talk with her and it said "hola
señorita". And this woman was so
frightened that she actually started to
record that because she thought that
nobody will buy this story. All will think
I’m crazy but this camera actually did not
surveil the dog but was hacked and
surveilled her. And it was a very cheap
camera by the way. She bought it in a
supermarket but we don't know the name of
the vendor in this case. So coming for a
very cheap camera to a very high-tech
camera the cameras you see here is one
that is actually built in a lot of
companies and there was a security hole
found by some Vienna security specialists
from SEC Consult and actually they
demonstrated me how they could actually
hack into this camera and how they could
make it possible that this camera shows
pictures of an empty room in a bank so the
pictures from the empty room in the bank
were shown to me and in reality the bank
was robbed - ok, not in reality. But it
could have been robbed. So that's actually
sounding a little bit like a movie scene
and actually this camera which is sold as
a security camera is kind of useless when
it doesn't have security and it doesn't
really show the picture. And the problem
with this camera was hardcoded passwords.
And the hardcoded password got fixed after
so it was responsible disclosure process
and this camera is safe now. So I'm coming
to a different example now. And this now
finally explains why this toy is sitting
here. Before my talk everybody was telling
me "Ah, you brought your favorite toy, to
protect you during your talk." and I was
laughing "Oh no. No no no no, it's one of
the most unsecure devices out there." But
before we come to this in special I'm
going to talk a little bit about connected
toys. So the German Stiftung Warentest
had made a study regarding connected toys.
The people were testing them and actually
all of their tested bears, robot dogs and
dolls were very very unsecure and some of
them were even critical and are extremely
critical and others were critical. And
actually what was the problem with the
toys and also with this? They were using -
they are using bluetooth connections. And
these bluetooth connections are not
secured by a password or a PIN code. So
every smartphone user close enough could
connect to the toy and listen to children
or ask questions or threaten them and
another problem are the data collecting
apps related to this stuff. So actually
this little unicorn has an app where you
can send the messages. So what does this
actually? It can play messages and you can
- as a child you can record messages and
send it to your mom or your dad. And when
you play messages you never - the heart
blinks. So actually there's a message
waiting for you now. And I'm not sure if
it's the same that I recorded earlier
before. Maybe now it is, maybe at the end
of the talk when I press the button again
it might not be. And so everybody can - so
this - err sorry - This device does have
an app where you can send the message to.
And it also has a children interface and
where you are using the children interface
you're seeing that there are ads
integrated. And in the children's
interface there were ads for porn and
ehm... ...other stuff, which are not
really in the best hands of a child. And
this is also what Stiftung Warentest has
actually - yeah has actually found out.
The data is also used to send to third
party companies and they put trackers to
control the online behavior of their
parents. This is also done with this
device. So the Stiftung Warentest advises
a not connectible dumb teddy might be the
smarter choice in the future. And before I
finally press this button - you're
probably curious now - but first I'm going
to talk a little bit about Cayla. You
probably have heard of Cayla as a very
unsecure doll. Actually it got forbidden
in Germany by law. It is judged as a
prohibited broadcasting station. And
parents who do not destroy it will be
actually fined. And I tried to buy Cayla
in Austria and didn't get the doll. So
actually it should be really off the
market in the German speaking area. And
actually that is also a result of a
campaign from Norway called Toyfail, which
is a Norwegian consumer organization who
are actually - this is Cayla. You can see
her now. Which is actually going to the
European Parliament to make them
understand how unsecure toys is doing a
lot of harm and how we should put more
security into toys. And I've brought a
short little video and I hope we can hear
the audio here as well. We will see.
No. You don't hear anything.
But this doesn't matter because they
have...
Sign Language Interpreter: subtitles
Barbara: subtitles.
Person (Video): There's not added any kind
of security. With simple steps I can talk
through the doll and listen to other
people.
Person through doll (Video): No one wants
others to speak directly through the doll.
Barbara: He's speaking now at the moment.
Doll: inaudible
Person: And you may think... [see video
subs] ... Cayla, can I trust you?
Doll: I don't know.
laughter
applause
Barbara: Yeah and we don't trust Cayla and
we also don't trust our little unicorn.
button clicking
laughter
crying baby in background
Barbara: Ok, somebody has hacked it.
laughter
Yes.
