So, on to our next talk. Time to relax: you know what that means, a glass of wine or Mate, your favourite easy chair, and of course your Wi-Fi-enabled toy compromising your intimate moments. Barbara Wimmer, freelance author and journalist, will tell you more about the Internet of Fails, about where IoT went wrong. She is a freelance author and journalist at futurezone.at and the ORF, and will in the near future publish one or two stories and a book. Thanks.

Welcome to the talk Internet of Fails at 34C3. (This is the Spanish translation.) I'm waiting for my slides to appear on the screen. Where are my slides? Those are not my slides. Thank you very much. (Applause from the audience.)

Welcome to the talk Internet of Fails: when IoT doesn't work. This is a very negative title, and there are a lot of negative stories in this, but I don't want to talk only about negative things. Failures are the first step to learning. I'm also going to talk about solutions, not only about negative examples. Why do we hear about it every day? This fits perfectly with the congress motto, tuwat, because it's about doing something together.

The majority of you don't know me, so I'm going to introduce myself and explain why I'm talking about this topic, because that's probably what everybody asks me when they talk to me about IoT. I've been working as an internet reporter for more than 12 years. In 2014 I got in touch with IoT when I wrote about a fridge in Austria: the first fridge was found sending spam emails. That was in 2014, and it was really a funny story back then.
But at the same time we already knew that this was going to be a huge development, a very big and important evolution in the future. So since then I've been looking at the IoT evolution in security and privacy. In these 45 minutes you're going to hear a lot about IoT: what the problems with IoT are at the moment, and examples of mistakes in security and privacy. But as I said before, I'm also going to talk a little bit about solutions, and those solutions are not going to come from just one side, for example the consumer or the producer.

What I'm going to give you is details about IoT security. I'm going to name most of the sources on the slides, so if you want to know exactly how an example came out, please look it up if you're interested in the subject. I'm a journalist, not an expert in IoT security, so for the technical details I refer you to other sessions of the Congress.

Coming to the Internet of Things, I want to start with some data, because these data show how the technology has developed. In 2016 we had 6.3 million devices. Today we have 11 million, and in 2020 there will be more than 20 million (20.4 million) devices. These are data from Gartner from January. And I have another slide with more exact data about this year: you see the development, you see how it's growing, like 17% more than last year, and by 2021 it's going to be 1.4 trillion dollars in the Internet of Things.

So maybe some of you are wondering what the Internet of Things is. Maybe you think: wait, she's talking about the smart home, the intelligent home, because that's very closely related to the Internet of Things, and we have all these smart devices in our rooms. But it's not only that specific thing, because we're talking about all the things that are connected: for example toys, sex toys, home automation, lights, thermostats,
and wearable digital devices, for example watches.

I'd like to start with some examples of classic Internet of Things devices. A smart coffee maker. So what is smart about a coffee maker? It doesn't become smart when you control it or turn it on with an app; what's smart about that? You tap the app, and it's the same as pressing the button on the machine. But you connect the coffee maker with a fitness tracker and something that measures your sleep, to make, for example, a stronger or weaker coffee depending on how you've slept. That's smart. That sounds comfortable for some people, but it has a lot of dangers, because you never know whether the data is really safe or where it's going. Maybe your doctor will be receiving it one day.

Do you all know Cars, the movie? This is Lightning McQueen, the main character, who is a toy today. 350 euros. And this car is capable of watching the movie with you and commenting on the movie. (Laughter.) It sounds very funny, but it means that it has an integrated microphone that is waiting to hear the words in the movie or the stories in order to make comments. And the microphone can only be turned off through an app; there's no button to turn it off. Another thing: when you receive this Christmas gift, which is a very expensive gift, 350 euros, it first has to update for more than 45 minutes before you can use it.

The next example I call Internet of Shit, because you can't call it anything else. It's an Internet of Things sensor for the bathroom: a small smart box that is placed in the toilet and has sensors that help analyse your excretions. It collects the data and sends it to the cloud. Actually, this could be very useful for people with chronic diseases.
It's very good for people who have chronic diseases such as ulcerative colitis. But it is mainly designed for people who want to improve their nutrition and analyse stress levels. Maybe it sounds good at first, but the data that is being collected could be used for other things in the future. It's a perfect example for the Internet of Shit.

There's another Internet of Shit: it's a Twitter account that collects all these funny stories. It's not mine, I don't have anything to do with the account. I tried to contact the person, but I never got an answer, so I can't say anything about that. But they collect examples, and if you're interested in the topic you can follow it after the talk.

After presenting a couple of IoT examples, with some good parts and some bad parts, there are a few problems. Because, as I said before, you might think that everything is nice and comfortable and so on. But the problem is that most of the vendors that are producing the Internet of Shit are trying to connect everything. They're connecting devices that for many years were manual, without internet connectivity. They knew a lot about ergonomics, engineering and materials, but almost nothing about computer security. And I don't say that without having talked to producers who tell me exactly that. I interviewed a company from Austria that has been making light bulbs for 100 years, and they started to make connected light bulbs in 2015. When they started to connect the bulbs, I asked how many people were in the IT security department: one person, who didn't know that IT security could become more important once they start to connect the bulbs. The result is that these producers are making the same mistakes that the technology industry made 15 years ago. So the year 2000 called and wants its IT security back.

The lack of security. So what's the problem?
Well, known passwords, Bluetooth connections, permanent servers and permanent connections. Of these 20,000 million devices there will be a lot of insecure devices, and the problem is that they are being collected, they are joining a botnet and they are starting to make attacks; they are being used for DDoS attacks. For the people who don't know the terms botnet and DDoS, I have prepared short definitions so you know what I'm talking about.

A botnet is a network of private computers infected with malicious software and controlled as a group without the knowledge of the owners, like for example the spam fridge that I talked about before; in fact this fridge sent 750,000 emails. The botnet has an owner, because it is not a zombie botnet on its own, and the owner can control that network of zombies to carry out malicious attacks like DDoS. A DDoS is a distributed attack against the services a server offers, which can lead to a complete outage of the service offered.

Well, that already happened. This is not something that happens in a distant future: in 2016 most people already noticed it, but they didn't know why. Twitter accounts didn't work, they couldn't use Reddit or Spotify, they couldn't pay with PayPal at that moment, and behind that attack was Mirai. So several big services were offline because the infrastructure provider was attacked by various IoT zombies. This was a year ago, and now, a year later, Mirai still appears quite often; in fact not all the botnet devices have been secured, there are still some. In fact there is a study that says that all the insecure devices, all the botnet infections, all the security errors will be there for at least 7 years, which means that all the insecure devices could be infected, and could stay infected, for 7 years. That's why it's very important that we do something very quickly and not from 2020 on.
So Mirai will supposedly continue to exist in 2017, and in fact many incidents and attacks similar to Mirai happened in 2017. This is an example that could appear at any moment: in November, a year after that attack occurred, there was a 91% increase over Q1; there was a very big growth compared to quarters 2 and 3, and it will continue to grow. I have to drink a little water for a second, sorry.

Now we return to other examples. A very good example is the university that was attacked by its own vending machines and light bulbs and other small IoT devices. It was very difficult to fix, because they couldn't just take the university network down and bring it back up, so they had a very complicated procedure to get the network working again. And the only reason they discovered it is that the students complained that the internet was very slow.

Another example, which has nothing to do with DDoS but with sensors: in an aquarium in a North American casino there were sensors that were checking the temperature of the aquarium so that the fish don't die. Those sensors were sending the data to a computer in the casino, and that computer was using the same network as the sensors. Cyber criminals could access that data from the casino, and it was sent to their own servers in Finland, a few gigs per day.

Another example, which is one of my favourites, I don't know why, but it's the example I like the most of all the examples that I collected in 2017: a security camera bought by a woman who wanted to check on her dog while she was working. And what did she do with this camera? Well, yes, she checked on her dog when she wasn't at home, but when she was at home the camera followed her through the room and was watching her everywhere. It had an integrated microphone, and one day it started talking to her and said "hello, miss". The
woman was very scared, so scared that she started recording the camera, because she thought no one is going to believe me, and no one is going to buy this camera again. The camera was supposed to watch the dog, and it was watching her. It was a very cheap camera, she bought it in the supermarket, but we don't know the name of the producer in this case.

So, changing from a cheap camera to a very modern camera: what you see here is a camera that is installed in many companies. A security flaw was found, and they showed me how they could hack the camera and show images of an empty room in a bank. The images of the empty room in the bank were shown while in reality the bank was being robbed; well, actually not, but it could have been. This sounds a bit like a scene from a movie, but the truth is that this camera is sold as a security camera and it's not secure. One of the problems is that it has some passwords hard-coded in the camera's code.

So I'm getting to different examples. Before the talk, everyone here at the podium was telling me: you brought your favourite toy to protect yourself during your talk? And she was laughing. No, no, it's not going to protect me; it's one of the least secure devices on the market. But before we get to this special toy I'm going to talk a little about toys connected to the internet. Stiftung Warentest in Germany did a study about toys connected to the internet. They tested them, for example bears, robots, dolls, and they are all very insecure; several of them are even critical. What was the problem with these toys? They were using a Bluetooth connection, and these Bluetooth connections were not protected by a password or a PIN, so anyone who was close enough could connect to the doll and talk to the kids or ask them questions. Another problem was the applications that collect data, connected with those dolls. For example, this little unicorn
has an application where you can send messages, and it can play messages. As a child you can record messages and send them to your mom or your dad, and when there are messages to listen to, the heart lights up to say there is a message that you have to listen to. I'm not sure if it's the same one I recorded before; maybe now it's the same, but by the end of the talk it won't be. What that means, sorry: this device has an application where you can send a message, and it also has an interface for the kids, and when you are using the platform for the kids you can see that there is integrated advertising, even pornography and other things that are not really good in the hands of kids. This is what Stiftung Warentest found. The data is also passed to partner companies and other companies to track the behaviour of the parents. So Stiftung Warentest says that a plush bear that is not very smart is the best option.

Before I press the button I would like to talk a little bit about Cayla. You have probably heard about Cayla: it's a very insecure doll that was banned in Germany by law, because it was classified as a concealed transmitting device. It has been banned, and parents who do not destroy it can face negative consequences; it should be off the market. That is the result of a campaign from Norway called Toyfail, from the Norwegian Consumer Council, which took Cayla to the European Parliament to show them how insecure some dolls can be, how much those dolls can harm, and to ask for more security for the dolls. I have brought you a little video; I hope we can hear the audio here too. Let's see. No, we are not hearing the audio, but it does not matter, because it has subtitles. They are saying at this moment: "use it for advertising, share it with practically any company and change the terms at any time without telling you,
and this, in our opinion, is a huge infringement of consumer protection laws." (Applause.)

Well, we also do not trust Cayla, nor do we trust the unicorn, our little unicorn. (Laughter.) OK, somebody has hacked it, someone has hacked it. (Laughter.) "Hello, Chaos Communication Congress." That's what I recorded before. (Applause.) There is still time, but you are all too far away, and nobody brought a ruler. We will try later. But you should not trust this unicorn, because this unicorn is from a toy line called CloudPets, and the company is called Spiral Toys. It's a unicorn, but there are also dogs and cats and other unicorns, and it's very ugly, but it's a unicorn. I'm talking a lot about this; why am I explaining it now? There was a data breach with this toy, so the messages of the children in the CloudPets data were stolen and were publicly on the internet; they could be found freely on the internet. Spiral Toys said that there was no data breach, but the data existed, and that's the reason why I brought this unicorn. It can still easily be found on the internet, and in fact I can show you why: on the internet they show you pornographic advertising, so I wouldn't recommend it for your children.

There are various institutions that talk about the problems of these toys, and they have already analysed several: Stiftung Warentest in Germany, also the group Ostraco, and even the American FBI. So consider whether you really want a connected toy for your children or for you, because in the next section, about sex toys, (laughter from the audience, the sound of a trumpet)
(laughter in the audience). It's not necessary to say a lot about this example. In fact it's a vibrator with a camera included, and this camera is very, very insecure. This toy is very expensive, so you can't say it's only the cheap toys; expensive things can also be insecure. In fact this vibrator costs 250 dollars, so it's very expensive, and it has an endoscope connected to the internet included, and they discovered it's very insecure: the password may be public, and if you forget to change it, there will be other people watching the images of what you believe are your private sexual adventures. There is another example; in fact, let's go back a second: there is a very funny video on YouTube about this, maybe you want to see it. I didn't bring it because I couldn't contact the producers.

So I will continue with the next example, about the case of a sex toy company that admits recording the sex sounds of its users and calls it a minor error. You can see the icon: this is a vibrator and an app, and the app that controls the vibrator recorded all the sounds of sex, all the sounds that you make when you use this vibrator, and saved them without your knowledge. The company says that none of this information was sent to the company, so the file only existed temporarily in the app, and the company corrected the error after a while, but it's an example of what these sexual things can do. There are a lot more examples about the issue of sex toys. There is one thing that you should look for afterwards, please not now but after this talk: you could search in Google or in DuckDuckGo, wherever you want, for the term "blowjob injection", and please add "security" to the search, otherwise other pages will appear. This was a female security expert who was researching a device that your girlfriend could use to give you a special stimulation, and it could be hacked so that the stimulation came from another person and not her. There is another story about it on
the internet, so if you are interested, search for it later, because it's funny to talk about this. But I also want to talk a little more about what we can do, and one of the projects in this area that is doing something is the project Internet of Dongs: hacking sex toys for security and privacy. As you can see, it is supported by Pornhub, which means that Pornhub pays money to the project so that they can buy the toys. I have talked with the person who is behind this project; this is an image of his, this is the website in fact. He told me that at the moment there is a team of more or less 15 to 20 people who are investigating security in their free time. They don't receive any money for this and they don't want to receive money, but they are looking for more security experts who want to participate in the team. They also have an ethical code and things like that. One of the most important things they told me is that they don't want to stop people using connected sex toys; they find the security errors so that we can use them, if we want, without fear. So you can contact them if you are interested.

Changing section: you can see that I am moving from security to privacy, and now I have come to the privacy section. This is Google Home, and we all know that there is also Amazon Echo. Digital assistants are also intelligent devices of the Internet of Things. That's why I want to talk about them for a short moment, because I am sure that there are people here who have received one as a Christmas gift. There has been significant growth in the use of these digital assistants: in the first quarter there were 900 devices, and in quarters two and three there were more than 7.4 million devices sold, so there has been significant growth, and we don't even have the numbers for
Christmas time. I wanted to talk about this because if you put these things in your house it could be very comfortable at the beginning, because you don't have to look for the weather, you don't have to read your emails, you can make the device read your emails and use it to make shopping lists and similar things. But these devices are used a lot to analyse the personality and the habits of the users, gaining more and more information about your life, and this information doesn't stay in your house but reaches the Amazon and Google servers. I don't need to tell you what Amazon and Google do with this data: not only are they collecting it, it's very valuable, and they use it to sell, and they're going to use it or sell it in the future. All the digital assistants send the voice commands to their servers, and the data stays there, and it's impossible for me to find out for how long and on which servers; it's not in their terms of use, and I couldn't find it anywhere. So the data protection declaration is not easy to find or to understand: how, until when and where the collected information is processed is not clear, and it's not clear how long they are going to keep that information. If you still want those devices in your house, at least there's a mute button to shut them up, and you can also change the settings to control or delete the data that has been collected.

Both devices have been hacked: Amazon Echo was hacked in 2016 and Google Home Mini in 2017. Of course both problems were solved. When I say hacked, I mean that what came out of those actions was that they were listening to your conversations all the time.

Unfortunately the fun examples are ending. I'm getting to the part where I would like to talk about what we can do against the lack of security and privacy in the Internet of Things. We're talking about the status quo, in
which we have an information asymmetry between the producers and the users: the producers don't have to give information about the devices, for how long they provide security updates, whether they are safe or not. So what do we need? I have written a couple of things here which are partly stolen from Jan Philipp Albrecht, from his programme, because he works a lot on that kind of question, what we can do; there's a lot about what we can do in his work. I'm also stealing some of the proposals of the person who does the Internet of Dongs, who has interesting proposals, and of some security experts I talked to in interviews, because we don't always want to talk about bad things; we want to make sure that the Internet of Things becomes more secure.

Some of them said that we would need a rating system similar to the energy label, a classification by stars, which would mean that we use a seal or a label which says "security updates for 5 years", or to show that there are devices that don't have this. Close security holes instead of ignoring them: it's also important to force the providers to close the security holes instead of ignoring them, so we can easily report security flaws. We should also force them to give us an email address where we can tell them about security problems, and to give us information about what is secure and what isn't. We also need an offline mode: it should be mandatory that there is an offline mode for electronic devices, with a button where you can turn it off so it doesn't listen all the time. We need that, and we don't need it only for some but for all the devices that are connected to the internet. We also need an airbag and a security centre for the digital era, and we need to talk about update policy and liability. For example regulation: regulation that does not exist at the moment. But there is some regulation that does exist: the General Data
Protection Regulation, GDPR, which will come into force in 2018 and has many very important things, called privacy by design and by default, and it includes more possibilities to demand by law that privacy by default is really implemented by the vendors. The thing is that privacy by design and by default are things that the producers should do. What the producers told me is that their plan is not to integrate it in the products, because they say they don't need it, because we would have to do it, and that's how it is. That's why the regulation comes into play, and the legal side comes in.

I think it's important to know Max Schrems, who is a data protection activist, who says that the producers will not change on their own. What he says is that with this new regulation, as consumers, we can demand our data protection; before it was more difficult, but with the new regulation this becomes much easier, and if 4 million people ask for damages, this could be very expensive for a company. If you don't have the means to do that yourself, because it's a very expensive thing, then you can support organisations such as this one. I don't say that you necessarily have to support this organisation specifically, but this is just what this organisation does.

What else can consumers do? These are not easy tricks, it's not easy to do, but there are some easy things that we can accept and think about. For example: does this product really need the internet? If I turn off the internet connection, can it still work? Can I contact the company? Will they answer me if I have a problem? Sometimes clicktivism works to prevent producers from making stupid decisions. For example, there is the example of the smart Roomba vacuum cleaner that was going to collect all the data about the house gathered by the vacuum cleaner. There was a very big shitstorm after they announced it.
The boss of the company announced it, and after all these people complained, they decided not to implement it.

Obviously, what can the producers do? In general, the basis of computer security: update, update, update; use separate networks for IoT; use secure passwords; use open hardware; use open software; and let each person build their own tools. What can the programmers do? Support privacy by design and by default, privacy from the beginning, from the programming of the device. What can security experts do? Explain the problems to the producers, improve the security standards in production in the Internet of Things, report all the errors that are found and help other people who work on these problems.

And now I'm back to the Internet of Fails. This is the end of my talk, and the question is: how many people are going to die from problems with the Internet of Things? I wanted to make a comparison with the time when trains were built and the number of disasters that happened before safety measures were installed, or to compare it with the motor industry, for example with the introduction of safety measures, the introduction of airbags, etc., which did not happen very soon. And the question is whether people need to be killed first before they improve their security; it is said that it will have to happen. And the answer is that the security of the Internet of Things will not arrive soon enough. This brings me to the end of my talk. If we have time, I'm waiting for questions and input. If not, I thank you for your attention. Thank you very much.

Thank you very much. Please exit the room to your left over there. I'm going to start the question round. Do you want to ask questions? The internet wants to know: if companies don't have any IoT security whatsoever and don't have security experts, what can we do to ask for more? Who, the consumers? Yes, basically.
What I said is that I would write letters to the producers and demand standards. This is the first step that we can do: we can write emails or call them and say, well, what security do you have in these products? Because if not, I won't buy your products. Thank you. Any other question? OK, in this case, again, thank you very much for the talk. A big round of applause. Thank you.
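Two of the incidents in the talk were noticed through traffic behaviour: the university whose vending machines and light bulbs made the network slow, and the casino aquarium sensor whose data left for servers in Finland at a few gigabytes per day. The following is an added example, not part of the talk or of any project it mentions: a small Python script that reads constructed flow records from an IoT network segment (the "separate network for IoT" the speaker recommends) and flags devices that either fan out to an unusual number of hosts, the symptom of a scanning or DDoS zombie, or push large volumes to destinations outside the vendor cloud they are expected to talk to. The segment, addresses, thresholds and record format are all assumptions chosen for the example.

```python
"""Flag IoT devices whose traffic looks like botnet or exfiltration activity.

Added example (not from the talk): analyses constructed flow records from an
isolated IoT network segment. Addresses, thresholds and the record format are
assumptions chosen for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed layout: the IoT devices live on their own segment and should only
# talk to one vendor cloud service.
IOT_SEGMENT = ip_network("192.168.50.0/24")
EXPECTED_CLOUD = {ip_address("52.10.0.5")}        # constructed vendor cloud address
LOCAL_NETWORKS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Detection thresholds (assumptions; tune to the real segment's baseline).
FANOUT_THRESHOLD = 50          # distinct destinations per device in the window
EXFIL_BYTES = 500_000_000      # bytes to unexpected hosts in the window


def build_sample_flows():
    """Return constructed flow records: 'timestamp src dst dst_port bytes_out'.

    203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here as
    stand-ins for arbitrary internet hosts.
    """
    lines = [
        # .10 is a well-behaved device talking only to the vendor cloud
        "2017-12-27T10:00:01 192.168.50.10 52.10.0.5 443 1200",
        "2017-12-27T10:00:02 192.168.50.10 52.10.0.5 443 980",
        # .11 talks to the cloud but also pushes ~1.75 GB to a foreign host
        "2017-12-27T10:00:03 192.168.50.11 52.10.0.5 443 400",
        "2017-12-27T10:00:04 192.168.50.11 198.51.100.7 443 850000000",
        "2017-12-27T10:00:05 192.168.50.11 198.51.100.7 443 900000000",
    ]
    # .12 contacts 60 different hosts with tiny flows: scanning/DDoS-style fan-out
    for i in range(1, 61):
        lines.append(f"2017-12-27T10:01:{i % 60:02d} 192.168.50.12 203.0.113.{i} 80 60")
    return "\n".join(lines) + "\n"


def parse_flows(text):
    """Parse flow records into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((ts, ip_address(src), ip_address(dst), int(port), int(nbytes)))
    return records


def is_local(addr):
    """True if the address belongs to one of the assumed internal networks."""
    return any(addr in net for net in LOCAL_NETWORKS)


def analyse(records, fanout_threshold=FANOUT_THRESHOLD, exfil_bytes=EXFIL_BYTES):
    """Return {device_ip: [reasons]} for IoT devices that look compromised."""
    destinations = defaultdict(set)
    unexpected_bytes = defaultdict(int)
    for _, src, dst, _, nbytes in records:
        if src not in IOT_SEGMENT:
            continue                       # only judge devices on the IoT segment
        destinations[src].add(dst)
        if dst not in EXPECTED_CLOUD and not is_local(dst):
            unexpected_bytes[src] += nbytes

    findings = {}
    for src in sorted(destinations):
        reasons = []
        if len(destinations[src]) >= fanout_threshold:
            reasons.append(f"contacted {len(destinations[src])} distinct hosts "
                           "(scanning or DDoS-style fan-out)")
        if unexpected_bytes[src] >= exfil_bytes:
            reasons.append(f"sent {unexpected_bytes[src]} bytes to hosts outside "
                           "the expected vendor cloud (possible exfiltration)")
        if reasons:
            findings[str(src)] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in analyse(parse_flows(build_sample_flows())).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

In a real deployment the records would come from a router's NetFlow or similar export rather than a constructed string, and the allow-list of expected cloud hosts would be learnt from a clean baseline period per device model; the two thresholds are deliberately simple so that the logic stays readable, and the point is that putting IoT devices on their own segment is what makes this kind of per-device baseline possible at all.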