RenderMan: So, yes. I am RenderMan. This is Murdoch Monkey. Just you know, I did a lit­tle bio­hack­ing on my liv­er last night, and so when I was work­ing the slides guess who for­got to hit save.” So I was just sit­ting in the back hack­ing togeth­er some­thing, so if this seems a lit­tle dis­joint­ed I apologize. 

This is a seri­ous talk. Let’s…you know, try to be adults here. Vaguely. I mean, there are no chil­dren in here, right? Okay, good. I don’t want to pay any ther­a­py bills.

So yes, Internet of Things. We all know about it. Manufacturers do not… You know, the secu­ri­ty on them’s ter­ri­ble. They don’t have a way to update them, or they just don’t care. Users don’t con­sid­er the secu­ri­ty and pri­va­cy of using these things until it’s way too late. Groups like I Am The Cavalry are doing amaz­ing work on auto­mo­tive, med­ical… But nobody want­ed to touch sex toys for some rea­son, so. But you know, this shows that IoT is per­me­at­ing every part of our lives, includ­ing one of the most pri­vate: bed­room activities.

So, yes. Sex toys are now being con­nect­ed to the Internet. For a lot of peo­ple that’s…they can’t grok that ini­tial­ly, let alone that there’s secu­ri­ty issues. Basically what we’re look­ing at is sex toys, kegel exer­cis­ers, gen­i­tal rings. If it goes into your gen­i­tals, your gen­i­tals go into it, or goes around gen­i­tals, those are the devices we’re wor­ried about.

A large num­ber of IoT research firms…yeah, they don’t want to look at this. Because there are stig­mas around sex. We have a very weird thing in North America about sex. We’ll watch all the vio­lence we want on tele­vi­sion but you can’t see two peo­ple have sex. Like, it makes no sense to me.

So this start­ed basi­cal­ly because I had had the idea rolling around my head for about ten years. Happened to men­tion it to the pur­vey­or of an adult toy store back home in Edmonton. And she was like, This is a good idea. I do all these in-home demon­stra­tions.” It’s like a Tupperware par­ty but dif­fer­ent kin­da Rubbermaid. But it’s like yeah, I’ve got some old mod­els. Ones where the bat­ter­ies don’t work or a bro­ken pow­er con­nec­tor…” and gave me these old demo ones. And I start­ed div­ing into this stuff, and shit got real, real quick.

Because when you now real­ize it, the ques­tion is, is hijack­ing the remote con­trol of a con­nect­ed sex toy sex­u­al assault?

I hear that uncom­fort­able gig­gling but no, think about it. You know, you have a part­ner. You give them per­mis­sion to con­trol this device. Someone else hijacks the con­nec­tion. That per­son does not have per­mis­sion. That fits the def­i­n­i­tion of sex­u­al assault. 

There have been sev­er­al cas­es of rape by decep­tion, where it was like if your twin broth­er has sex with your wife kind of a thing. It’s very inter­est­ing because they usu­al­ly are dis­missed on some sort of tech­ni­cal­i­ty. And I’m not a lawyer. I real­ly want to put an inter­est­ing query into the EFF about this. Canada’s sex­u­al assault laws specif­i­cal­ly define con­sent obtained by fraud is not con­sent. So in this case yes, if you’re imper­son­at­ing some­one by hijack­ing their account or what­ev­er yes, that is not… Consent goes to the per­son at the oth­er end, not the account.

But it gets real­ly weird when you start look­ing at laws because these are devices that’re vol­un­tar­i­ly used. It’s the same data that their inti­mate part­ner would be send­ing, but not by that same per­son. But if they find out that it was­n’t the per­son you thought it was con­trol­ling it, the emo­tion­al hor­ror and trau­ma from that should not be any­where dis­missed or feel any less than a phys­i­cal assault.

