34c3 intro

Herald: So, to our next talk... Sit and relax, you know what that means. A glass of wine or mate, your favorite easy chair, and of course your latest WIFI-enabled toy compromising your intimate moments. Barbara Wimmer, as a free author and journalist, will tell you more about the Internet of Fails, will tell you more about where IoT goes wrong. She's a free author and journalist at futurezone.at, (DORF?), and will in the near future release one or two public stories and a book. Applause!

applause
Barbara Wimmer: Hello everybody. I'm waiting for my slides to appear on the screen. Where are my slides please? Those are not my slides. Oh, thank you very much. So welcome to the talk Internet of Fails: when IoT has gone wrong. This is a very negative topic title actually, and you're getting a lot of negative stories in this next hour, but I don't want to talk only about negative things, so you can see "FAIL" as a "first attempt in learning". So actually at the end of the talk I want to talk about solutions as well, and I don't want to provide only bad and negative examples, because that's what we hear every day. And this is perfect for the congress motto "tuwat", because this is all about let's tuwat together. So most of you in this room will not know me. So I'm going to introduce myself a little bit and why I'm talking to you about this topic, because that's probably what everybody asks me when I appear somewhere and say "Oh, I give talks about IoT." So actually I have worked as an IT journalist for more than 12 years. And I got in contact with the internet of things in 2014 when I talked to the local CERT.at team in Austria. I'm from Vienna. And they first told me that the first refrigerator was caught that was sending out spam mails, and that was in 2014, and actually that was really a funny story back then and we were laughing about it, but at the same time we already knew that there is something coming up which is going to be a huge development, and so from back then I watched the whole IoT development in terms of security and privacy. And in the next 45 min you will hear a lot of stuff about IoT, and where the problem with IoT currently is, and examples of fails in terms of security and privacy. But like I mentioned before, I wanna talk about solutions, and when we talk about solutions it will not be like only one side, like only the consumer, only the IT security, only developers.
Actually what I'm not going to provide is detailed IT security stuff. So if you wanna focus more on any story that I'm talking about, I'm mentioning most of the sources in the slides, and if you really wanna know how this example came up, please look it up if you're really deeply interested in it. I'm a journalist and not an IT security person, so please don't expect me to go into details in this talk. That's why it's also in the ethics section of the congress and not the security part. So coming to the internet of things, I want to start with a few numbers, because these numbers show the development of IoT. In 2016 we had 6.3 billion devices out there. This year we already had 8.3 billion devices, and in 2020 we are going to have 20.4 billion connected devices out there. So the numbers are from the Gartner Institute from January, and I have one more slide with more accurate data from June this year, and actually this slide shows that the development is really growing: 17% more compared to the previous year. And by 2021 global IoT spending is expected to reach about 1.4 trillion dollars. So maybe some of you are asking yourself: What is the internet of things?
Maybe some of you expected I'm only talking about a smart home, because IoT is often related to the smart home. And we're having all the smart devices that we put into our living rooms, but that's actually not the main focus, because it's more about the connected everything. Which means toys, sex toys, home automation, lightbulbs, surveillance cameras, thermostats, but also digital assistants and wearables. So I wanna start with a few examples of classical internet of things stuff, which is actually a smart coffee maker. So what is smart about a coffee maker? It doesn't get smart when you regulate your coffee machine by app, because what's smart about that? You can just press the button on the machine. But when you connect your coffee machine with fitness and sleeping trackers, the coffee machine already knows when you get up, if you need a strong or soft coffee in the morning, and so that might sound comfortable for some of us, but it also has a lot of dangers inside, because you never know that the data is really safe and only stays with you. Maybe your insurance company gets it one day. So you all know Cars, probably, the film, and this is McLightning Queen, and it got a toy nowadays which is sold for 350 dollars - no sorry, euros - and this car is able to sit next to you and watch the film with you and is going to comment on the film.

