35C3 preroll music
Herald: And I have one last announcement before we begin this talk. This is a personal announcement to whoever slapped this sticker saying "for rectal use only" onto my microphone.
loud laughing
Microphones are not supposed to be used this way.
applause
Please trust me. I am very familiar with microphones.
laughing
I know how they are supposed to be used. However, our next speaker is going to tell you about things that are supposed to be used this way and about how to secure and protect those things. So please welcome the honor and the talk you all came here to see: The Internet of Dongs. A round of applause.
applause
Okay, so hello everyone. My name is Werner. I'm working for SEC Consult as an IT security consultant. And besides penetrating all the things at SEC Consult's Vulnerability Lab, I have been studying information security for the last five years at the University of Applied Sciences St. Pölten back in Austria, and about a year ago I was facing a massive challenge. Some people might know this challenge. This challenge was to select a proper topic for my master's thesis.
loud laughing
You might know there are always those predefined topics by the universities. Some of them are quite interesting. They are taken, yeah, most of the time quite fast by the other students and you are left with the boring topics, and I thought to myself, I don't want to stress myself, I just want to define a topic by myself. And that was the challenge. So the first thing I did to get a better overview of the topics was to take a look at the topics my colleagues have chosen and create a word cloud out of that. So we have basically all the interesting topics there: we have Bitcoins, we have GDPR, we have cyber cyber cyber, we have DevOps management, malware. But some of you might have already noticed it. There is one topic missing at my colleagues' theses which is very, very important in the year 2018 and that's the Internet of Things. So I guess I don't have to explain here at the Congress what the Internet of Things is. It's basically the interconnection of all the devices which were analog a few years ago, with each other and, even worse, over the Internet. I thought maybe I can combine the knowledge gathered at SEC Consult and conduct a penetration test in this Internet of Things. The problem here is still there are like millions of products and I just have to write one thesis, so I have to select one subcategory in this Internet of Things to conduct a penetration test on. Of course the first thing which came to my mind were smart home devices. We already had a lot of interesting talks about smart home devices. There are like smart coffee machines, smart lawnmowers, light bulbs, thermometers and stuff like that. But this category has two problems. So, first of all, there is already a lot of research done. And the other problem is the impact. So, I don't want to downplay the vulnerabilities which were found there, but when there are vulnerabilities found, I mean, yeah, if there is a DDoS on your lawnmower you can just go out through your garden and mow the lawn yourself. It's not that big of a deal. So I thought I have to select a subcategory where the impact is a little bit more critical. And I came up with the following devices. So, for example: smart dolls. There was this doll Cayla. Some of you might know it. Someone found out that it has a built-in microphone and the data was sent to some dubious service in some dubious countries, and it was even declared as an illegal telecommunication device. It had to be destroyed. Or there is a lot of interesting research on baby monitors. A colleague of mine wrote a very interesting blog post, you should take a look at it. Or devices which affect our body. So, for example smart pacemakers. They were developed by St. Jude Medical, that's the biggest manufacturer of pacemakers in the world. And they built a pacemaker which is programmable via Bluetooth. But yeah, they forgot authentication, which is quite a big of a problem when everyone is able to reprogram your pacemaker. So as we can see, at these categories the impact would be quite critical but there is again a lot of research done. So the deadline was coming closer and closer. I had to hand in some kind of topic for my master thesis. I was doing a lot of brainstorming with myself and then suddenly it came to my mind. There is one category out there where the impact would be very critical. And there is not a lot of research done, and that's the Internet of Dildos. So that's basically the integration of sex toys into the Internet of Things, where we interconnect the dildos with each other and over the Internet. But before I'm going to show you what I've found in this Internet of Dildos, we have to talk about history, because you might think now that's something new. But that's not true, because the Internet of Dildos as we know it has existed for about 50 to 60 years. And as always when there are new inventions or interesting ideas, they first appear in movies, and that also applies to the Internet of Dildos. So, those are quite old movies, we have for example Barbarella or Flash Gordon or Orgazmo. And in those movies, those are real movies, it's not a joke.
laughing
The Internet of Dildos appeared first in these movies. So for example in Barbarella the evil guy used a device called the Orgasmotron to cause such high levels of arousal in humanity as to kill people. So basically the Internet of Dildos was in the 60s and 70s a weapon of mass destruction
loud laughing
and not the weapon of mass pleasure, as it should be. So a few years later a whole research area was formed. This research area is called teledildonics and that's also not a joke again.
laughing
And it was first mentioned by Ted Nelson. He is a technical philosopher and he coined quite well-known terms like Transclusion, Virtuality and Intertwingularity and Teledildonics. And he mentioned this term at first in a book called Computer Lib/Dream Machines. Very interesting book by the way. You should read it. And in this book he did interviews with people who had, yeah, innovative and interesting ideas for the time, but the technology was just not ready yet. He did an interview with a guy called How Wachspress, and How Wachspress developed a device, or had the idea for a device, called Auditac. When you Google for Auditac you find quite an ancient website called auditac.com. And when you dig a little bit deeper you can find out that he's still looking to find a manufacturer to sell his sonic stimulator. Sounds already quite interesting and it even has a patent and a small graphic for it. So it's basically a radio with one input and two outputs. One input, of course, the antenna, and the two outputs are one for the headphones and the other output is for this sonic stimulator, which is inserted from below in the human life-form.
laughing
You can even find the patent on Google Patents and he writes there in his abstract: Random or controlled electronically synthesized signals are converted to sound waves that are directly coupled to the skin of a life form, yeah, such as a human body for example, to stimulate the skin or internal portions of the life-form. So as we can see the ideas were there, but the technology was just not ready in the 1970s and 1980s, but now we're in the year 2018 and we are definitely ready for penetration testing the Internet of Dildos. And before I'm going to talk about the test devices and the vulnerabilities, I'm going to make a promise now. I will try to keep this as serious as possible. I will try to keep the, I will call it the IPM, stimulendos per minute, as low as possible. Yeah, and now I just want to talk about the test devices because those are very important. So I selected three test devices for my master's thesis. On the right side we have the, that's not a joke again, Vibratissimo Panty Buster. That's the real name.
laughing
In the middle we have the MagicMotion Flamingo and on the left side we have the RealLove Lydia. So the devices on the left side and in the middle have one thing in common. They are manufactured in China. The device on the right side is manufactured in Germany. So, I have to admit I was a little bit biased because I thought I am going to take a look at the Chinese devices first, because there will be a lot of low hanging fruits. Question to the audience now: Who believes that I found most of the vulnerabilities in the Chinese devices? Raise your hand.
laughing
Who believes that I have found most of the vulnerabilities in the German device? Who believes that I have found vulnerabilities everywhere?
loud laughing
Yeah, you're basically all right. But when I took a look at the German device, I found so many really, really critical vulnerabilities that I immediately stopped there and wrote my whole thesis about the Panty Buster.
laughing
Okay, so the Panty Buster itself is just one product out of a whole product line. I just bought the Panty Buster because it was the cheapest one. They are basically all using the same backends, the same iOS and Android apps. And yeah, the Panty Buster is basically a device which is connected via Bluetooth to a smartphone and it can be used for example for long distance relationships. But there is way more behind those apps, because there's like a whole social media network built in. You can make group chats
laughing
You can create image galleries, you can maintain friends lists.
loud laughing
Yeah, that's real. That's real. It's not a joke.
applause
Yeah. And now we're going to analyze this Panty Buster and take it down to the last parts. Yeah, we're going to analyze the software. I'm going to tell you a little bit about the transport layer and the hardware of course. So I'd like to start with the software. So, the first vulnerability we have to talk about is so-called information disclosure. So you might think, nah, boring, just some random version numbers. Yeah, that's true, most of the time information disclosures are boring. But in this case it's really critical because I found a so-called .DS_Store file in the web root. A .DS_Store file is basically a metadata file which is created by the macOS Finder and it contains a lot of metadata, like file and folder names. So when you find such a file in a web root you have basically a side channel directory listing. This .DS_Store file has a proprietary format but, as for all problems in life, there is a Python module to decode it. Yeah. And I decoded that .DS_Store file and I was presented with the following contents. So it's basically a side channel directory listing of the web root. There are a lot of interesting files and folders, so for example: old page example, I have no idea why it's there in the productive environment. There is a database folder, but the most interesting folder is the config folder. So when we get to the config folder, there was real directory listing enabled and there was one file in there and it was called config.php.inc with the following contents. So basically I had now access to the database hostname, the database names, usernames and passwords. The problem now was that, as we can see, the database host is just localhost, so there might be a chance that it's not directly reachable via the Internet. And we have to find the so-called exposed administrative interface to connect to the database. Yeah, of course the first thing I did was to do a portscan.
laughing
applause
A lot of interesting ports. Sadly no SQL ports. But some of you might remember this, let's call it weird brown-orange web application, called phpMyAdmin, and I found a subdomain which contained the phpMyAdmin installation and I was able to use those credentials to connect directly to the database and get access to all the data.
applause
So I basically had access now to the real life addresses, to messages in clear text which were exchanged, images, videos and a lot of other stuff. So, yeah. And what hurt me the most was the following slide, because the passwords were stored in clear text and that's really not necessary in the 21st century. Okay. So in real life about 30 minutes have passed by
loud laughing
and I tried to do a write-up as fast as possible and submitted it to the German CERT-Bund. And yeah, a few minutes later, I got a really interesting call from the German CERT-Bund. They told me that they already informed the manufacturer and they're already trying to fix those problems. So my problem was now that I still had to write my master thesis and I just have content for about 30 pages now and I need like a hundred pages. So I did a little bit more research and found way more vulnerabilities of course. And the next vulnerability I'm going to talk about is the so-called Insecure Direct Object Reference. Sounds cryptic, but it isn't. It's basically always a vulnerability which consists of two sub-problems. So the first problem is, when someone uploads resources to a backend, those resources are most of the time renamed to like a random string which shouldn't be guessable. The first problem would be if it would be guessable. But the second thing is, there should be authorization checks in place. So if someone is able to guess those unique identifiers, there should still be some like process which should check if the user should even be able to download these resources. And in this case, yeah, it was just really easy to guess the identifiers and there was no authorization whatsoever. And I had to learn this the hard way, literally. There is a feature in the smartphone apps called galleries. So you can create galleries, you can set the visibility to: no one is able to see it, just your friends are able to see it, everyone is able to see it. You can even set a password on those galleries. Yeah. And just for a test I created a gallery with a few cats and when you request the gallery, you see the following request. It's userManager.php blah blah blah, username, password and some ID. And I thought maybe I should change this ID. And I was presented with a dick pic.
laughing
Yeah, the problem behind this is quite easy. Everything which is stored on the server is renamed to a global counter. The global counter is incremented by one after every upload. And there are no authorization checks whatsoever, because the images are just stored on a server, so it doesn't matter if you set a password or set the visibility. That's just nonsense to do. OK. So the next vulnerability. Yeah, I call it improper authentication. To be honest it was just a weird authentication. At SEC Consult I saw already a lot of different ways of implementing authentication. Some are good, some are bad, but it can be fixed. But in this case it was just weird, I've never seen something like that. It's basically like HTTP basic authentication but a little bit worse.
laughing
So normally authentication works as follows. You're sending a username and password to a server and if this process is successful you get some kind of authorization information like a cookie or an API token. You can use this cookie or API token to authorize all the other requests. In this case every request contains just username and password in clear text to authenticate the requests. That's just weird, to be honest. And also if your password is compromised, it will also mean that you have to change your username because it's part of the authentication information. So weird, weird implementation. Okay, the next vulnerability is called the remote pleasure version 1.0. It's 1.0 because there is a 2.0.
laughing
There is a feature in those apps where you can create remote control links. They can be sent via SMS or email and everyone who is in possession of those links can directly control the devices. There is no extra confirmation needed. We'll take a look at the email now. There is a button in the email called Quick Control and there is an ID again. Yeah, the thing is, it's just a global counter again. And what an attacker can do now is download the app, create his own quick control link, decrement the ID and pleasure just random strangers on the Internet.
applause
Okay, I will show you guys a video now, where I'm doing exactly that.
laughing
So when the video is going to start... It's going to start, perfect. On the right side we're going to see an attacker device which is just connected to the normal mobile network. And the attacker creates his own quick control link and decrements the ID. On the left side we can see another smartphone which is connected to Wi-Fi, to have Internet access, and via Bluetooth to the smart sex toy. This attacker device should now be able to control, yeah, you can see that now, in a few seconds. That's just what I explained.
silence
laughing
There is no confirmation whatsoever, so you can directly control all the devices. Okay, I have to stop talking about software now. There is a lot more like cross-site scripting, HTTPS problems, outdated software, but there is not enough time left now, so we have to talk about the transport layer. Before I'm going to tell you something about the vulnerabilities I have identified, I will tell you something about Bluetooth Low Energy in general, the security basics and how authentication and encryption works on a very high level. So you can imagine that Bluetooth Low Energy basically works like a web API. So it's a very high level explanation. You have API endpoints. Those are the service characteristics and you have properties where you can read and write to. So for example the device name can be read or written to change the device name. There are also a lot of other characteristics which will be very important when it comes to remote pleasure version 2.0 a little bit later. So that's a very high level explanation, I know, but we don't have enough time left. Talking about the security basics, Bluetooth Low Energy is using AES-CCM, that's Counter with CBC-MAC. That's basically considered secure, but as we know, security also depends on the key material and the key exchange. At Bluetooth Low Energy the key exchange is defined as the pairing methods. For Bluetooth Low Energy we have five pairing methods. We have just "No Pairing". So yeah, we basically throw packets into the air and if a device is nearby it tries to do something with those packets. We have "Just Works", we have "Out of Band Pairing", "Passkey" and "Numeric Comparison". I don't have to tell you the details now. You all know those. It's numeric comparison, where we compare numbers to exchange the key material. You have the Passkey, which is, yeah, like always 0000 or 1234. We have Out of Band Pairing, where the key material is exchanged via NFC for example, and we have Just Works, that's really secure, where the key is just set to zero and can of course be brute forced with ease, but it just works of course. So out of those five methods, what does the audience think the sex toy is using? Is it using no pairing? Raise your hands. Is it using any of the other more or less secure methods? Yeah. It's using no pairing.
laughing
That means that the Android and iOS apps just throw the packets into the air and if a device is nearby, it starts to vibrate
laughing
and that's of course easily exploitable, you can just sniff the real traffic and repeat it. I did exactly that using a so-called Bluetooth Low Energy sniffer. I used a Bluefruit device, it works very well, and I placed it between the sex toy and the smartphone app. I sniffed the traffic using Wireshark and I found some interesting endpoints or handles. There is the 1F handle, which is like an initialization handle, and there is the handle 25, where you can send values from 00 to FF to set the vibration intensity. Yeah, and now it's time for a little bit of War-dildoing. I wrote a small Python proof of concept which basically scans the air for Bluetooth Low Energy devices. If it finds a device, it tries to find out if it is a sex toy and if yes, yeah, it basically turns it on to 100%, to FF.
laughing
So the next thing I want to talk about is not that funny. So please don't laugh now, because when we released this, a lot of people on Twitter asked "Is this rape?", so serious topic. For example the evil attacker is using my War-dildoing script in the metro, in the U-Bahn in Vienna. And he would just pleasure random strangers. Is this rape? In Austria we have two different things. We have rape and sexual assault and they have two preconditions. So that's violence, eh, three preconditions. We have violence, threats or deprivation of liberty, which is just not the case in this scenario. But we have a special paragraph called, phew, that's really hard to translate. It's called the Po-Grapsch paragraph. I know that's a little bit different in Germany and I'm not a law expert, so I just kept the Austrian laws, which could be verified by tourists. According to this paragraph this would be an unwanted sexual act via a third party object. So it's not rape, but it's an unwanted sexual act. Okay. The hardware. Last but not least. The biggest problem is that firmware updates are not possible. That was confirmed by the manufacturer. The problem here is a lot of vulnerabilities can just be fixed by doing firmware updates, and the manufacturer came up with the idea that the end users can send in their smart sex toys to do a firmware update, and I'm quite sure that nobody's sending in their used devices to conduct a firmware update. The other problems are debug interfaces. They just forgot to remove or deactivate the serial interfaces on the sex toys. It's just really easy to extract the firmware and do a little bit more research on the firmware. Okay. So you might now think: I still want to use smart sex toys. What can I do? Yeah, the tin foil is not working.
loud laughing
applause
But there are a lot of interesting open source projects out there. So first of all the most famous project is the Internet of Dongs project. There is a really interesting person behind that. He's called RenderMan. You can find him on Twitter. He invented this project to make this whole Internet of Dongs a little bit safer. And he's doing like penetration tests and stuff like that and he's even handing out DVEs. So that's the equivalent to CVEs. Then we have buttplug.io and Metafetish. They are developing open source firmwares for a lot of different sex toys and they're independent from all the manufacturers. And there is also something called Onion Dildonics
laughing
which has the goal of rerouting all the smart sex toy traffic over the Tor network to make it a little bit safer.
applause
OK. There is one more thing. I had a lot of calls together with the manufacturer and the German CERT-Bund. And one call was outstanding because we were discussing the remote pleasure vulnerabilities. And we tried to explain to the manufacturer that it's not good that you can basically out of the box pleasure everyone on the Internet or if you're nearby. We told them that it should be at least like an opt-in feature, where you can switch on this feature in the apps, but the manufacturer said no, that's not possible because, at least they believed that, most of our customers are in swinger clubs and you don't know beforehand who is in the swinger club. So there is just no opt-in in a swinger club, because you're basically always in. Thank you.
applause
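The two web-side patterns the speaker describes, the gallery IDs named by a global counter with no authorization check and the username/password pair carried on every request, are shown below as an added example in Python, placed after the talk. It is not the speaker's code and not the manufacturer's backend: both backends are in-memory stand-ins with constructed users and galleries, and the hardened variant (random IDs, a per-request ownership/friends check, a session token issued after a salted PBKDF2 login) is one reasonable fix, not the one the manufacturer shipped. The remote-control "Quick Control" links follow the same counter pattern, so the same enumeration applies to them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


@dataclass
class Gallery:
    owner: str
    visibility: str   # "private", "friends" or "public"
    image: bytes


class VulnerableBackend:
    """The pattern the talk describes: every upload is named by a global
    counter, and fetch() looks the resource up by that ID alone. Username
    and password are carried on every request but never tied to the
    resource, so they are accepted here and ignored."""

    def __init__(self):
        self._counter = 0
        self._galleries = {}

    def upload(self, owner, visibility, image):
        self._counter += 1                           # predictable, sequential ID
        self._galleries[self._counter] = Gallery(owner, visibility, image)
        return self._counter

    def fetch(self, username, password, gallery_id):
        gallery = self._galleries.get(gallery_id)    # no authorization check
        return None if gallery is None else gallery.image


def enumerate_galleries(backend, username, password, own_id):
    """What the attacker in the talk does: start from an ID he legitimately
    owns, decrement, and keep whatever the server hands back."""
    found = {}
    for gid in range(own_id - 1, 0, -1):
        image = backend.fetch(username, password, gid)
        if image is not None:
            found[gid] = image
    return found


class HardenedBackend:
    """Random, unguessable IDs plus an authorization check on every fetch.
    The password is verified once at login (salted PBKDF2, constant-time
    compare) and replaced by a session token for all later requests."""

    def __init__(self):
        self._users = {}       # username -> (salt, pbkdf2 digest)
        self._friends = {}     # username -> set of usernames
        self._sessions = {}    # token -> username
        self._galleries = {}   # random id -> Gallery

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password, friends=()):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))
        self._friends[username] = set(friends)

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            raise PermissionError("bad credentials")
        salt, digest = record
        if not hmac.compare_digest(self._digest(password, salt), digest):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def upload(self, token, visibility, image):
        owner = self._sessions[token]
        gid = secrets.token_urlsafe(16)                # 128 random bits, not a counter
        self._galleries[gid] = Gallery(owner, visibility, image)
        return gid

    def fetch(self, token, gallery_id):
        requester = self._sessions.get(token)
        gallery = self._galleries.get(gallery_id)
        # "does not exist" and "not allowed" get the same answer, so a
        # guessed ID cannot even be confirmed to exist
        if requester is None or gallery is None or not self._may_view(requester, gallery):
            raise PermissionError("not found")
        return gallery.image

    def _may_view(self, requester, gallery):
        if requester == gallery.owner or gallery.visibility == "public":
            return True
        if gallery.visibility == "friends":
            return requester in self._friends.get(gallery.owner, set())
        return False
```

Against `VulnerableBackend`, `enumerate_galleries` walks every earlier upload regardless of its visibility setting, which is exactly why the gallery password and the "friends only" flag in the app change nothing. Against `HardenedBackend` the same walk has nothing to iterate over, and even a leaked ID is only served after the friends check, while a compromised password no longer forces a username change because the password is not part of per-request authentication.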
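The transport-layer part of the talk, sniffing the unpaired Bluetooth Low Energy link and replaying the writes to handle 0x25, is shown below at the ATT level as a second added example in Python. It is not the speaker's War-dildoing script. The ATT opcodes (Write Request 0x12, Write Response 0x13, Write Command 0x52) and the little-endian handle layout are from the Bluetooth specification; the handles 0x1F and 0x25 and the 00..FF intensity byte are from the talk; the init value 0x01 and the "sniffed" byte strings are constructed assumptions, as is any radio transport, which is deliberately left out so the block runs offline.

```python
import struct

# ATT opcodes from the Bluetooth Core Specification (Attribute Protocol)
ATT_WRITE_REQ = 0x12   # Write Request, peer answers with Write Response (0x13)
ATT_WRITE_RSP = 0x13
ATT_WRITE_CMD = 0x52   # Write Command, no response

# Handles seen in the talk's Wireshark capture
HANDLE_INIT = 0x1F        # "initialization" handle
HANDLE_INTENSITY = 0x25   # one byte, 0x00 .. 0xFF vibration intensity


def encode_write(handle, value, with_response=True):
    """Build an ATT write PDU: opcode, 16-bit little-endian handle, value."""
    opcode = ATT_WRITE_REQ if with_response else ATT_WRITE_CMD
    return struct.pack("<BH", opcode, handle) + bytes(value)


def decode_write(pdu):
    """Parse a sniffed PDU; raise ValueError for anything that is not a write."""
    if len(pdu) < 3 or pdu[0] not in (ATT_WRITE_REQ, ATT_WRITE_CMD):
        raise ValueError("not an ATT write PDU")
    opcode, handle = struct.unpack_from("<BH", pdu)
    return {"opcode": opcode, "handle": handle, "value": bytes(pdu[3:])}


def extract_replay(capture):
    """Keep the writes from a capture, in order. With "No Pairing" the link
    carries no session key and is not encrypted, so this list can be sent
    again verbatim; with any pairing method in use the sniffer would only
    see ciphertext and the replay would fail."""
    writes = []
    for pdu in capture:
        try:
            writes.append(decode_write(pdu))
        except ValueError:
            continue   # Write Responses, notifications and the like
    return writes


def intensity_sequence(writes):
    """The intensities the app set, in order, from writes to handle 0x25."""
    return [w["value"][0] for w in writes
            if w["handle"] == HANDLE_INTENSITY and len(w["value"]) == 1]


def build_full_on(init_value=b"\x01", intensity=0xFF):
    """The "turn it to FF" step: init handle first, then the intensity byte.
    The init value is an assumption; the talk does not state it."""
    if not 0 <= intensity <= 0xFF:
        raise ValueError("intensity is a single byte")
    return [encode_write(HANDLE_INIT, init_value),
            encode_write(HANDLE_INTENSITY, bytes([intensity]))]


# Constructed stand-in for the sniffed exchange (not real capture data):
# app writes init, device acks, app sets intensity 0x40 and then 0xFF.
SNIFFED = [
    b"\x12\x1f\x00\x01",   # Write Request, handle 0x001F, value 0x01
    b"\x13",               # Write Response
    b"\x12\x25\x00\x40",   # Write Request, handle 0x0025, value 0x40
    b"\x13",
    b"\x12\x25\x00\xff",
    b"\x13",
]
```

Feeding the PDUs from `extract_replay` to any BLE client library's raw write call reproduces the original session, which is the whole point of the "No Pairing" finding: the device cannot distinguish the app's writes from anyone else's. The check a reviewer of such a device would want is that the same replay fails once the characteristic requires an encrypted, authenticated link.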
Herald Angel: Secretary of Education, you are now taking questions. We have five microphones, two in the front and three in the back. So please line up and ask whatever you want. So apparently people on Twitter are engaged in a drinking game where they were drinking every time you said penetration testing.
loud laughing
applause
Herald: In the meantime we have a question from microphone number two.
Question: Did you come across anything with the patent trolls in teledildonics?
Answer: I came across what, sorry?
Q: Patent trolls. There is an issue with the teledildonics patent and some companies have been threatened to go out of business because of frivolous lawsuits.
A: Yes. Yes, there was the, I guess it was called the teledildonics appreciation day in August because the patent ended. So you can basically use the term wherever you want.
Herald: Thank you. Microphone number three please.
Q: So this was very funny obviously. And you showed us the really low hanging fruit. On the website, in the database, you would have been able to see the social graph of the users. I don't know if you have managed to look at other devices. Can you elaborate a little bit more on something that I believe is more serious, which is the profiling of users' behavior, social networks and so on?
A: So of course I didn't take a look at all the data because it was so critical in my opinion that I directly contacted the CERT-Bund. So I can't give you any information about the data, of course. I also took a look at things like tracking and stuff like that, and in this case there was not a lot of tracking going on at the German sex toys. But when you compared it to the Chinese sex toys, there is way more tracking and stuff like that going on. But I didn't take a detailed look into that.
Herald: Thank you. Thank you again for the educational and entertaining talk, and hopefully a lot of rounds of applause.
applause
35c3 postroll music
subtitles created by c3subtitles.de in the year 2019. Join, and help us!