So, on to our next talk. Time to relax. You know what that means: a glass of wine or Mate, your favorite easy chair, and of course a Wi-Fi enabled toy compromising your intimate moments. Barbara Wimmer, a freelance author and journalist, will tell you more about the Internet of Fails. She'll tell you more about where IoT got wrong. She's a freelance author and journalist at futurezone.at, the ORF, and will in the near future release one or two public stories and a book. Thanks.

Applause.

Hello everybody. I'm waiting for my slides to appear on the screen. Where are my slides, please? Those are not my slides. Oh, thank you very much. So, welcome to the talk Internet of Fails, when IoT has gone wrong. This is a very negative title, actually, and you're getting a lot of negative stories in this next hour, but I don't want to talk only about negative things, so you can see "fail" as "first attempt in learning". So, actually, at the end of the talk, I want to talk about solutions as well, and I don't want to provide only bad and negative examples, because that's what we hear every day. And this is perfect for the Congress motto, tuwat, because this is all about "let's tuwat together". So, most of you in this room will not know me, so I'm going to introduce myself a little bit and why I'm talking to you about this topic, because that's probably what everybody asks me when I appear somewhere and say, oh, I will give talks about IoT.
And so, actually, I have worked as an IT journalist for more than 12 years, and I got in contact with the Internet of Things in 2014 when I talked to the local team in Austria, I'm from Vienna, and they first told me that the first refrigerator had been caught sending out spam mails. That was in 2014, and actually, that was really a funny story back then, and we were all laughing about it, but at the same time, we already knew that something was coming up which was going to be a huge development. And so, from back then, I watched the whole IoT development in terms of security and privacy, and in the next 45 minutes, you will hear a lot about IoT, where the problem with IoT currently is, and examples of fails in terms of security and privacy. But, as mentioned before, I also want to talk about solutions, and when we talk about solutions, it will not be only one side, like only the consumer, only IT security, only developers. Actually, what I'm not going to provide is detailed IT security stuff, so if you want to focus more on any story that I'm talking about, I'm mentioning most of the sources in the slides, and if you really want to know how this example came up, please look it up if you're really deeply interested in it. I'm a journalist and not an IT security person, so please don't expect me to go into details in this talk. That's why it's also in the ethics session of the Congress, and not the security part.

So, coming to the Internet of Things, I want to start with a few numbers, because these numbers show the development of IoT. In 2016, we had 6.3 billion devices out there. This year, we already had 8.3 billion devices, and in 2020, we are going to have 20.4 billion connected devices out there. So, the numbers are from the Gartner Institute from January, and I have one more slide with more accurate data from June this year, and actually, this slide shows that the development is really growing.
17% more compared to the previous year, and by 2021, global IoT spending is expected to reach about $1.4 trillion. So, maybe some of you are asking yourselves what the Internet of Things is. Maybe some of you also expect that I'm only talking about the smart home, because IoT is often related to the smart home, and we're having all these smart devices that we put in our living rooms, but that's actually not the main focus, because it's more about the connected everything, which means toys, sex toys, home automation, light bulbs, surveillance cameras, thermostats, but also digital assistants and wearables.

So, I want to start with a few examples of the classical Internet of Things stuff, which is actually a smart coffee maker. So, what is smart about a coffee maker? It doesn't get smart when you regulate your coffee machine by app, because what's smart about that? You can just press the button on the machine. But when you connect your coffee machine with fitness and sleep trackers, the coffee machine already knows when you get up and whether you need a strong or soft coffee in the morning, and so that might sound comfortable for some of us, but it also has a lot of dangers inside, because you never know that the data is really safe and only stays with you. Maybe your insurance company gets it one day.

So, you all probably know Cars, the film, and this is Lightning McQueen, and it became a toy nowadays, which is sold for $350. No, sorry, euros. And this car is able to sit next to you and watch the film with you, and it's going to comment on the film. And this sounds very funny, and it is funny, but it means that it has a microphone integrated, which is waiting for the terms in the film at the right spots, and then it makes comments.
And the microphone can only be turned off by app, so there's no physical button to turn it off. And actually, another thing is, when you actually got this present for Christmas, which is a really expensive present at 350 euros, it's actually first updating for more than 35 minutes before you can even use it.