laughter
And this sounds very funny - and it is funny - but it means that it has a microphone integrated which is waiting for the terms in the film in the right stories, and then it makes comments. And the microphone can only be turned off by app, so there's no physical button to turn it off. And actually another thing is, when you actually got this present for Christmas, which is a really expensive present with 350 euros, it's actually first updating for more than 35 min before you can even use it. The next example - you're already laughing - is internet of... I call it internet of shit, because you can't say anything else to that example. It's a toilet IoT sensor, which is actually a smart, small little box which is put into the toilet. And this box has sensors. It's an Intel box, but I don't know, and this box has sensors, and these sensors help analyzing the stool. And this data that is collected is going to be sent into the cloud. And actually this could be very useful for people who have chronic diseases like Colitis Ulcerosa or other chronic diseases with the digestion stuff, but it is mainly designed for healthy people who want to have better nutrition and reduce their stress levels with the stool analysis. And maybe it sounds good at the beginning, but this data that is collected could also be used for other things in the future. So it's a perfect example for internet of shit. But there is another internet of shit, which is a twitter account that collects all these funny little stories.
It's not from me, so I'm not behind that. I tried to reach the person but I never got a reply, so I can't tell you anything about them, but they collect examples - if you don't follow them now and are interested in this topic, you might do so after this talk. So after presenting a couple of IoT examples with the good and a bit of the bad sides, I first wanna focus a little bit on the problem, because as I said before, you might now think that everything is nice, comfortable, why shouldn't we do that, and stuff like that. So the problem is that most of the vendors that are doing IoT stuff now, that start to connect everything, they were creating manually operated devices without connectivity for long years, and they had a lot of knowledge in terms of materials, ergonomics, mechanical engineering, but almost zero in the fields of IT security.
Actually I don't say that without having talked to vendors that have said exactly that when I interviewed them. Like, there was a lightbulb vendor from Austria, who is a really big vendor, who has been making lightbulbs for years and years and years, and actually they started to make connected lightbulbs in 2015, and when they did that I asked them "Oh, how big is your IT security department?" "One person." So they didn't actually have the knowledge that IT security might be more important when they start to connect things. And actually the result is that these vendors are making the same sort of security errors that the high-tech industry was dealing with 15 years ago. So the early 2000s called and want their web security, their lack of security, back. So there are all kinds of problems we already know from the past: hardcoded passwords, insecure bluetooth connections, permanent cloud server connections, and a lot of other stuff. So from all these 20 billion devices out there, there will be a lot of insecure devices, and the problem is that they are collecting into a botnet and are starting DDoS attacks, and we are going to have internet outages. For those who are not familiar with the terms, I made a really really really short explanation so that you also understand what I am talking about. A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Like the example of the refrigerator that was sending out spam I told you about earlier. This one refrigerator was sending out 750,000 spam mails, by the way. So the botnet has a botnet owner of course, because it's not only a zombie botnet, and the botnet owner can control this network of infected computers by issuing commands to perform malicious activities like DDoS attacks. So DDoS is a distributed denial of service attack, and actually that's an attempt to stop legitimate users from accessing the data normally available on a website. And this actually can lead to a complete shutdown of a service. And we had this already, so I'm not talking about something in the far future, but we had this in 2016, and most people already recognized it but didn't recognize why: their twitter accounts did not work, they couldn't use Reddit, or Spotify, or they couldn't pay with PayPal at the moment. And behind that attack was Mirai, so several other major services were offline because an infrastructure provider was attacked by zombie IoT devices. And this was one year ago, and now one year later Mirai botnet infections are still widespread, so not every zombie device is already secured, so there are still some around, and not so few, and actually there is a study saying that every security hole that's there is staying there for at least 7 years, which means that all the insecure devices which are out now could get infected and could stay infected for 7 years. So that's why it's very important that we are going to do something really quickly and not start in 2020. So Mirai was supposed to continue in 2017, and actually a lot of DDoS attacks similar to Mirai happened in 2017. This, as an example, could unleash at any moment - which was in November - and a few days later exactly this attack was unleashed, so it happened. In 2017 we also had a huge increase in DDoS attacks, a 91% increase from Q1, and it's going to increase more. I have to take a short sip, sorry.