You’ve prob­a­bly all heard about the We-Vibe law­suit after DEF CON last year. For those of you who weren’t around, Goldfisk and Follower did a talk where they found a num­ber of issues with the We-Vibe. Full dis­clo­sure, I had actu­al­ly put in the exact same talk that came to the exact same con­clu­sions as them. They got select­ed. They were first-time speak­ers. I’d spo­ken way too many times here.

All boiled down to they did­n’t have the right pri­va­cy pol­i­cy in the app. It basi­cal­ly was the pri­va­cy pol­i­cy from their web site. So it was men­tion­ing you know, cook­ies and stuff like that. It did­n’t dis­close some of the infor­ma­tion that they were col­lect­ing from the app and the device. And yeah, they got nailed to the wall because hey, if I had known that this was doing this I would­n’t have bought it. Deceptive adver­tis­ing, such.

Absolutely no evi­dence of malfea­sance. Data did­n’t leak. They weren’t abus­ing it. They weren’t doing dossiers on users or any­thing. It was just lit­er­al­ly a paper­work over­sight. So the biggest law­suit regard­ing all this stuff had absolute noth­ing do with actu­al­ly tech­ni­cal pri­va­cy or secu­ri­ty but just legal paperwork.

They set­tle for $5 mil­lion in a class action law­suit. And we should be find­ing out in the next two, three weeks how much peo­ple actu­al­ly get out of that. Could be up to ten grand if you’d used the app and the device. 

The inter­est­ing part is We-Connect was actu­al­ly one of the bet­ter apps, even before all this. They were one of best ones I had test­ed. They still had some issues, but yeah, they were actu­al­ly doing SSL at least halfways right. They were doing a lot of things that you would expect. 

After they got hit with this law­suit and the Goldfisk and Follower talk, they stepped up and basi­cal­ly com­plete­ly reengi­neered their app. It’s now kind of like the gold stan­dard I have for oth­er ven­dors. It’s like you need to be doing all the stuff that they’re doing. They got rid of things like you don’t need to cre­ate an account to use it. So there’s no per­son­al infor­ma­tion being col­lect­ed there. Allows for…you start it up the first time, it says, Hey, would you like to opt out of anony­mous data col­lec­tion?” Cool. Gives peo­ple the chance right there, the first time. Looks like they’re actu­al­ly doing cer­tifi­cate pin­ning. Like holy crap.

Still some issues. My favorite is that you still can’t vis­it their web­site over SSL. And I’ve been ham­mer­ing on them on that for like eigh­teen months and they still have not got­ten back to me at all. It’s just…it’s hilarious.

You’ve prob­a­bly also heard about the Siime Eye con­tro­ver­sy. This is a vibra­tor with an embed­ded web­cam. Hey. I don’t judge. Basically because it’s doing video it needs band­width. And so it uses WiFi. When you start it up it becomes its own access point. So you con­nect your tablet, phone, what­ev­er, to it. So it’s not actu­al­ly con­nect­ing to the Internet or any­thing like that. So you view the stream. Control it from your phone. It’s basi­cal­ly Ralink System on a Chip run­ning BusyBox. Interesting to note, I smug­gled my GPG key­chain across the bor­der, on a dong. Because there was about eight megs of stor­age avail­able on here. Proof of con­cept, had to do it.

Also there is the embed­ded web serv­er, and yes I have actu­al­ly host­ed a web site…you know, an Internet on a dong. Literally all it is is a reworked cheap Chinese IP cam­era that they made fit into a par­tic­u­lar container.

That’s a pic­ture of my nose. Pen Test Partners, Ken Munro… Is he here? No? Okay. He’s prob­a­bly over at IoT Village. Literally this thing was in the air from Amazon when they released their report. They had found all the same things I had already in the soft­ware, and I did­n’t have the hard­ware yet to con­firm the last few. While the report was fac­tu­al­ly cor­rect, there was a lot of innu­en­do and jokes and just juve­nile humor. They released it under a pseu­do­nym of Beau du Jour.” And it’s like…really guys? Come on, we’re pro­fes­sion­als here.

