RenderMan: So, yes. I am RenderMan. This is Murdoch Monkey. Just you know, I did a little biohacking on my liver last night, and so when I was working the slides, guess who forgot to hit “save.” So I was just sitting in the back hacking together something, so if this seems a little disjointed I apologize.

This is a serious talk. Let’s…you know, try to be adults here. Vaguely. I mean, there are no children in here, right? Okay, good. I don’t want to pay any therapy bills.

So yes, Internet of Things. We all know about it. Manufacturers do not… You know, the security on them’s terrible. They don’t have a way to update them, or they just don’t care. Users don’t consider the security and privacy of using these things until it’s way too late. Groups like I Am The Cavalry are doing amazing work on automotive, medical… But nobody wanted to touch sex toys for some reason, so. But you know, this shows that IoT is permeating every part of our lives, including one of the most private: bedroom activities.

So, yes. Sex toys are now being connected to the Internet. For a lot of people that’s…they can’t grok that initially, let alone that there’s security issues. Basically what we’re looking at is sex toys, kegel exercisers, genital rings. If it goes into your genitals, your genitals go into it, or it goes around genitals, those are the devices we’re worried about.

A large number of IoT research firms…yeah, they don’t want to look at this. Because there are stigmas around sex. We have a very weird thing in North America about sex. We’ll watch all the violence we want on television but you can’t see two people have sex. Like, it makes no sense to me.

So this started basically because I had had the idea rolling around my head for about ten years. Happened to mention it to the purveyor of an adult toy store back home in Edmonton. And she was like, “This is a good idea. I do all these in-home demonstrations.” It’s like a Tupperware party but a different kind of Rubbermaid. But it’s like, “Yeah, I’ve got some old models. Ones where the batteries don’t work or a broken power connector…” and gave me these old demo ones. And I started diving into this stuff, and shit got real, real quick.

Because when you now realize it, the question is, is hijacking the remote control of a connected sex toy sexual assault?

I hear that uncomfortable giggling but no, think about it. You know, you have a partner. You give them permission to control this device. Someone else hijacks the connection. That person does not have permission. That fits the definition of sexual assault.

There have been several cases of rape by deception, where it was like if your twin brother has sex with your wife kind of a thing. It’s very interesting because they usually are dismissed on some sort of technicality. And I’m not a lawyer. I really want to put an interesting query into the EFF about this. Canada’s sexual assault laws specifically define that consent obtained by fraud is not consent. So in this case yes, if you’re impersonating someone by hijacking their account or whatever, yes, that is not… Consent goes to the person at the other end, not the account.

But it gets really weird when you start looking at laws because these are devices that’re voluntarily used. It’s the same data that their intimate partner would be sending, but not by that same person. But if they find out that it wasn’t the person you thought it was controlling it, the emotional horror and trauma from that should not be dismissed anywhere or feel any less than a physical assault.

You’ve probably all heard about the We-Vibe lawsuit after DEF CON last year. For those of you who weren’t around, Goldfisk and Follower did a talk where they found a number of issues with the We-Vibe. Full disclosure, I had actually put in the exact same talk that came to the exact same conclusions as them. They got selected. They were first-time speakers. I’d spoken way too many times here.

It all boiled down to they didn’t have the right privacy policy in the app. It basically was the privacy policy from their web site. So it was mentioning, you know, cookies and stuff like that. It didn’t disclose some of the information that they were collecting from the app and the device. And yeah, they got nailed to the wall because hey, if I had known that this was doing this I wouldn’t have bought it. Deceptive advertising and such.

Absolutely no evidence of malfeasance. Data didn’t leak. They weren’t abusing it. They weren’t doing dossiers on users or anything. It was just literally a paperwork oversight. So the biggest lawsuit regarding all this stuff had absolutely nothing to do with actual technical privacy or security but just legal paperwork.

They settled for $5 million in a class action lawsuit. And we should be finding out in the next two, three weeks how much people actually get out of that. Could be up to ten grand if you’d used the app and the device.

The interesting part is We-Connect was actually one of the better apps, even before all this. They were one of the best ones I had tested. They still had some issues, but yeah, they were actually doing SSL at least halfway right. They were doing a lot of things that you would expect.

After they got hit with this lawsuit and the Goldfisk and Follower talk, they stepped up and basically completely reengineered their app. It’s now kind of like the gold standard I have for other vendors. It’s like you need to be doing all the stuff that they’re doing. They got rid of things like, you don’t need to create an account to use it. So there’s no personal information being collected there. Allows for…you start it up the first time, it says, “Hey, would you like to opt out of anonymous data collection?” Cool. Gives people the chance right there, the first time. Looks like they’re actually doing certificate pinning. Like holy crap.

Still some issues. My favorite is that you still can’t visit their website over SSL. And I’ve been hammering on them on that for like eighteen months and they still have not gotten back to me at all. It’s just…it’s hilarious.

You’ve probably also heard about the Siime Eye controversy. This is a vibrator with an embedded webcam. Hey. I don’t judge. Basically because it’s doing video it needs bandwidth. And so it uses WiFi. When you start it up it becomes its own access point. So you connect your tablet, phone, whatever, to it. So it’s not actually connecting to the Internet or anything like that. So you view the stream. Control it from your phone. It’s basically a Ralink System on a Chip running BusyBox. Interesting to note, I smuggled my GPG keychain across the border, on a dong. Because there was about eight megs of storage available on here. Proof of concept, had to do it.

Also there is the embedded web server, and yes I have actually hosted a web site…you know, an Internet on a dong. Literally all it is is a reworked cheap Chinese IP camera that they made fit into a particular container.

That’s a picture of my nose. Pen Test Partners, Ken Munro… Is he here? No? Okay. He’s probably over at IoT Village. Literally this thing was in the air from Amazon when they released their report. They had found all the same things I had already in the software, and I didn’t have the hardware yet to confirm the last few. While the report was factually correct, there was a lot of innuendo and jokes and just juvenile humor. They released it under a pseudonym of “Beau du Jour.” And it’s like…really guys? Come on, we’re professionals here.

So I took some exception with that, posted a rebuttal saying that yes your evidence of risks was true, but you blew it out of proportion. Like oh my god, these things are WiFi so they’re broadcasting to anyone and wardrivers can pick this up and add it to wigle.net. Now you show a screenshot of wigle.net.

Well, if you actually log in to WiGLE and use the Siime Eye SSID in search, you find two. Both of them are at roughly the same location outside a four-story sex shop in downtown Tokyo. So out of…I forget how many they’re up to, there are like 600 million access points cataloged, two. And it’s demo stuff in like an incredibly packed part of town. So like yeah, the risk is very very minimal on that.

Yes, there was a default PIN that, interestingly, their previous software didn’t give you any way to change, nor did any of the instructions. It would tell you repeatedly “change the password, change the password.” But not how.

So I posted this rebuttal, and working with Ken Munro on that, they made a bunch of press but unfortunately this whole project didn’t get mentioned so I’m like, [fist in the air] “Ken!” But no, it got them on the same page. But it shows that people are paying attention. That the public is now considering this.

So vendors were already freaked out by the We-Vibe suit. Seeing this getting dragged through the mud didn’t help them much either. It was also a great example because they had tried to do a coordinated disclosure with the vendor, but they never replied. This is why you need vulnerability disclosure programs that actually are acted upon.

The problem with these things is that you have the potential for really dumbass regulations and stuff like that. I mean you’ve got some 70 or 80 year-old geriatric congressman or senator trying to figure out this technology and it’s like, “Oh my God, that’s aberrant! Sex!” considering that they’re probably also doing their secretary or something. Yeah it’s like you’re looking for solutions to a problem that doesn’t exist. It may not be your thing, but doesn’t everyone deserve privacy and security in what they do, even if you don’t agree with it? If not, you’re wanting people to be hurt, you’re a terrible human being. And it’s issues like that that are why I started this project.

So internetofdon.gs. In case you’re wondering, .gs is South Sandwich Islands. I had actually inquired with some friends that issue CVEs. There’s a big thing with IoT stuff, they don’t know how to issue a CVE for some of it because it’s using other projects’ software but it’s only for this device configuration… So I was like screw it. So I’m doing Dong Vulnerability Exposure IDs, mostly for my own sanity. When I was submitting things there would be like half a dozen things that I wanted to make sure that none of them were forgotten. So having an identifier helped.

But also the reports. You can actually start seeing what sort of issues are happening. I’ve already helped a number of vendors build vulnerability disclosure and management programs. Because if somebody finds something, why the hell aren’t you just making it easy to report? They’re giving you free work. Like…makes sense. Again, nonjudgmental, just want to have people use these things privately and securely.

The vast majority of these are Bluetooth. Bluetooth LE. This is about the only WiFi one. They pair to a smartphone or tablet for local control, but also as a gateway for remote control via the Internet. A few have some desktop applications. XMPP is a very common control channel on these. It provides you text chat functions as well. But they’ll also do text, audio, and video chat—full-fledged video teleconferencing teledildonics. Sweet. So lots of interesting attack surfaces there, when you think about it, between the text, the audio, and the video.

Almost always, there’s some sort of interaction with a company server for brokering the connection or finding each other or something. But I’m trying to convince vendors you need to be as hands-off as you can possibly be. Because yes, it might be easier to do things this way where you tag unique identifiers to everybody, but…no, that’s where things get weird. So the more hands-off you can be, the better.

So, so far twenty-seven vulnerabilities reported, seventeen fixed, though I haven’t checked in the last week. Four complete or partial user databases. Two complete remote hijacks. One set of GPS locations for all users that were online at the time. I’ve got eight vendors that’re on board with doing vulnerability disclosure programs. I’m helping them basically to realize hey, you’re a software company now whether you want to be or not; you’re gonna have to do certain things.

Four have reached what I consider a trusted partner level. It means that they have a very good and well-established vulnerability disclosure program. They’re being proactive, and just fully embracing the idea that okay, we need to be secure. Twenty-two test devices in this lovely hand-cut foam case. Which is really fun as carry-on. One corporate sponsor, and a very confused mother.

So yes, we are supported by Pornhub. Wait, you’re all familiar with it? Oh, I thought it was just some obscure little site. Drunken email to their marketing people saying, “Hey, here’s the project. Going to buy some of these devices. They’re expensive. You know, can you somehow?”

Immediately got a reply, “Yep, we’re on board. We love this.” Originally they were trying to get some of the vendors to send free stuff. Eventually just settled on, “Here’s a big pile of cash.” So yes, I had a bank transfer from Pornhub for keeping my clothes on. That just seems…weird. But again, try explaining that one to your mother.

This is really weird research. I’m generally not embarrassed or shocked or anything like that. But still it’s… The things you see…you know, it’s not necessarily for the timid. Because people have some interesting fetishes. There are people who like the idea of a random anonymous person on the Internet controlling their vibrator. But that’s you know, informed consent. That’s your thing.

But the vulnerabilities that you find are shocking. Not everyone knows how to do SSL, if they’re using it at all. User information, personal information disclosure, partner disclosure, GPS, permissions, blah blah blah.

I’d say at least half, if they’re doing SSL, use an “allow all hostname verifier,” which basically turns off SSL certificate checking. So you can stick any certificate in there for easy man in the middle. So, why did you implement SSL in the first place? You just turned it off, basically.

A lot of these devices, when you think about it, spouse is traveling for work or something. They’re probably using them in hotels, which are shared networks a lot of times. So I don’t know if anybody here’s ever done sniffing on wireless networks, but it’s amazing what other people will be doing. It’s amazing how many people watch porn in airports.

User enumeration. I found variations of this where you could basically find out if a certain email address has an account there, for whatever purpose. So with Lovense, you could basically do a simple query and it would just come back with true or false. No authentication, no tokens required, no nothing. Anyone anywhere on the Internet could just do a GET request and it comes back with true or false.

So, took my personal address book with about 275 addresses and ran that through, just proof of concept. I have some friends with some surprising interests I didn’t know about. But this shows you can find out things about people that maybe they don’t want to share. One of them was a friend who does Bluetooth research and had some of the Lovense devices. Didn’t know about my project, so it was really funny to email him and say, “Dude, why do you have these?” And he’s like, holy shit, that I was able to find this.

I ramped it up with the Ashley Madison dump. Dumped all the government addresses I could find. Queried about 10,000. They’ve already had enough damage to their lives. I’m not going to disclose anything. But there was a handful of trues from very interesting places.

OhMiBod. The app has a search function for finding potential partners. Some of them, if you have a privacy bit set to public, you could do a partial username search and you come up in the list. If you had the privacy bit set to private, you had to know the entire username, and that’s the only way you can connect.

But in the GUI it limited you to, I believe, three characters minimum. But only through the GUI. If you did the query directly, single characters. Which means A through Z, 0 through 9, you now have all the public ones.

Lots of interesting information there, but it got worse, because my padawan (a student I’m mentoring) figured out that you just put a couple of double quotes in that and you click and it’s like oh, this is taking a while. Because there’s a 32M JSON reply of everything, private or not. Like, the whole bloody database. Like 50,000 users, here’s everything. Of course that also included the URL for all the profile photos, and I made the mistake of downloading all of them. I have now got more dick pics than I know what to do with.

Some apps are more social. They have ways to find “new friends.” Sometimes a server provides more info. Like you post a vibration pattern, and do so anonymously. But in the return from the server, it still includes the user’s email address. So…you’re not helping.

An anonymous username now has its associated email disclosed to others for whatever sort of spam or hijacking purposes. But think about this. Things like cam model sites. The potential for stalking and harassment, if information is disclosed of their location or their private details. That’s scary, right?

Partner disclosure. Larry Pesce at DEF CON 22 showed this one. Didn’t report it at the time, the bastard, but it has been reported and fixed now, where he was basically able to query for username “yourvagina,” and it would respond with your partner’s nickname “haxorthematrix.” Yeah. So you could tell and build social graphs of who was connected to who. Because you could connect to multiple people over time and it would still report over time.

[Slide: a map of the world with many location pins all over it]

I’ll let you figure out what that’s about.

Embedded API keys. They’re always fun. I have one that has left their admin MailChimp API key in the app, unobfuscated. Full access to their marketing email lists, user subscriber lists and everything, so you can query all that. And send mail as them if you really wanted to. They’re not replying to my emails. I may have to send an email to them, from themselves, or just drop a 0-day, you know.

So, it’s all for a good reason. Some of this is funny but there are serious concerns. Security and privacy should be in all IoT, especially these devices. As you’ve seen, this is just a quick few examples—there’s a lot more where they’re not. This industry literally does not know what they don’t know. They have been hardware manufacturers of manually-operated devices until very recently. They don’t have people like us around to say, “Hey, that’s not a good idea.” They just are never interacting with us. So I’m trying to build some bridges to wake them up to reality. And when you hand them their 50,000 user database on a silver platter you have their undivided attention.

Yes, this means I have a bag full of sex toys I travel with. But you know, for me this is a serious issue. And you know, the difference between screwing around and science is writing it down.

Basically, several of the vendors that I’ve helped have actually approached me, wanting to start some sort of trade group or consortium or something like that to adopt a voluntary privacy and security set of standards that they would adhere to through like third-party auditors or some sort of transparency report to basically say, “Hey, we take security seriously. Here’s how we take it seriously.” You know, full disclosures and having vulnerability disclosure programs. It makes consumers aware yes there are risks, yes we are dealing with them. It’s not just ignoring them or anything like that.

Still trying to figure that out. I don’t know if it’s going to be a seal of approval on the box, you know, you’re going to see my face on there going [enthusiastically makes a “thumbs up” gesture] “It’s secure!” No. Still a ways off. Still trying to figure out how I’m going to do it because I have no idea what I’m doing with this project. It’s a new area for me.

There’s other things like Google Play and the Apple App Store, they will ban “adult” apps for random reasons. Well then that means you break the update cycle. So yes, the manufacturer may fix an issue, but it’s not going to get pushed out. So people have to sideload apps and stuff like that so you’re making them turn off security. Like that’s…dumb.

Data collection from users in places where sex toys are illegal. I believe in one of the southern states it is still— I believe…Texas, it is illegal to own more than six sex toys. So I won’t be going to Texas anytime soon. But you can see how data harvesting might be an issue.

Physical harm, as we found out with Samsung. You know, lithium ion batteries burst into flames. Considering where these things are generally put, that would make your day suck.

And I’m waiting for things like the first divorce case to cite, oh you know, the guy’s remote vibrator app was connected to a secretary’s device, not his wife’s. That sort of thing.

Anyways. I hope that I convinced you that there are some serious issues here. Because they’re not regulated like medical devices, there are no standards or anything like that. So as the public, we have to hold them to a set of standards.

Get over the discomfort. The exact same chipsets that’re in so many fridges and children’s toys and everything like that, it’s…just different packaging. We need your help to educate people and say, “Hey, guys. Let’s raise the bar.”

So, if you’re interested in this I will be around and trying to organize a hackadong. Probably at the IoT Village so…you know, people can start taking apart apps and I can give you some help there. If you’re good at policy writing and stuff like that, I could really use some help for the voluntary framework.

Buy me a beer so that I can wipe away some of the memories of things I’ve seen. And we also have a Patreon to just offset the few op costs we have for server time and that. So, alright. Cool. Thank you.
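The server-side failures the talk walks through (the unauthenticated true/false email check, the username search whose three-character minimum lived only in the app GUI, the privacy bit the server did not honour, and the “anonymous” pattern reply that still carried the poster’s email) all come down to a backend trusting its client. The following is an added example, written for this transcript, and is not RenderMan’s code nor any vendor’s: a toy in-memory partner directory with each of those mistakes beside a hardened handler. The users, emails and URLs are constructed, and since the page does not say how the double-quote query actually dumped the real database, the “strip the quotes, match on an empty string” mechanism here is an assumed reconstruction.

```python
"""Added example, not code from the talk or from any vendor it names: a toy
in-memory "partner directory" with the server-side mistakes the talk describes
(an unauthenticated email-exists oracle, a search that trusts the GUI's minimum
length, a privacy flag honoured only by the client, and a receipt that echoes
the account email) beside a hardened version of each. All data is made up; the
empty-after-stripping-quotes mechanism is an assumed reconstruction."""

import re
from dataclasses import dataclass

MIN_QUERY_LEN = 3          # the limit the app GUI enforced, client-side only
MAX_RESULTS = 20
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass(frozen=True)
class User:
    username: str
    email: str
    public: bool           # the "privacy bit": True = findable by partial search
    photo_url: str


# Constructed sample data.
USERS = [
    User("alice_k", "alice@example.net", True, "https://cdn.example/p/1.jpg"),
    User("alfredo", "alf@example.net", True, "https://cdn.example/p/2.jpg"),
    User("bob_private", "bob@example.org", False, "https://cdn.example/p/3.jpg"),
]


# ---------- vulnerable handlers (the behaviour the talk describes) ----------

def vuln_email_exists(email: str) -> bool:
    """GET /exists?email=... with no auth: a free oracle for address books."""
    return any(u.email == email for u in USERS)


def vuln_search(query: str) -> list:
    """Trusts the client. No length check, so single letters walk the public
    set one letter at a time; quotes are stripped, so '""' becomes '' and,
    because '' is a substring and a prefix of every name, both branches match
    everyone, private or not. Full records go back, email and photo included."""
    q = query.strip('"')
    hits = [u for u in USERS if (u.public and q in u.username)
            or (not u.public and u.username.startswith(q))]
    return [vars(u) for u in hits]


def vuln_pattern_receipt(author: User) -> dict:
    """'Anonymous' pattern upload whose receipt still carries the author email."""
    return {"posted_as": "anonymous", "email": author.email}


# ---------- hardened handlers ------------------------------------------------

def safe_account_probe(email: str) -> str:
    """No existence oracle: the reply is identical whether or not the address
    has an account; anything account-specific goes out of band to that address."""
    _ = any(u.email == email for u in USERS)   # result deliberately not exposed
    return "If that address has an account, we've sent it an email."


def public_view(u: User) -> dict:
    """Only what the user chose to show: never the email, never a storage URL."""
    return {"username": u.username}


def safe_search(query: str) -> list:
    """Server-side validation of what the GUI only pretended to enforce."""
    if not USERNAME_RE.fullmatch(query) or len(query) < MIN_QUERY_LEN:
        return []                              # reject; never 'clean up' input
    q = query.lower()
    hits = [u for u in USERS
            if (u.public and q in u.username.lower())
            or (not u.public and q == u.username.lower())]  # private: exact only
    return [public_view(u) for u in hits[:MAX_RESULTS]]


def safe_pattern_receipt(author: User) -> dict:
    """Nothing in the receipt links back to the author."""
    return {"posted_as": "anonymous"}


if __name__ == "__main__":
    print(vuln_search('""'))            # whole table, private accounts included
    print(safe_search('""'))            # []
    print(safe_search("bob_private"))   # private user reachable only by exact name
```

The point of the hardened half is that every limit the app shows the user (minimum query length, the public/private flag, which fields a profile exposes) is re-checked by the server, because the app is just one client and the API is reachable by anyone with curl.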

Further Reference

The DEF CON Biohacking Village site