Now we're coming back to examples. One really good example is the university that was attacked by its own vending machines and smart lightbulbs and 5000 other IoT devices. This was very very difficult to get fixed, because they couldn't take the university network down, so they had to find a really difficult solution to get it back up. And actually how did they even notice it? Because the students complained that the internet was going so slow. Another example, which has nothing to do with DDoS attacks anymore but with IoT sensors: in a fish tank in an American casino - a North American casino - there were sensors measuring the temperature of the aquarium and the fish tank, so that the fish didn't die, and these sensors were sending the data to a PC of this casino, and this PC was using the same network as the sensors, so actually the cybercriminals could access this data of the casino and were stealing it and sending it to their own servers in Finland. And the amount was about 10 GB of data. Another example, which is actually - I don't know why, but it's the example I personally like most of all the examples that I collected in 2017. So there was a surveillance camera bought by a woman from the Netherlands. Actually she wanted to surveil her dog when she was out at work, but what did this camera do? It did surveil the dog when she was out at work, but when she was at home the camera followed her through the room and was watching her all over the place. And it had a microphone integrated, and one day it started to talk to her and it said "hola señorita". And this woman was so frightened that she actually started to record that, because she thought that nobody will buy this story, all will think I'm crazy, but this camera actually did not surveil the dog but was hacked and surveilled her. And it was a very cheap camera, by the way. She bought it in a supermarket, but we don't know the name of the vendor in this case. So coming from a very cheap camera to a very high-tech camera: the camera you see here is one that is actually built into a lot of companies, and there was a security hole found by some Vienna security specialists from SEC Consult, and actually they demonstrated to me how they could actually hack into this camera and how they could make it possible that this camera shows pictures of an empty room in a bank, so the pictures from the empty room in the bank were shown to me and in reality the bank was robbed - ok, not in reality. But it could have been robbed. So that's actually sounding a little bit like a movie scene, and actually this camera, which is sold as a security camera, is kind of useless when it doesn't have security and it doesn't really show the picture. And the problem with this camera was hardcoded passwords.
And the hardcoded password got fixed afterwards, so it was a responsible disclosure process, and this camera is safe now. So I'm coming to a different example now. And this now finally explains why this toy is sitting here. Before my talk everybody was telling me "Ah, you brought your favorite toy to protect you during your talk," and I was laughing "Oh no. No no no no, it's one of the most insecure devices out there." But before we come to this one in particular, I'm going to talk a little bit about connected toys. So the German Stiftung Warentest had made a study regarding connected toys. The people were testing them, and actually all of their tested bears, robot dogs and dolls were very very insecure, and some of them were even critical, and some are extremely critical and others were critical. And actually what was the problem with the toys, and also with this one? They are using bluetooth connections. And these bluetooth connections are not secured by a password or a PIN code. So every smartphone user close enough could connect to the toy and listen to children, or ask questions, or threaten them. And another problem are the data-collecting apps related to this stuff. So actually this little unicorn has an app where you can send the messages. So what does this actually do? It can play messages, and as a child you can record messages and send them to your mom or your dad. And when you play messages, the heart blinks. So actually there's a message waiting for you now. And I'm not sure if it's the same that I recorded earlier. Maybe now it is, maybe at the end of the talk when I press the button again it might not be. And so everybody can - err, sorry - this device does have an app where you can send the message to.
And it also has a children's interface, and when you are using the children's interface you're seeing that there are ads integrated. And in the children's interface there were ads for porn and ehm... other stuff, which is not really in the best hands of a child. And this is also what Stiftung Warentest has actually found out. The data is also sent to third-party companies, and they put trackers to control the online behavior of their parents. This is also done with this device. So Stiftung Warentest advises that a not-connectible dumb teddy might be the smarter choice in the future. And before I finally press this button - you're probably curious now - first I'm going to talk a little bit about Cayla. You probably have heard of Cayla as a very insecure doll. Actually it got forbidden in Germany by law. It is judged as a prohibited broadcasting station. And parents who do not destroy it will actually be fined. And I tried to buy Cayla in Austria and didn't get the doll. So actually it should be really off the market in the German-speaking area. And actually that is also a result of a campaign from Norway called Toyfail, which is a Norwegian consumer organization who are actually - this is Cayla, you can see her now - which is actually going to the European Parliament to make them understand how insecure toys are doing a lot of harm and how we should put more security into toys. And I've brought a short little video, and I hope we can hear the audio here as well. We will see. No. You don't hear anything.
But this doesn't matter, because they have...