So I took some excep­tion with that, post­ed a rebut­tal say­ing that yes your evi­dence of risks was true, but you blew it out of pro­por­tion. Like oh my god, these things are WiFi so they’re broad­cast­ing to any­one and wardrivers can pick this up and add it to wigle​.net. Now you show a screen­shot wigle​.net.

Well, if you actu­al­ly log in to WiGLE and use the Siime Eye SSID in search, you find two. Both of them are at rough­ly the same loca­tion out­side a four-story sex shop in down­town Tokyo. So out of…I for­get how many they’re up to, there are like 600 mil­lion access points cat­a­loged, two. And it’s demo stuff in like an incred­i­bly packed part of town. So like yeah, the risk is very very min­i­mal on that.

Yes, there was a default PIN that inter­est­ing­ly, their pre­vi­ous soft­ware did­n’t give you any way to change it, or none of the instruc­tions. It would tell you repeat­ed­ly change the pass­word, change the pass­word.” But not how.

So I post­ed this rebut­tal, and work­ing with Ken Munro on that, they made a bunch of press but unfor­tu­nate­ly this whole project did­n’t get men­tioned so I’m like, [fist in the air] Ken!” But no, it got them on same page. But it shows that peo­ple are pay­ing atten­tion. That the pub­lic is now con­sid­er­ing this.

So ven­dors were already freaked out by the We-Vibe suit. Seeing this get­ting dragged through the mud did­n’t help them much either. It was also a great exam­ple because they had tried to do a coor­di­nat­ed dis­clo­sure with the ven­dor, but they nev­er replied. This is why you need vul­ner­a­bil­i­ty dis­clo­sure pro­grams that actu­al­ly are act­ed upon.

The prob­lem with these things is that you have the poten­tial for real­ly dum­b­ass reg­u­la­tions and stuff like that. I mean you’ve got some 70 or 80 year-old geri­atric con­gress­man or sen­a­tor try­ing to fig­ure out this tech­nol­o­gy and it’s like, Oh my God, that’s aber­rant! Sex!” con­sid­er­ing that they’re prob­a­bly also doing their sec­re­tary or some­thing. Yeah it’s like you’re look­ing for solu­tions to a prob­lem that does­n’t exist. It may not be your thing, but does­n’t every­one deserve pri­va­cy and secu­ri­ty in what they do, even if you don’t agree with it? If not, you’re want­i­ng peo­ple to be hurt, you’re a ter­ri­ble human being. And it’s issues like that that are why I start­ed this project.

So inter​netof​don​.gs. In case you’re won­der­ing, .gs is South Sandwich Islands. I had actu­al­ly inquired with some friends that issue CVEs. There’s a big thing with IoT stuff, they don’t know how to issue a CVE for some of it because it’s using oth­er projects’ soft­ware but it’s only for this device con­fig­u­ra­tion… So I was like screw it. So I’m doing Dong Vulnerability Exposure IDs, most­ly for my own san­i­ty. When I was sub­mit­ting things there would be like half a dozen things that I want­ed to make sure that none of them were for­got­ten. So hav­ing an iden­ti­fi­er helped. 

But also the reports. You can actu­al­ly start see­ing what sort of issues are hap­pen­ing. I’ve already helped a num­ber of ven­dors build vul­ner­a­bil­i­ty dis­clo­sure and man­age­ment pro­grams. Because if some­body finds some­thing, why the hell aren’t you just mak­ing it easy to report? They’re giv­ing you free work. Like…makes sense. Again, non­judg­men­tal, just want to have peo­ple use these things pri­vate­ly and securely.