Unicorn Toy: Hello, Chaos Communication
Congress.
Barbara: Ok, that's what I recorded
earlier. But there is some time left.
Maybe, maybe... but you're all sitting too
far actually and nobody of you brought
your computer, so... but we will see, we
will try it later on. So but actually you
shouldn't trust this unicorn, because this
unicorn is from the company called
Cloudpets, which is a - no sorry It's a
toy called Cloudpet and the company is
Spiraltoys from the US. So this is
Cloudpet and there are cats and dogs and
unicorns and it's very ugly but it's a
unicorn. And actually now I'm already
talking a lot about this. Why I'm
explaining you now. There already was a
data breach with this toy so the
children's messages in Cloudpets data
actually was stolen and was public on the
internet. 2 million voice messages
recorded on the cuddly toys has been
discovered free on the internet. And
actually Spiraltoys say that there was no
data breach but the data was there, so...
That's also why I brought this, it was
still very easily available and actually
as I said before the app for child the
interface shows porn ads, so I would not
recommend that for your child. Actually
there are already a lot of institutions
out there which are warning for connected
toys also the consumer group Which? which
actually did a study about this and other
like also the Furby connected they
analyzed, the German Stiftung Warentest,
the Austrian Verein für
Konsumenteninformation, the Norwegian
consumer council, and the FBI. The list is
to be continued. So consider if you really
need a connected toy for your child or
yourself because the next section is about
sex toys.
laughter
applause
squeaky horn
more laughter and applause
I am not... It's not necessary say a lot
about this example. It's actually a
connected vibrator that has a built-in
camera and this camera is very very very
unsafe. Also this toy is really expensive,
so you can't say "Eh, it's only the cheap
stuff that is so unsecure." Also the high-
tech stuff can be really unsecure. I mean
this vibrator costs 250 dollars so it's
very expensive and it has a built-in
web-connected endoscope and they found out
that it's massively insecure. The password
of this... And if you forgot to change it
it's a few more players than expected that
might be watching your newest video about
your private sex adventures. There was
another example actually in this - sorry
go back one more time to this example -
there's a very funny video on it on
youtube about it, maybe you wanna watch
it. I didn't bring it because I couldn't
reach the makers of it. So I'm going to
the next example which is about a case of
sex toy company that actually admits to
recording users' remote sex sessions and it
called it a "minor bug". It was this love
sensor remote app you can see the icon
here and actually this is a vibrator and
an app and the vibrator controlling app
was recording all the sex sounds, all the
sounds you're making when you're using
this vibrator and stores them on the phone
without your knowledge. And the company
says that no information or data was sent
to the servers so this audio file exists
only temporarily and only your device. And
they already had an update so actually
this is not as funny as the other story
but still it's an example of how unsecure
sex stuff can be. So there are lot of lot
of more sex examples out there. One you
should actually definitely search for
after - please don't search for now, but
after this talk. You could google or
duckduckgo or whatever you use the terms
"blowjob injection". And please add
"security" because otherwise you will land
on other sites.
laughter
And this was a female security expert who
was doing this research about a device
which actually was supposed to your
girlfriend could make you a special
blowjob program, your special blowjob and
this could be hacked so somebody else's
blowjob might appear instead your own.
laughter
So there's also a story about a map of
buttplugs in Berlin that are unsecure.
Also if you're interested in that please
also search for that story. Because it's
funny to talk about this, but I also wanna
talk little bit about things that we could
actually do. And one of the projects in
this part is actually doing something
that's called the "internet of dongs
project - hacking sex toys for security
and privacy". And as you can see it's
supported by PornHub, which in this case
means that they get money from PornHub
that they can buy sex toys for their
research. So PornHub is sponsoring them.
