And I have one last announcement before we begin this talk. This is a personal announcement to whoever slapped the sticker saying "for rectal use only" onto my microphone. Microphones are not supposed to be used this way. Please trust me, I am very familiar with microphones; I know how they are supposed to be used. However, our next speaker is going to tell you about things that are supposed to be used this way, and about how to secure and protect those things. So please welcome Werner and the talk you all came here to see: Internet of Dongs.

Hello, welcome to the chat room of Kathie and Kaste. Today we are going to translate this lecture on the Internet of Dongs, which we do with love for you, and we hope that you have a fantastic evening.

Hello, my name is Werner. I work for SEC Consult as a security consultant, which is about penetration testing of security systems. I studied computer science for the last five years at the University of St. Pölten. About a year ago, I faced a major challenge: choosing a topic for my master's thesis. You might know that there are always those pre-defined topics. Some of them are really interesting; those are gone very quickly and you are left with the boring ones. I didn't want to be too stressed, so I wanted to look for my own topic. The first thing I did was to get a better overview by looking at what other people were writing about. These are the really interesting topics: Bitcoin, GDPR, cyber, cyber, cyber, DevOps, management, malware. But some of you may have noticed that one topic is missing, one that is very, very important in 2018, and that is the Internet of Things. I guess I don't have to explain what the Internet of Things is. It is, so to speak, the connection of all the devices that used to be analog and are now connected via the Internet. And I thought, maybe I can combine that with the pen-testing knowledge of SEC Consult.
The problem is that there are millions of products and I only have one thesis to write. So I had to find a sub-category of the Internet of Things, especially when it comes to pen-testing. The first thing that came to my mind was smart home devices. We have already heard a lot of interesting stories about those: coffee machines, lawn mowers, lamps, thermometers, things in that direction. But this category has a few problems. There is already a lot of research on it, and the other problem is the influence it has on society. I don't really want to talk about that now. But when there are weak spots, when a DDoS happens on your lawn mower, then you go into the garden and mow the lawn yourself. So I thought I had to choose a sub-category with a big influence on society. Then I looked at smart dolls, for example. There was this doll Cayla. Someone found out that it had a built-in microphone and that the data was sent to a strange server in strange countries. It was actually declared illegal and had to be destroyed. There was also a lot of research on baby monitors, and a colleague of mine wrote a very good blog post about it. And there are devices that influence our bodies. For example pacemakers, from St. Jude Medical, the largest manufacturer of pacemakers. They produced a pacemaker that is controllable via Bluetooth, but they just forgot the authentication. That's a very, very big problem, because basically everyone could influence your pacemaker. But as you can see, these categories would be really hard to get into. So that's really not good. Then the deadline came closer and I really had to get into the topic. I did a lot of brainstorming with myself and then a lot more, and found that there is one category that has a very, very big influence, but there is no big research on it. And that is the Internet of Dildos.
That's basically the integration of sex toys into the Internet of Things, where they can connect with each other, for example, and with the Internet. But before that, I would like to show you what I found about the Internet of Dildos: a bit of history, so to speak. You might think it's something new, but the Internet of Dildos has actually existed for about 50 to 60 years. Whenever there are new discoveries, they first appear in films, and that also applies to the Internet of Dildos. There are, for example, Barbarella, Flash Gordon, or Orgazmo. These are real films, and the Internet of Dildos actually appeared in them. In Barbarella, for example, the bad guy used the Orgasmotron to produce such a hard orgasm that people died. So in the 60s and 70s the Internet of Dildos was actually a weapon of mass destruction, not of mass orgasm. That also resulted in a new research area, which is called teledildonics. Of course that's also a joke, but not from me, from Ted Nelson. He's a technology philosopher and has coined some quite well-known terms, for example virtuality and teledildonics. It was first mentioned in his book Dream Machines, which I can recommend; you should maybe read it. In the book there are interviews with different people who had innovative and interesting ideas, but the technology was not ready yet. And here's a guy who's involved, called Hal Voxpress. He talked about AudiTac; you can google it. There you can find a few pages where you can look a little further. He was still looking for a manufacturer to help him build the sonic stimulator, the audio stimulator. At the end of the day, it's a radio-controlled dildo. It has an antenna. The signals go into a radio and from there two outputs go out, one to the stimulator and one to the headset. It even has a patent; you can search for it on Google. The stimulation is coupled to sound waves that are connected directly to the signal of the song.
The technology was not ready in the 1970s, but in 2018 we're definitely ready for it. That's why we're going to test the Internet of Dildos now. Before we take a closer look at the devices, I have to say that I really want to keep this project as serious as possible. I'm going to try to keep the innuendos per minute as low as possible and to make as few of them as possible. So, now we're going to talk about the test devices. I've chosen three devices. On the right side we have the Vibratissimo Pantybuster, i.e. the Höschen Springer. In the middle we have the Magic Motion Flamingo, i.e. the Magic Movement Flamingo. And on the left side we have the Vibratissimo... Those are manufactured in China, and the device on the right side, the first device, is manufactured in Germany. I have to admit, I was a little overwhelmed. I thought, well, I could look at the Chinese devices first; they are the low-hanging fruits. But a question to the audience: who thinks that I found the most vulnerabilities in the Chinese devices? Who believes that I found the most vulnerabilities in the German device? Who believes that I found the most vulnerabilities everywhere? Yeah, you're basically all right. When I looked at the German device closely, I found so many vulnerabilities that I really stuck with it and wrote my complete thesis about one device. Okay, so the Pantybuster is one product of a complete series of products, but it was the cheapest of all. All of them use the same back-end and the same apps. The Pantybuster is a device that is connected to a smartphone via Bluetooth. It can be used, for example, for long-distance relationships, but there is much more behind these apps. There is a complete social media component: you can have chats, group chats, for example.
You can create image galleries, you can make friends lists. Yes, it's true, it's not a joke. And now we're going to analyze the software. I'm also going to tell you a little bit about the transport layer and the hardware, of course. So I'll start with the software. The first weak point we have to talk about is information disclosure. Usually that's just a few version numbers; in most cases it's pretty boring, but in this case it's really critical. I found a so-called .DS_Store file in the web root. It's created by the macOS Finder and contains a lot of metadata, for example. If you find such a file in a web root, you have a side-channel directory listing. It has a proprietary format, but there is a Python module with which you can decode it, and I just decoded it. And then I was shown this: so to speak, a complete side-channel directory listing of the whole server, all the files, for example an old page example. I don't know why that has to be in a production environment. There's a database folder. But the most interesting thing is the config folder, and we'll take a closer look at it. There is one file in it, config.php, with the following information in it: basically a db host pointing to localhost, a dbname, a username and a password. The problem is that this host is just local. It could be that it is not directly reachable on the Internet, so you have to find a corresponding interface for it. Of course, that's the first thing I did: a port scan. A lot of interesting ports. The most interesting for me was the MySQL port. But some of you may remember it, the orange-brown web application, phpMyAdmin. I found a subdomain that ran that application, and with that I had direct access to the database and had access to all the data immediately.
So basically I now had access to all the real data: all addresses, the e-mail addresses, all galleries, the pictures, the messages, everything. And the passwords were also in clear text, which is really bitter in the 21st century. So there wasn't much more to be done; I already had everything. Realistically, about 30 minutes had passed and I already had access to it. I wanted to write it down as quickly as possible and send it to the German CERT-Bund. After an hour I got a really interesting call: they had already called the manufacturer and wanted to raise the problem. But I still had the problem that I had to write my master's thesis, and now I had to write a few more pages, so I had to find a little bit more. Of course I continued to research and found something. Now I want to talk about insecure direct object references. At the end of the day, it's a vulnerability that comes down to two sub-problems. Normally the identifier is a random string which shouldn't be guessable, and the second thing is that you still have authorization checks. So even if you can guess the random identifiers, there should still be an access check that prevents you from downloading the object afterwards. In this case, it was really easy to guess the identifiers, and there was also no access protection on them. I had to learn that the hard way. There is a feature in these smartphone apps called galleries. You can configure that only your friends are able to see them, or only yourself, and you can also give them a password. Just for a test, I created a gallery with cats, and here is the request I need. You have to give the ID of the gallery at the end. Then I just changed the ID and found another gallery, and I also found a penis picture.
That's relatively simple, because every picture is given a global ID by the server. So it's just enumerated: the ID is simply counted up. And there are no authorization checks. It's just stored, and it doesn't matter whether there are passwords on it or visibility settings. The next weak spot I found is called insufficient authentication. Of course there are many different ways to implement authentication; they are either good or bad. In this case it just makes no sense. It's a bit like HTTP Basic, but a bit worse. What's normal is that you send a username and a password to the server, and if the password is correct, I usually get back some secret information that represents the authentication, like a cookie or a token. But in this case every request carried the username and password in clear text. That's really just crap. So if your password is compromised, then you also have to change your username in the future, because otherwise it's still broken. So the next weak spot is called missing authentication. There is a feature in these apps: I can send remote control links without any extra authentication or confirmation. Now let's take a look at this button. In this e-mail there is a button called Quick Control, and there is of course another ID. It's just a global counter again, a global ID. You can simply download the app, create your own Quick Control link and then change the ID: just count one down and then tell your favorite stranger on the Internet to have fun. I'll show you a video now where I do exactly that. On the right side we're going to see an attack device. It's just connected to the network. It just creates a link and then changes the ID, and on the left side you can see a smartphone connected to the smart sex toy. That's the attack device on the left and the victim on the right.
So in a few seconds you see just what I explained: there is no confirmation, no question, nothing in the app. Now I have to stop talking about software. There is still more stuff in there, like cross-site scripting and the like, but I don't have that much time. Let's talk about the transport layer. I've already talked a little bit about its weaknesses, and now I'm going to tell you about Bluetooth LE: what it's about in general and how authentication and connections work at a high level. You can imagine that Bluetooth LE works like a web API. At a very high level there are API endpoints and there are properties, the name of the device for example, which can be read and written, and there are also a few other characteristics that are very important when it comes to remote pleasure 2.0. It's a very, very short explanation, but we don't have much more time. There are a few reasons why the security is the way it is. Bluetooth LE uses AES-CCM, Counter with CBC-MAC; it's considered secure. But as we all know, security is always a question of key exchange, and with Bluetooth LE the keys are created during pairing. With Bluetooth LE we have different variants of pairing, as opposed to just throwing packets at it, where any device in the environment just does something with these packets. We have Just Works, we have Out-of-Band pairing, Passkey Entry and Numeric Comparison. You know this, for example, where you have to enter a number to pair devices, and it's just, yeah, okay, it's your device. We have Out-of-Band pairing, for example with headphones via NFC, and Just Works, which can just be brute-forced. It just works. And of these five variants, what do you think, what does this sex toy use: no pairing, or one of the other variants, more or less secure? Yes, it actually doesn't use pairing. Really? Yes.
They just throw packets, and the device that is in the environment just does something with them, and it's fun. You can work that out very quickly: you can just sniff it, and I did that. I used the Bluetooth LE sniffer; it works really well for that. I put it between the sex toy and the smartphone app, sniffed a little bit and found some nice endpoints. There's handle 1F, which is like initialization, and there's handle 25, which is about the vibration intensity of the device. Well, and now a little bit of war-dildoing, so to speak. I wrote a little Python script. It just looks at Bluetooth LE devices in the environment, then it tries to tell whether it is a sex toy, and if it is, at some point it gets switched on. Exactly. The next thing I want to talk about is not so funny, to be honest. Please don't laugh, because when we published this, many of you asked me on Twitter; it's violent, very serious. Take a look: there's a man who wants to run an attack and sits, for example, in the U-Bahn in Vienna. He just starts this script and looks at people. That's an offence. In Austria we have laws on sexual harassment and we have laws on freedom of speech, but we have a special paragraph. It's really hard to translate, but we can call it the Po-Grapsch paragraph; that's why I chose this term in the English version. According to this paragraph, it is an unwanted sexual act through a third device, so to speak, which is difficult to define. The hardware. The biggest problem is that firmware updates are not possible. That was confirmed by the manufacturer. The problem is that many weak points could easily be solved by a firmware update. The manufacturer had this idea: as a user you could send in the sex toy to get a firmware update, but honestly, nobody is going to do that. The other problem is that there are debug interfaces.
So there are serial interfaces, and you can pull out the firmware and then do a little more research with it. So what can you do about it? Yes, I would like to use a smart sex toy. What can I do? Well, does aluminum foil work? Not really. Let's be honest. There are a lot of interesting open source projects, for example the Internet of Dongs project. There is a very interesting person behind it, called RenderMan; you can find him on Twitter. He founded this project to make the Internet of Dongs a little safer. He does penetration tests, and he also gives out so-called DVIs. Then you have buttplug.io, Metafetish, which develop open source firmware for many different devices, independent of the manufacturers. There is also something like OnionDildonics, which has the goal of rerouting the traffic of all smart sex toys via the Tor network to make it all a little safer. Okay, there is one more thing. I had a lot of calls with the manufacturer, and one was particularly nice. We tried to explain to the manufacturer that it is not good that you can simply control everyone from the Internet with it. It should at least be a feature that you select actively, and not just work out of the box. The manufacturer said: no, of course that is not possible, because most of our customers are swinger clubs and you do not know who is in there. And that is why there is no opt-in, because it's always there. Thank you. That was my talk.

Thank you. That was very educational. Thank you. That was very informative. Who wants to ask questions now, on Twitter or in the IRC? Ask whatever you want. So apparently people on Twitter are engaged in a drinking game. Apparently they played a drinking game on Twitter: every time "penetration" was said, they drank. In the meantime we have a question from the microphone. So now we have a first question.
Have you ever looked at the patent situation around teledildonics? Were companies somehow kept out by it? Yes, there was actually something: the Teledildonics Appreciation Day. The patent just expired, so you can actually use the term as much as you want. Thank you. Microphone number three, please. So this was very funny, obviously, and you showed us the real, easy-to-pick things. But have you also looked at the social graph of the users on the website? Have you already looked at other devices? And can you show us a little bit of what I think is the difficult part, for example the profile of user preferences and so on? Yes, actually, I haven't looked at the data in detail. I contacted the manufacturer, but I can't give you any information there. But I have looked at tracking, for example, and in this case there wasn't much tracking as far as the German sex toy is concerned. If you compare it to the Chinese sex toy, there was a lot more tracking. But I didn't really look at it in a very detailed way. Thank you again for the educational and entertaining talk. Thank you again for the interesting talk. And hopefully a big round of applause for you.
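The gallery and Quick Control weaknesses described in the talk share one pattern: a global counter as the object identifier and no check of who is asking, so an attacker just counts the ID down by one. The Python below is an added example, not code from the talk, the thesis, or the vendor's app; the gallery service classes, the user names (alice, bob, mallory), the friend list and the sample galleries are all constructed here for illustration. It puts that pattern beside a hardened version with the two controls the talk names, an unguessable identifier and an authorization check enforced on every read, and runs the "count the IDs" attack against both.

```python
# Added example (not from the talk or the vendor's app): sequential IDs with
# no access check, next to random IDs plus an authorization check.
# Users, friend list and sample galleries below are constructed for the demo.
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Gallery:
    owner: str
    visibility: str                  # "public", "friends" or "private"
    password: Optional[str] = None   # optional extra protection set by the owner
    pictures: List[str] = field(default_factory=list)


class VulnerableGalleryService:
    """The pattern from the talk: IDs come from a global counter and the lookup
    never looks at the requester, so visibility and password are decoration."""

    def __init__(self) -> None:
        self._galleries: Dict[int, Gallery] = {}
        self._next_id = 1

    def create(self, owner: str, visibility: str, password: Optional[str] = None,
               pictures: List[str] = ()) -> int:
        gid = self._next_id            # guessable: previous ID minus one exists too
        self._next_id += 1
        self._galleries[gid] = Gallery(owner, visibility, password, list(pictures))
        return gid

    def get(self, gid, requester: str, password: Optional[str] = None) -> Optional[Gallery]:
        return self._galleries.get(gid)  # requester and password are ignored


class HardenedGalleryService:
    """Same feature with an ID that cannot be counted up and an access check on
    every read. `friends` maps owner -> set of friends (constructed here)."""

    def __init__(self, friends: Dict[str, Set[str]]) -> None:
        self._galleries: Dict[str, Gallery] = {}
        self._friends = friends

    def create(self, owner: str, visibility: str, password: Optional[str] = None,
               pictures: List[str] = ()) -> str:
        gid = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        self._galleries[gid] = Gallery(owner, visibility, password, list(pictures))
        return gid

    def get(self, gid, requester: str, password: Optional[str] = None) -> Optional[Gallery]:
        g = self._galleries.get(gid)
        if g is None:
            return None
        if g.owner != requester:
            if g.visibility == "private":
                return None
            if g.visibility == "friends" and requester not in self._friends.get(g.owner, set()):
                return None
            if g.password is not None and not secrets.compare_digest(
                    (password or "").encode(), g.password.encode()):
                return None
        return g


def enumerate_ids(service, requester: str, candidates) -> Dict[object, Gallery]:
    """Attacker loop: try every candidate ID (the talk's "count one down") and
    keep whatever the server hands back."""
    return {gid: g for gid in candidates if (g := service.get(gid, requester)) is not None}


def demo() -> Dict[str, object]:
    """Run the same scenario against both services and report what leaks."""
    friends = {"alice": {"bob"}}
    results: Dict[str, object] = {}
    for name, svc in (("vulnerable", VulnerableGalleryService()),
                      ("hardened", HardenedGalleryService(friends))):
        svc.create("alice", "public", pictures=["cat1.jpg"])
        friends_id = svc.create("alice", "friends", pictures=["cat2.jpg"])
        private_id = svc.create("alice", "private", password="hunter2",
                                pictures=["not-a-cat.jpg"])
        # A stranger who only knows that IDs are small integers.
        results[name + "_enumerated"] = len(enumerate_ids(svc, "mallory", range(1, 1001)))
        # A stranger who somehow obtained the exact private ID (e.g. a forwarded link).
        results[name + "_private_with_id"] = svc.get(private_id, "mallory") is not None
        # Friends-only gallery: bob is a friend, mallory is not.
        results[name + "_friend"] = svc.get(friends_id, "bob") is not None
        results[name + "_stranger_friends"] = svc.get(friends_id, "mallory") is not None
        # The owner can always read her own gallery.
        results[name + "_owner"] = svc.get(private_id, "alice") is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable service the stranger's loop over IDs 1 to 1000 collects all three galleries, password and visibility notwithstanding; against the hardened one it collects nothing, and even the exact private ID yields nothing to anyone but the owner. Both controls matter on their own: a random ID alone still leaks once a link is forwarded, and an access check alone still lets an attacker confirm which counter values exist.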