The vast major­i­ty of these are Bluetooth. Bluetooth LE. This is about the only WiFi one. They pair to a smart­phone or tablet for local con­trol, but also as a gate­way for remote con­trol via the Internet. A few have some desk­top appli­ca­tions. XMPP is a very com­mon con­trol chan­nel on these. It pro­vides you text chat func­tions as well. But they’ll also do text, audio, and video chat—full-fledged video tele­con­fer­enc­ing teledil­don­ics. Sweet. So lots of inter­est­ing attack sur­faces there, when you think about it, between the text, the audio, and the video. 

Almost always, there’s some sort of inter­ac­tion with a com­pa­ny serv­er for bro­ker­ing the con­nec­tion or find­ing each oth­er or some­thing. But try­ing to con­vince ven­dors you need to be as hands-off as you can pos­si­bly be. Because yes, it might be eas­i­er to do things this way where you tag unique iden­ti­fiers to every­body, but…no, that’s where things get weird. So the more hands-off you can be, the better.

So, so far twenty-seven vul­ner­a­bil­i­ties report­ed, sev­en­teen fixed, though I haven’t checked in the last week. Four com­plete or par­tial user data­bas­es. Two com­plete remote hijacks. One set of GPS loca­tions for all users that were online at the time. I’ve got eight ven­dors that’re on board with doing vul­ner­a­bil­i­ty dis­clo­sure pro­grams. I’m help­ing them basi­cal­ly to real­ize hey, you’re a soft­ware com­pa­ny now whether you want it to be or not; you’re gonna have to do cer­tain things.

Four have reached what I con­sid­er a trust­ed part­ner lev­el. It means that they have a very good and well-established vul­ner­a­bil­i­ty dis­clo­sure pro­gram. They’re being proac­tive, and just ful­ly embrac­ing the idea that okay, we need to be secure. Twenty-two test devices in this love­ly hand-cut foam case. Which is real­ly fun as carry-on. One cor­po­rate spon­sor, and a very con­fused mother. 

So yes, we are sup­port­ed by Pornhub. Wait, you’re all famil­iar with it? Oh, I thought it was just some obscure lit­tle site. Drunken email to their mar­ket­ing peo­ple say­ing, Hey, here’s the project. Going to buy some of these devices. They’re expen­sive. You know, can you somehow?”

Immediately got a reply, Yep, we’re on board. We love this.” Originally they were try­ing to get some of the ven­dors to send free stuff. Eventually just set­tled on, Here’s a big pile of cash.” So yes, I had a bank trans­fer from Pornhub for keep­ing my clothes on. That just seems…weird. But again, try and explain­ing that one to your mother. 

This is real­ly weird research. I’m gen­er­al­ly not embar­rassed or shocked or any­thing like that. But still it’s… The things you see…you know, it’s not nec­es­sar­i­ly for the timid. Because peo­ple have some inter­est­ing fetish­es. There are peo­ple who like the idea of a ran­dom anony­mous per­son on the Internet con­trol­ling their vibra­tor. But that’s you know, informed con­sent. That’s your thing.

But the vul­ner­a­bil­i­ties that you find are shock­ing. Not every­one knows how to do SSL, if they’re using it at all. User infor­ma­tion, per­son­al infor­ma­tion dis­clo­sure, part­ner dis­clo­sure, GPS, per­mis­sions, blah blah blah.

I’d say at least half, if they’re doing SSL, allow all host­name ver­i­fi­er,” which basi­cal­ly turns off SSL cer­tifi­cate check­ing. So you can stick any cer­tifi­cate in there for easy man in the mid­dle. So, why did you imple­ment SSL in the first place? You just turned it off, basically. 

A lot of these devices when you think about it, spouse is trav­el­ing for work or some­thing. They’re prob­a­bly using them in hotels, which are shared net­works a lot of times. So I don’t know if any­body here’s ever done sniff­ing on wire­less net­works, but it’s amaz­ing what oth­er peo­ple will be doing. It’s amaz­ing how many peo­ple watch porn in airports. 