Sign Language Interpreter: subtitles

Barbara: subtitles.

Person (Video): There's not added any kind of security. With simple steps I can talk through the doll and listen to other people.

Person through doll (Video): No one wants others to speak directly through the doll.

Barbara: He's speaking now at the moment.

Doll: inaudible

Person: And you may think... [see video subs] ... Cayla, can I trust you?

Doll: I don't know.

laughter

applause

Barbara: Yeah, and we don't trust Cayla, and we also don't trust our little unicorn.

button clicking

laughter

crying baby in background

Barbara: Ok, somebody has hacked it.

laughter

Yes.

Unicorn Toy: Hello, Chaos Communication Congress.

Barbara: Ok, that's what I recorded earlier. But there is some time left. Maybe, maybe... but you're all sitting too far away actually, and none of you brought your computer, so... but we will see, we will try it later on. So, but actually you shouldn't trust this unicorn, because this unicorn is from the company called Cloudpets, which is a - no sorry, it's a toy called Cloudpet and the company is Spiral Toys from the US. So this is Cloudpet, and there are cats and dogs and unicorns, and it's very ugly, but it's a unicorn. And actually now I'm already talking a lot about this. Why am I explaining this to you now? There already was a data breach with this toy, so the children's messages in Cloudpets' data actually were stolen and were public on the internet. 2 million voice messages recorded on the cuddly toys have been discovered free on the internet. And actually Spiral Toys say that there was no data breach, but the data was there, so... That's also why I brought this; it was still very easily available, and actually as I said before, the app's child interface shows porn ads, so I would not recommend that for your child. Actually there are already a lot of institutions out there which are warning about connected toys, also the consumer group Which?, which actually did a study about this and others, like also the Furby Connect they analyzed, the German Stiftung Warentest, the Austrian Verein für Konsumenteninformation, the Norwegian consumer council, and the FBI. The list is to be continued. So consider if you really need a connected toy for your child or yourself, because the next section is about sex toys.
laughter

applause

squeaky horn

more laughter and applause

I am not... It's not necessary to say a lot about this example. It's actually a connected vibrator that has a built-in camera, and this camera is very very very unsafe. Also this toy is really expensive, so you can't say "Eh, it's only the cheap stuff that is so insecure." Also the high-tech stuff can be really insecure. I mean, this vibrator costs 250 dollars, so it's very expensive, and it has a built-in web-connected endoscope, and they found out that it's massively insecure. The password of this... And if you forgot to change it, there are a few more players than expected that might be watching your newest video about your private sex adventures. There was another example actually in this - sorry, go back one more time to this example - there's a very funny video about it on youtube, maybe you wanna watch it. I didn't bring it because I couldn't reach the makers of it. So I'm going to the next example, which is about a case of a sex toy company that actually admits to recording users' remote sex sessions, and it called it a "minor bug". It was this love sensor remote app, you can see the icon here, and actually this is a vibrator and an app, and the vibrator-controlling app was recording all the sex sounds, all the sounds you're making when you're using this vibrator, and stores them on the phone without your knowledge. And the company says that no information or data was sent to the servers, so this audio file exists only temporarily and only on your device. And they already had an update, so actually this is not as funny as the other story, but still it's an example of how insecure sex stuff can be. So there are lots of more sex examples out there. One you should actually definitely search for after - please don't search for it now, but after this talk. You could google or duckduckgo or whatever you use the terms "blowjob injection". And please add "security", because otherwise you will land on other sites.

laughter
And this was a female security expert who was doing this research about a device which actually was supposed to let your girlfriend make you a special blowjob program, your special blowjob, and this could be hacked, so somebody else's blowjob might appear instead of your own.