The next example you are already loving is the Internet of, I call it Internet of Shit, because you can't say anything else to that example. It's a toilet IoT sensor, which is actually a small little box which is put into the toilet, and this box has sensors, it's an Intel box, I don't know, and these sensors help analyzing the stool. And the data that is collected is going to be sent into the cloud, and actually this could be very useful for people who have chronic diseases like colitis ulcerosa or other chronic diseases with digestion, but it is mainly designed for healthy people who want better nutrition and to reduce their stress levels through the stool analysis. And maybe it sounds good at the beginning, but the data that is collected could also be used for other things in the future. So it's a perfect example for Internet of Shit, but there's another Internet of Shit, which is a Twitter account that collects all these funny little stories. It's not from me, so I'm not behind that. I tried to reach the person, but I never got a reply, so I can't tell you anything about them, but they collect examples, so if you don't follow them now and are interested in this topic, you might do so after this talk.

So after presenting a couple of IoT examples with the good and a bit of the bad sides, I first want to focus a little bit on the problem, because as I said before, you might now think that everything is nice, comfortable, why shouldn't we do that, and stuff like that.
So the problem is that most of the vendors that are doing IoT stuff now, that started to connect everything, were creating manually operated devices without connectivity for long years, and they had a lot of knowledge in terms of materials, ergonomics, mechanical engineering, but almost zero in the field of IT security. Actually, I don't say that without having talked to vendors that said exactly that to me when I interviewed them. Like, there was a light bulb vendor from Austria, a really big vendor who has been making light bulbs for years and years and years, and actually they started to make connected light bulbs in 2015, and when they did that, I asked them, oh, how big is your IT security department? One person. So they didn't actually have the knowledge that IT security might be more important when they start to connect things. And actually, the result is that these vendors are making the same sort of security errors that the high-tech industry was dealing with 15 years ago. So the early 2000s called and want their web security, their lack of security, back. So there are all kinds of problems we already know from the past: hard-coded passwords, unsecured Bluetooth connections, permanent cloud server connections, and a lot of other stuff. So from all these 20 billion devices out there, there will be a lot of unsecured devices. And the problem is that they are collected into a botnet and are starting DDoS attacks, and we are going to have internet outages.

For those who are not familiar with the terms, I made a really, really, really short explanation so that you also understand what I'm talking about. A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Like the example of the refrigerator that was sending out spam I told you about earlier. One refrigerator was sending out 750,000 spam mails, by the way.
And the botnet has a botnet owner, of course, because it's not only a zombie botnet, and the botnet owner can control this network of infected computers by issuing commands to perform malicious activities like DDoS attacks. So DDoS is a distributed denial of service attack, and actually that's an attempt to stop legitimate visitors from accessing the data normally available on a website. And this can actually lead to a complete shutdown of a service. And we had this already, so I'm not talking about something in the far future, but we had this in 2016. And most people already recognized it, but they didn't recognize why. The Twitter accounts did not work. They couldn't use Reddit or Spotify, or they couldn't pay with PayPal at the moment. And behind that attack was Mirai. So several other major services were offline because an infrastructure provider was attacked by zombie IoT devices. And this was one year ago, and now, one year later, Mirai botnet infections are still widespread. So not every zombie device is already secured, so there are still some around, and not so few. And actually there is a study saying that every botnet infection, no, every security hole, is staying there for at least seven years, which means that all the unsecured devices which are out now could get infected and could stay infected for seven years. So that's why it's very important that we do something really quickly and not start in 2020. So Mirai was supposed to continue in 2017, and actually a lot of DDoS attacks and similar attacks like Mirai happened in 2017. This is an example, "could unleash at any moment", which was in November. A few days later, exactly this attack was unleashed. So it happened. In 2017, we also had a huge increase in DDoS attacks, a 91% increase from Q1, and it's going to increase more. So I have to take a short sip, sorry.

Now we are coming back to examples.
One really good example is the university that was attacked by its own vending machines and smart light bulbs and 5,000 other IoT devices. This was very, very, very difficult to get fixed, because they couldn't take the university network down. So they had to find a really difficult solution to get it back up. And actually, how did they even notice it? Because the students complained that the internet was going so slow. Another example, which has nothing to do with DDoS attacks anymore, but with IoT sensors: actually, in a fish tank in a North American casino, there were sensors which were measuring the temperature of the aquarium so that the fish didn't die. And these sensors were sending the data to a PC of this casino, and this PC was using the same network as the sensors. So actually, the cyber criminals could access the data of the casino and were stealing it and sending it to their own servers in Finland. And the amount was about 10 gigabytes of data.