Actually I did talk to the guy who is
behind this project. He's called
Renderman. That's a render of him and this
is the website by the way. So he told me
he's currently - they're currently a team
of about 15-20 people out there that are
doing their security research in their own
spare time. And they are not getting any
money for it and they also don't want to
get any money but they are already looking
for more security experts that wanna join
the team and also they have also an
ethical codex and stuff like that and
actually one of the most important things
that he was telling me is that he doesn't
want that you should stay off connected
sex toys at all, but to find the security
holes that we are all able to use them if
we want without any fear. So yeah, you can
get in contact with him if you're
interested. Coming to a different section
now. You can see I'm switching from
security to security and privacy and now
I'm landed on the privacy section. This is
Google Home. And we all know that there is
also Amazon Echo and digital assistants
are also smart IoT devices and this is why
I wanna talk a very very short time about
them because I'm sure a lot of people got
those devices for Christmas. Actually
there was a big increase of digital
assistants in the last year in this
quarter 3 of 2016 there were only 900.000
of such devices sold and in the quarter 3
2017 we had more than 7.4 million of those
devices sold. So there's a huge increase
and we don't even have the numbers of the
Christmas time. Yeah you have seen it. so
why I wanna talk about it, because when
you put this kind of stuff in your home it
might be very comfortable at the beginning
because you don't have to look up the
weather information you can - you don't
have to read your emails you can make the
device read your own emails you can use
them to program your list of what you're
going to buy and stuff like that but
that's how they learn a lot about the
users' habits and their personalities and
those devices will learn more and more
information about you and this information
does not stay in your own home it actually
is going to send to the servers of amazon
and google and I don't need to tell you
what amazon and google are doing with this
data. current at least currently they are
only collecting it but that's very
valuable and they turn around and use it
or sell it in various ways to monetize
that information in one of the future
days. So all digital assistants send the
voice controls that are made after "Ok,
Google" or "Alexa" to their servers and
the data will be saved there and it was
not possible for me to find out for how
long and at which servers. It's not in
their terms of conditions and I couldn't
find it anywhere. So also the German data
privacy delegate Andrea Voßhoff didn't
find this information. She criticized that
"It is not easy for users to understand
how, to what extent and where the
information collected is processed. Also,
it is not clear how long the data will be
stored." So if you still want those
devices in your home now there are at
least physical mute button with google
home and amazon echo and you can also
change the settings to control the data so
all the data that is collected is regularly
deleted from the servers but of course you
never know in how many backups it's
collected as well. So yes it's only
recording after this voice control but
both devices already got hacked and yeah I
didn't amazon echo got hacked in 2016 and
google mini got hacked in 2017 of course
both problems got fixed and when I say got
hacked it means that the devices in your
home were listening to the conversations
all the time. So I'm coming -
unfortunately the funny examples are over.
I'm coming to the part where I wanna speak
about what we can do against the lack of
security and lack of privacy with the
internet of things. So we are currently
having the status quo where we are having an
information asymmetry between the vendor
and the customer. Currently the
manufacturers do not need to provide a
sample information but(?) how security of
a device such as how long it will receive
security updates. so when we buy a device
we never know... oh is it going to be safe
or not. So what we need ... actually what
we need. I did write a couple of things -
I write down a couple of things here which
are partly stolen by the green MEP Jan
Philipp Albrecht from his program because
he's dealing a lot with that kind of
question what we can do with his work and
I'm also - I also was stealing some of
those suggestions from the Renderman from
the Internet of Dongs project, he also had
some helpful tips. And I also stole some
of the information from security experts I
talked in interviews all of the time
because we never talk only about the bad
things we always - we all want to get the
internet of things safer at the end. So
some of them suggested that we could need
an security star rating system similar to
the energy labeling. And when we talk
about security star ratings that could
mean that we use a label. When a device
gets security updates for free for the
next five years it gets the A++ label, if
it's no updates at all and it stays
unsecure it gets the baddest rating or
such things. Actually vendors should also
be forced to close security holes instead
of ignoring them. And they should provide
the security researchers with email
addresses where we can easily report
security flaws because sometimes the
hardest part of the game is to actually
find the right contact to send out the
information about what is unsecure and
what's not. What we also need is a
mandatory offline mode for electronical
devices so this device at least has a
button where you can turn it off. so it
doesn't listen to you permanently. And we
need that for all devices - all connected
devices. Also an airbag and seatbelt for
the digital age and we also have to talk
about product liability and a clear update
policy. so there are also good examples
that we are having now. Actually all what
I was talking about here is regulation.