laughter

So there's also a story about a map of buttplugs in Berlin that are insecure. Also, if you're interested in that, please also search for that story. Because it's funny to talk about this, but I also wanna talk a little bit about things that we could actually do. And one of the projects in this part is actually doing something that's called the "Internet of Dongs project - hacking sex toys for security and privacy". And as you can see it's supported by PornHub, which in this case means that they get money from PornHub so that they can buy sex toys for their research. So PornHub is sponsoring them.
Actually I did talk to the guy who is behind this project. He's called Renderman. That's a render of him, and this is the website, by the way. So he told me they're currently a team of about 15-20 people out there that are doing their security research in their own spare time. And they are not getting any money for it, and they also don't want to get any money, but they are already looking for more security experts that wanna join the team, and they also have an ethical codex and stuff like that, and actually one of the most important things that he was telling me is that he doesn't want that you should stay off connected sex toys at all, but to find the security holes so that we are all able to use them if we want, without any fear. So yeah, you can get in contact with him if you're interested. Coming to a different section now. You can see I'm switching from security to security and privacy, and now I've landed on the privacy section. This is Google Home. And we all know that there is also Amazon Echo, and digital assistants are also smart IoT devices, and this is why I wanna talk a very very short time about them, because I'm sure a lot of people got those devices for Christmas. Actually there was a big increase of digital assistants in the last year: in quarter 3 of 2016 there were only 900,000 of such devices sold, and in quarter 3 of 2017 we had more than 7.4 million of those devices sold. So there's a huge increase, and we don't even have the numbers of the Christmas time. Yeah, you have seen it. So why I wanna talk about it: because when you put this kind of stuff in your home, it might be very comfortable at the beginning, because you don't have to look up the weather information, you don't have to read your emails, you can make the device read your own emails, you can use them to program your list of what you're going to buy, and stuff like that, but that's how they learn a lot about the user's habits and their personalities, and those devices will learn more and more information about you, and this information does not stay in your own home, it actually is going to be sent to the servers of Amazon and Google, and I don't need to tell you what Amazon and Google are doing with this data. At least currently they are only collecting it, but that's very valuable, and they turn around and use it or sell it in various ways to monetize that information one of these days. So all digital assistants send the voice controls that are made after "Ok, Google" or "Alexa" to their servers, and the data will be saved there, and it was not possible for me to find out for how long and at which servers. It's not in their terms and conditions, and I couldn't find it anywhere. So also the German data privacy delegate Andrea Voßhoff didn't find this information. She criticized that "It is not easy for users to understand how, to what extent and where the information collected is processed. Also, it is not clear how long the data will be stored." So if you still want those devices in your home now, there is at least a physical mute button with Google Home and Amazon Echo, and you can also change the settings to control the data, so all the data that is collected is regularly deleted from the servers, but of course you never know in how many backups it's collected as well. So yes, it's only recording after this voice control, but both devices already got hacked, and yeah - Amazon Echo got hacked in 2016 and Google Mini got hacked in 2017; of course both problems got fixed, and when I say got hacked, it means that the devices in your home were listening to the conversations all the time. So I'm coming - unfortunately the funny examples are over.
I'm coming to the part where I wanna speak about what we can do against the lack of security and lack of privacy with the internet of things. So we are currently having the status quo where we have an information asymmetry between the vendor and the customer. Currently the manufacturers do not need to provide simple information but(?) on the security of a device, such as how long it will receive security updates. So when we buy a device we never know... oh, is it going to be safe or not? So what we need... actually what we need. I wrote down a couple of things here which are partly stolen from the green MEP Jan Philipp Albrecht, from his program, because he's dealing a lot with that kind of question of what we can do in his work, and I also was stealing some of those suggestions from Renderman from the Internet of Dongs project; he also had some helpful tips. And I also stole some of the information from security experts I talked to in interviews all of the time, because we never talk only about the bad things, we all want to get the internet of things safer at the end. So some of them suggested that we could need a security star rating system similar to the energy labeling. And when we talk about security star ratings, that could mean that we use a label. When a device gets security updates for free for the next five years, it gets the A++ label; if there are no updates at all and it stays insecure, it gets the worst rating, or such things. Actually vendors should also be forced to close security holes instead of ignoring them. And they should provide the security researchers with email addresses where they can easily report security flaws, because sometimes the hardest part of the game is to actually find the right contact to send out the information about what is insecure and what's not. What we also need is a mandatory offline mode for electronic devices, so this device at least has a button where you can turn it off, so it doesn't listen to you permanently. And we need that for all devices - all connected devices. Also an airbag and seatbelt for the digital age, and we also have to talk about product liability and a clear update policy. So there are also good examples that we are having now. Actually all that I was talking about here is regulation.