Another example, which is actually one of my most... I don't know why, but it's the example I personally like most of all the examples I collected in 2017. So there was a surveillance camera bought by a Dutch woman. Actually, she wanted to surveil her dog when she was out at work, but what did this camera do? It did surveil the dog when she was out at work, but when she was at home, the camera followed her through the room and was watching her all over the place, and it had a microphone integrated, and one day it started to talk with her and said, "Hola, señorita." And this woman was so frightened that she actually started to record that, because she thought, oh, nobody will buy this story, they'll always think I'm crazy. But this camera actually did not surveil the dog, but was hacked and surveilled her. And it was a very cheap camera, by the way. She bought it in a supermarket, but we don't know the name of the vendor in this case.
So, coming from a very cheap camera to a very high-tech camera: the camera you see here is one that is actually built into a lot of companies. And there was a security hole found by some Vienna security specialists from SEC Consult, and actually they demonstrated to me how they could hack into this camera and how they could make it possible that this camera shows pictures of an empty room in a bank. So the pictures from the empty room in the bank were shown to me, and in reality the bank was robbed. Okay, not in reality, but it could have been robbed. So that's actually sounding a little bit like a movie scene. And actually this camera, which is sold as a security camera, is kind of useless when it doesn't have security and doesn't really show the picture. And the problem with this camera was hard-coded passwords. And the hard-coded passwords got fixed afterwards. So it was a responsible disclosure process, and this camera is safe now.

So I'm coming to a different example now, and this finally explains why this toy is sitting here. Before my talk, everybody was telling me, ah, you brought your favorite toy to protect you during your talk. And I was loving it. No, no, no, no, it's not protecting me. It's one of the most unsecured devices out there. But before we come to this one in particular, I'm going to talk a little bit about connected toys. So the German Stiftung Warentest made a study regarding connected toys. The people were testing them. And actually all of the tested bears, robot dogs and dolls were very, very insecure. And some of them were even critical and extremely critical, and others were critical. And actually, what was the problem with the toys, and also with this one? They were using Bluetooth connections. And these Bluetooth connections are not secured by a password or PIN code. So every smartphone user close enough could connect to the toy and listen to children, or ask questions, or threaten them.
And another problem is the data-collecting apps related to this stuff. So actually this little unicorn has an app where you can send messages. So what does this actually do? It can play messages. And as a child you can record messages and send them to your mom or your dad. And when there is a message waiting, the heart blinks. So actually there's a message waiting for you now. And I'm not sure if it's the same one that I recorded earlier. Maybe now it is. Maybe at the end of the talk, when I press the button again, it might not be. And so, sorry, this device does have an app where you can send the message to. And it also has a children's interface. And when you are using the children's interface, you're seeing that there are ads integrated. And in the children's interface there are ads for porn and other stuff which is not really in the best interest of a child. And this is also what Stiftung Warentest has actually found out. The data is also sent to third-party companies, and they put trackers in to track the online behavior of the parents. This is also done with this device. So Stiftung Warentest advises that a non-connectable dumb teddy might be the smarter choice in the future.

And before I finally press this button, you're probably curious now, but first I'm going to talk a little bit about Cayla. You probably have heard of Cayla as a very insecure doll. Actually it got forbidden in Germany by law. It is judged as a prohibited broadcasting station, and parents who do not destroy it will actually be fined. And I tried to buy Cayla in Austria and didn't get the doll. So actually it should be really off the market in the German-speaking area.
And actually that is also a result of a campaign from Norway called Toy Fail, by a Norwegian consumer organization which actually, this is Cayla, you can see her now, went to the European Parliament to make them understand how insecure toys are doing a lot of harm and how we should put more security into toys. And I've brought you a short little video, and I hope we can hear the audio here as well. We will see. No, you don't hear anything. But that doesn't matter, because they have subtitles. He's speaking now at the moment. We don't trust Cayla, and we also don't trust our little unicorn. Okay, somebody has hacked it. Okay, that's what I recorded earlier. But there is some time left. Maybe, maybe, but you're all sitting too far away actually. And none of you brought your computer. But we will see. I will try it later on. But actually you shouldn't trust this unicorn, because this unicorn is from the company called CloudPets, which is, no, sorry, it's a toy called CloudPets, and the company is Spiral Toys from the US. So this is CloudPets, and there are cats and dogs and unicorns. And it's very ugly, but it's a unicorn. And actually now I'm already talking a lot about this, which is why I'm explaining it now. There already was a data breach with this toy. So the children's messages in the CloudPets data were actually stolen and were public on the Internet. Two million voice messages recorded on the CloudPets toys have been discovered free on the Internet. And actually, Spiral Toys said there was no data breach, but the data was there. So that's also why I brought this. It was still very easily available. And actually, as I said before, the app for a child, the interface, shows porn ads. So I would not recommend that for your child. Actually, there are already a lot of institutions out there which are warning about connected toys. Also the consumer group, which actually did a study about this and others, like the Furby Connect, which they analyzed.
The German Stiftung Warentest, the Austrian Verein für Konsumenteninformation, the Norwegian Consumer Council and the FBI. The list is to be continued. So consider if you really need a connected toy for your child, or for yourself, because the next section is about sex toys.