User enu­mer­a­tion. I found vari­a­tions of this where you could basi­cal­ly find out if a cer­tain email address has an account there, for what­ev­er pur­pose. So with Lovense, you could basi­cal­ly do a sim­ple query and it would just come back with true or false. No authen­ti­ca­tion, no tokens required, no noth­ing. Anyone any­where in the Internet could just do a GET request and it comes back with true or false.

So, took my per­son­al address book with about 275 address­es and ran that through, just proof of con­cept. I have some friends with some sur­pris­ing inter­ests I did­n’t know. But this shows you can find out things about peo­ple that maybe they don’t want to share. One of them was a friend a friend Bluetooth research and had some of the Lovense devices. Didn’t know about my projects, so it was real­ly fun­ny to email him and say, Dude, why do you have these?” And he’s like holy shit, that I was able to find this.

I ramped it up with the Ashley Madison dump. Dumped all the gov­ern­ment address­es I could find. Queried about 10,000. They’ve already had enough dam­age to their lives. I’m not going to dis­close any­thing. But there was a hand­ful of trues from very inter­est­ing places.

OhMiBod. The app has a search func­tion for find­ing poten­tial part­ners. Some of them, if you have a pri­va­cy bit set for pub­lic, you could do a par­tial user­name search and you come up in the list. If you had the pri­va­cy bit set to pri­vate, you had to know the entire user­name, and that’s the only way you can connect.

But in the GUI it lim­it­ed you to I believe three char­ac­ters is the min­i­mum. But only through the GUI. If you did the query direct­ly, sin­gle char­ac­ters. Which means A through Z, 0 through 9, you now have all the public. 

Lots of inter­est­ing infor­ma­tion there, but it got worse, because my padawan (a stu­dent I’m men­tor­ing) fig­ured out that you just put a cou­ple dou­ble quotes in that and you click and it’s like oh, this is tak­ing a while. Because there’s a 32M JSON reply of every­thing, pri­vate or not. Like, the whole bloody data­base. Like 50,000 users, here’s every­thing. Of course that also includ­ed the URL for all the pro­file pho­tos, and I made the mis­take of down­load­ing all of them. I have now got more dick pics than I know what to do with.

Some apps are more social. They have ways to find new friends.” Sometimes a serv­er pro­vides more info. Like you post a vibra­tion pat­tern, and do so anony­mous­ly. But in the return from the serv­er, it still includes the user’s email address. So…you’re not helping.

An anony­mous user­name now has its asso­ci­at­ed email dis­closed to oth­ers for what­ev­er sort of spam or hijack­ing pur­pos­es. But think about this. Things like cam mod­el sites. The poten­tial for stalk­ing and harass­ment, if infor­ma­tion is dis­closed of their loca­tion or their pri­vate details. That’s scary, right.

Partner dis­clo­sure. Larry Pesce at Defcon 22 showed this one. Didn’t report it at the time, the bas­tard, but it has been report­ed and fixed now, where he was basi­cal­ly able to query for user­name your­vagi­na,” and it would respond with your part­ner’s nick­name hax­orthe­ma­trix.” Yeah. So you could tell and build social graphs of who was con­nect­ed to who. Because you could con­nect to mul­ti­ple peo­ple over time and it would still report over time. 

A map of the world with many location pins all over it

I’ll let you fig­ure out what that’s about.

Embedded API keys. They’re always fun. I have one that has left their admin MailChimp API key in the app, unob­fus­cat­ed. Full access to their mar­ket­ing email lists, user sub­scriber lists and every­thing, so you can query all that. And send mail as them if you real­ly want­ed to. They’re not reply­ing to my emails. I may have to send an email to them, from them­selves, or just drop a 0‑day, you know.