Regulation that is not existing at the moment. But there is some regulation that does exist in the area of data, which is the GDPR, the General Data Protection Regulation, which is coming up in May 2018, and it has included some really really really helpful things: privacy by design and privacy by default. And more possibilities for law enforcement. And this is very very important, because it doesn't mean that because we are going to have a regulation about privacy by design and privacy by default, this is really done by the vendors. Actually when I was interviewing some of them, they already told me that it's not their plan to integrate that in their products, they are going to wait until they are sued. They say "Oh, we don't need it, why should we do it, it worked until now - nope." So that's why the law enforcement comes into place, and maybe some of you know Max Schrems, he's also speaking here in two days, about something else though, and he's a data protection activist. And he says that everything that goes will be done in this phase we are in now, but if vendors won't observe the law we have to remind them to do it. So this is how he looks, and he says that with this new regulation we can, as a customer, ask for compensation when data breaches occur. We couldn't do that so easily now, but with this new regulation it will get a lot easier. And if 4 billion people sue a company and ask for compensation, that could be a bit expensive at the end. So if you are not able to sue anybody yourself, which is not cheap, so not everybody will sue companies, you can support organizations that help you with that, like the new organization from Max Schrems called "None of Your Business" - maybe you have seen this already. I'm not saying that you should support especially (???) this organization, but his plan is to actually do that stuff I explained earlier: sue companies that are not abiding by the law.
So if you wanna visit the website, they are currently collecting money. What else can consumers do? Those are no easy tips, but we can't do much except a few easy things. Does this product really need an internet connection? Is it possible to turn it off? Is it still working after that? What do we find about it on the internet? Can we reach the vendor? Does the vendor reply when I have a question? Do we get more information? Sometimes also clicktivism helps to stop vendors making stupid decisions. Here is another example from the vacuum-cleaning robot Roomba, who wanted to sell the data that is collected from the home by the vacuum cleaner, and actually there was a huge huge huge shitstorm after the CEO was announcing that. And after the shitstorm the CEO said "Ok, no no no. We're not collecting. We're not selling your data. No no." So sometimes this helps as well. And of course follow the basics in IT security: please update everything that has updates, separate networks from IoT products, and use safe passwords; support open hardware, open software; products where the data is stored locally are always better than in the cloud; and if you're tech-savvy enough - which I think you are here - start building your own tools. Because you have the control. And what can developers do? Support privacy by design, security by design, think about it from the beginning, because you can change it, and take responsibility. And IT security can also do some stuff, or continue to do some stuff. Point the vendor to the problems, make helping IT security stronger, keep reporting the flaws, publish your research, help develop standards, labels and seat belts, and support each other's work for a stronger voice about this. So I'm coming to the end of my talk now, and back to the topic of the internet of fails: How many must be killed in the Internet of Deadly Things train wrecks? This is actually an article I was reading with huge interest myself, because it was starting to make comparisons to the great age of railway construction, that was likewise riddled with decades of disasters before the introduction of effective signaling and failsafe brakes. And it was also compared with the automotive industry, where the mandatory fitting of seatbelts, designing the bodies of cars to reduce injury to pedestrians, airbags and measures to reduce air pollution were not introduced early enough. So this guy was asked: Do we really need to kill a few people first? And he said: Unfortunately that will happen. So he says: Safety and security standards for the internet of things can't come soon enough. I agree with that, that we need standards really soon. So I am at the end of my talk, and if we have some time left I'm waiting for your questions, ideas, and input now. Otherwise I will thank you very much for your attention.
applause

Herald: Thank you Barbara. A very warm applause. So a small information: If you want to exit the room, please exit the room to your left over there. So, questions? I see one question from the Signal Angel.

Q: Hello, ok. The internet wants to know, well, those companies don't have any IoT security whatsoever, or basically none, so what can we do to make them have more?

B: What we as who, as consumers?

Q: Yeah, basically.

B: Yeah, actually I would - what I said was I would write them and ask for standards. I think it can be the first step that we can write emails or call them and say "Well, what kind of security is built into this device, can you tell me? Otherwise I won't buy your product."

Herald: Thank you. Any other question? Ok, in this case again: Thank you Barbara for your nice talk.

applause

A very warm round of applause. Thanks.

34c3 outro

subtitles created by c3subtitles.de in the year 2018. Join, and help us!