It's not necessary to say a lot about this example. It's actually a connected vibrator that has a built-in camera. And this camera is very, very, very unsafe. Also, this toy is really expensive. So you can't say it's only the cheap stuff that is so insecure. Also the high-tech stuff can be really insecure. I mean, this vibrator costs $250. So it's very expensive. And it has a built-in web-connected endoscope. And they found out that it's massively insecure. The password of this, if you forgot to change it, a few more players than expected might be watching your video about your private sex adventures. There was another example. Actually, in this story, going back one more time to this example, there's a very funny video on YouTube about it. Maybe you want to watch it. I didn't bring it because I couldn't reach the makers of it. So I'm going to the next example, which is about a case of a sex toy company that actually admits to recording users' remote sex sessions. And it called it a minor bug. It was this Lovense Remote app. You can see the icon here. And actually, this is a vibrator and an app. And the vibrator-controlling app was recording all the sex sounds, or the sounds you're making when you're using this vibrator, and storing them on the phone without your knowledge. And the company says that no information or data was sent to the servers. So this audio file exists only temporarily and only on your device. And they already had an update. So actually, this is not as funny as the other story, but still it's an example of how insecure sex stuff can be. So there are a lot, lot, lot more sex examples out there.
One you should actually definitely search for afterwards, please don't search for it now, but after this talk you could Google or DuckDuckGo or whatever you use the terms "blowjob injection", and please add "security", because otherwise you will land on other sites. And this was a female security expert who was doing research about a device which was supposed to let your girlfriend make you a special program, your special blowjob. And this could be hacked. So somebody else's blowjob might appear instead of your own. So there's also a story about a map of butt plugs in Berlin that are insecure. Also, if you are interested in that, please, please also search for that story. Because it's funny to talk about this, but I also want to talk a little bit about things that we could actually do. And one of the projects in this part is actually doing something: it's called the Internet of Dongs project, hacking sex toys for security and privacy. And as you can see, it's supported by Pornhub, which in this case means that they get money from Pornhub so that they can buy the sex toys for their research. So Pornhub is sponsoring them. Actually, I did talk to the guy who is behind this project. He's called RenderMan, and that's a render of him. And this is the website, by the way. So he told me that they're currently a team of about 15 to 20 people out there that are doing the security research in their own spare time. And they are not getting any money for it, and they also don't want to get any money. But they're already looking for more security experts that want to join the team, and they also have an ethical codex and stuff like that. And actually, one of the most important things that he was telling me is that he doesn't want you to stay off connected sex toys at all, but to find the security holes so that we are all able to use them if we want, without any fear. So, yeah, you can get in contact with him if you're interested.
Coming to a different section now, you can see I'm switching from security to security and privacy, and now I've landed on the privacy section. This is Google Home, and we all know that there's also Amazon Echo, and digital assistants are also smart IoT devices, and that's why I want to talk a very, very, very short time about them, because I'm sure a lot of people got those devices for Christmas. Actually, there was a big increase of digital assistants in the last year. In the third quarter of 2016, there were only 900,000 of such devices sold, and in the third quarter of 2017, we had more than 7.4 million of those devices sold. So, there's a huge increase, and we don't even have the numbers of the Christmas time. Yeah, you have seen it. So, why do I want to talk about it? Because when you put this kind of stuff in your home, it might be very comfortable at the beginning, because you don't have to look up the weather information. You don't have to read your emails. You can make the device read your own emails. You can use them to program your lists of what you're going to buy and stuff like that, but that's how they learn a lot about the user's habits and personality, and those devices will learn more and more information about you, and this information does not stay in your own home. It is actually going to be sent to the servers of Amazon and Google, and I don't need to tell you what Amazon and Google are doing with this data. Currently, they're only collecting it, but that's very valuable, and they turn around and use it or sell it in various ways to monetize that information one day in the future. So, all digital assistants send the voice controls that are made after "OK Google" or "Alexa" to their servers, and the data will be saved there, and it was not possible for me to find out for how long and at which servers. It's not in the terms and conditions, and I couldn't find it anywhere.
So, also the German data privacy delegate Andrea Voßhoff didn't find this information. She criticized that it's not easy for users to understand how, to what extent, and where the information collected is processed. Also, it is not clear how long the data will be stored. So, if you still want those devices in your home now, there is at least a physical mute button with Google Home and Amazon Echo, and you can also change the settings to control the data, so that all the data that is collected is regularly deleted from the servers, but of course, you never know in how many backups it's collected as well. So, yes, it's only recording after this voice command, but both devices already got hacked: Amazon Echo got hacked in 2016, and Google Home Mini got hacked in 2017. Of course, both problems got fixed, and when I say got hacked, it means that the devices in your home were listening to the conversations all the time.