Regulation that is not existing at the
moment. But there is some regulation that
is existing in the kind of data which is
the GDPR the General Data Protection
Regulation which is coming up in May 2018
and it has included some really really
really helpful things: privacy by design
and privacy by default. And more
possibilities for law enforcement. And
this is very very important because it
doesn't say that because we are going to
have a regulation about privacy by design
and privacy by default this is really done
by the vendors. Actually when I was
interviewing some of them they already
told me that it's not their plan to
integrate that in their products they are
going to wait until they are sued. They
say "Oh, we don't need it. why should we
do it worked now - nope." So that's why
the law enforcement comes into place and
maybe some of you know Max Schrems, he's
also speaking here in two days about
something else though and he's a data
protection activist. And he says that
everything that goes will be done in this
phase we are now, but if vendors won't
observe the law we have to remind them to
do it. So this is how he looks like and he
says that with this new regulation we can,
as a customer, ask for compensation when
data breaches occur. We couldn't do that
so easily now but with this new regulation
it will get a lot of easier. And if 4
billion people sue a company and ask for
compensation that could be a bit expensive
at the end. So if you are not able to sue
anybody yourself, which is not cheap so
nobody - not everybody will secure
companies you can support organizations
that help you with that like the new
organization from Max Schrems called "None
of Your Business" maybe you have seen this
already, I'm not saying that you should
support especially (???) this
organization but his plan is to actually
do that stuff I explained earlier: sue
companies that are not abiding to the law.
So if you wanna visit the website they
currently collecting money. What else can
consumers do? That are no easy tips but we
can't do much except a few easy things.
Does this product really need an internet
connection? Is it possible to turn it off?
Is it still working after that? What do we
find about it on the internet? Can we
reach the vendor? Does the vendor reply
when I have a question? Do we get more
information? Sometimes also clicktivism
helps to stop vendors making stupid
decisions. Here is another example from
the vacuum robot cleaning machine Roomba
who wanted to sell the data that is
collected from the home from the vacuum
cleaner and actually there was a huge huge
huge shitstorm after he was announcing
that - the CEO that was announcing that.
And after the shitstorm the CEO said "Ok,
no nono. We're not collecting. We're not
selling your data. No no." So sometimes
this helps as well and of course follow
the basics in IT-security please update
everything that has updates, separate
networks from IoT products and use safe
passwords, support open hardware, open
software, products where the data is
stored locally is always better than in
the cloud and if you're tech savvy enough
start - which I think you are here - start
building your own tools. Because you have
the control. And what can developers do?
Support privacy by design, security by
design, think about it from the beginning
because you can change it and take
responsibility. And IT security can also
do some stuff or continue to do some
stuff. Point the vendor to the problems,
make helping IT security stronger, keep
reporting the flaws, publish your
research, help develop standards, labels
and seat belts and support each others
work to a stronger voice about this. So
I'm coming to the end of my talk now and
to the topic back to the internet of
fails: How many must be killed in the
Internet of Deadly Things train wrecks?
This is actually an article I was reading
with a huge interest myself because it was
starting to deal with making comparisons
to the great age of railway construction
that was likewise riddled with decades of
disasters before the introduction of
effective signaling and failsafe brakes.
And it was also comparisoned with the
automotive industry where the mandatory
fitting of seatbelts designing the bodies
of cars to reduce injury to pedestrians,
airbag and measures to reduce air
pollution were not introduced not early
enough. So this guy was asked: Do we
really need to kill a few people first?
And he said: Unfortunately that will happen.
So he says: Safety and security standards
for the internet of things can't come soon
enough. I agree with that. With that we
need standards really soon. So I am at the
end of my talk and if we have some time
left I'm waiting for your questions,
ideas, and input now. Otherwise I will
thank you very much for your attention.
applause
Herald: Thank you Barbara. A very warm
applause.
So a small information: If you want to
exit the room please exit the room to your
left over there. So, questions?
I see one question from the Signal Angel.
Q: Hello, ok. The internet wants to know,
well those companies don't have any IoT
security whatsoever or basically none, so
what can we do to make them have more?
B: What we as who, as consumers?
Q: Yeah, basically.
B: Yeah, actually I would - what I said
was I would write them and ask for
standards. I would - I think it can be the
first step that we can write emails or
call them and say "Well, what kind of
security is built in this device, can you
tell me? Otherwise I won't buy your
product."
Herald: Thank you. Any other question? Ok,
in this case again: Thank you Barbara for
your nice talk.
applause
A very warm round of applause. Thanks.
34c3 outro
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!