So, it’s all for a good rea­son. Some of this is fun­ny but there are seri­ous con­cerns. Security and pri­va­cy should be in all IoT, espe­cial­ly these devices. As you’ve seen, this is just a quick few examples—there’s a lot more where they’re not. This indus­try lit­er­al­ly does not know what they don’t know. They have been hard­ware man­u­fac­tur­ers of manually-operated devices until very recent­ly. They don’t have peo­ple like us around to say, Hey, that’s not a good idea.” They just are nev­er inter­act­ing with us. So I’m try­ing to build some bridges to wake them up to real­i­ty. And when you hand them their 50,000 user data­base on a sil­ver plat­ter you have their undi­vid­ed attention. 

Yes, this means I have a bag full of sex toys I trav­el with. But you know, for me this is a seri­ous issue. And you know, the dif­fer­ence between screw­ing around and sci­ence is writ­ing it down. 

Basically, sev­er­al of the ven­dors that I’ve helped have actu­al­ly approached me, want­i­ng to start some sort of trade group or con­sor­tium or some­thing like that to adopt a vol­un­tary pri­va­cy and secu­ri­ty set of stan­dards that they would adhere to through like a third-party audi­tors or some sort of trans­paren­cy report to basi­cal­ly say, Hey, we take secu­ri­ty seri­ous­ly. Here’s how we take it Seriously.” You know, full dis­clo­sures and hav­ing vul­ner­a­bil­i­ty dis­clo­sure pro­grams. It makes con­sumers aware yes there are risks, yes we are deal­ing with them. It’s not just ignor­ing them or any­thing like that.

Still try­ing to fig­ure that out. I don’t know if it’s going to be a seal of approval on the box, you you know, you’re going to see my face on there going [enthu­si­as­ti­cal­ly makes thumbs up” ges­ture], It’s secure!” No. Still a ways off. Still try­ing to fig­ure out how I’m going to do it because I have no idea what I’m doing with this project. It’s a new area for me.

There’s oth­er things like Google Play and the Apple App Store, they will ban adult” apps for ran­dom rea­sons. Well then that means you break the update cycle. So yes, the man­u­fac­tur­er may fix an issue, but it’s not going to get pushed out. So peo­ple have to side­load apps and stuff like that so you’re mak­ing them turn off secu­ri­ty. Like that’s…dumb.

Data col­lec­tion from users in places where sex toys are ille­gal. I believe in one of south­ern states it is still— I believe…Texas, it is ille­gal to own more than six sex toys. So I won’t be going to Texas any­time soon. But you can see how data har­vest­ing might be an issue.

Physical harm, as we found out with Samsung. You know, lithi­um ion bat­ter­ies burst into flames. Considering where these things are gen­er­al­ly put, that would make your day suck.

And I’m wait­ing for things like the first divorce case to cite oh you know, the guy’s remote vibra­tor app was con­nect­ed to a sec­re­tary’s device not his wife’s. That sort of thing. 

Anyways. I hope that I con­vinced you that there are some seri­ous issues here. Because they’re not reg­u­lat­ed like med­ical devices, there are no stan­dards or any­thing like that. So as the pub­lic, we have to hold them to a set of standards.

Get over the dis­com­fort. The exact same chipsets that’re in so many fridges and chil­dren’s toys and every­thing like that, it’s…just dif­fer­ent pack­ag­ing. We need your help to edu­cate peo­ple and say, Hey, guys. Let’s raise the bar.”

So, if you’re inter­est­ed in this I will be around and try­ing to orga­nize a hack­adong. Probably at the IoT Village to…you know, peo­ple can start­ing apart apps and give you some help there. If you’re good at pol­i­cy writ­ing and stuff like, I could real­ly use some help for the vol­un­tary framework. 

Buy me a beer so that I can wipe away some of the mem­o­ries of things I’ve seen. And we also have a Patreon to just off­set the few op costs we have for serv­er time and that. So, alright. Cool. Thank you.

Further Reference

The DEF CON Biohacking Village site

Help Support Open Transcripts

If you found this useful or interesting, please consider supporting the project monthly at Patreon or once via Cash App, or even just sharing the link. Thanks.