So, I'm coming, unfortunately, the funny examples are over. I'm coming to the part where I want to speak about what we can do against the lack of security and lack of privacy with the Internet of Things. So, we currently have the status quo, where we have an information asymmetry between the vendor and the customer. Currently, the manufacturers do not need to provide essential information about the security of a device, such as how long it will receive security updates. So, when we buy a device, we never know, oh, is it going to be safe or not? So, what do we need? Actually, what do we need? I wrote down a couple of things here, which are partly stolen from the green MEP Jan Philipp Albrecht, from his program, because he's dealing a lot with that kind of question, what we can do, in his work. And I also stole some of those suggestions from RenderMan from the Internet of Dongs project, who also had some helpful tips.
And I also stole some of the information from security experts I talk to in interviews all of the time, because we never talk only about the bad things; we all want to get the Internet of Things safer at the end. So, some of them suggested that we could need a security star rating system similar to the energy labeling. And when we talk about security star ratings, that could mean that we use a label. When a device gets security updates for free for the next five years, it gets the A++ label. If there are no updates at all, and it stays insecure, it gets the bad rating, or such things. Actually, vendors should also be forced to close security holes instead of ignoring them. And they should provide the security researchers with email addresses where they can easily report security flaws. Because sometimes the hardest part of the game is to actually find the right contact to send out the information about what's insecure and what's not. What we also need is a mandatory offline mode for electronic devices. So, this device at least has a button where you can turn it off, so it doesn't listen to you permanently. And we need that for all devices, all connected devices. Also, an airbag and seat belt for the digital age. And we also have to talk about product liability and a clear update policy.

So, there are also good examples that we have now. Actually, all that I was talking about here is regulation. Regulation that does not exist at the moment. But there is some regulation that does exist for data, which is the GDPR, the General Data Protection Regulation, which is coming up in May 2018. And it has included some really, really helpful things: privacy by design and privacy by default, and more possibilities for law enforcement. And this is very, very important, because it doesn't mean that because we are going to have a regulation about privacy by design and privacy by default, this is really done by the vendors.
Actually, when I was interviewing some of them, they already told me that it's not their plan to integrate that in their products. They are going to wait until they are sued. They say, oh, we don't need it, why should we do the work now? No. So, that's why the law enforcement comes into place. And maybe some of you know Max Schrems. He's also speaking here in two days, about something else though. And he's a data protection activist. And he says that everything that goes will be done in this phase we are in now. But if vendors won't observe the law, we have to remind them to do it. So, this is how it looks. And he says that with this new regulation, we can, as customers, ask for compensation when data breaches occur. We couldn't do that so easily now, but with this new regulation it will get a lot easier. And if 4 billion people sue a company and ask for compensation, that could be a bit expensive at the end. So, if you are not able to sue anybody yourself, which is not cheap, so not everybody will sue companies, you can support organizations that help you with that. Like the new organization from Max Schrems called None of Your Business. Maybe you have seen this already. I'm not saying that you should support especially this organization, but his plan is to actually do the stuff I explained earlier: sue companies that are not abiding by the law. So, if you want to visit the website, they're currently collecting money.

What else can consumers do? Here are a few tips. We can't do much, except a few easy things. Does this product really need an Internet connection? Is it possible to turn it off? Is it still working after that? What do we find about it on the Internet? Can we reach the vendor? Does the vendor reply when I have a question? Do we get more information? Sometimes also clicktivism helps to stop vendors making stupid decisions.
Here is another example, from the vacuum-cleaning robot Roomba, whose maker wanted to sell the data that is collected from the home by the vacuum cleaner. And actually there was a huge, huge, huge shitstorm after the CEO announced that. And after this shitstorm, the CEO said, okay, no, no, no, we're not collecting, we're not selling your data. No, no. So sometimes this helps as well. And of course, follow the basics in IT security. Please update everything that has updates. Use separate networks for IoT products and use safe passwords. Support open hardware and open software; products where the data is stored locally are always better than in the cloud. And if you're tech-savvy, which I think you are here, start building your own tools. Because then you have the control. And what can developers do? Support privacy by design, security by design. Think about it from the beginning. Because you can change it and take responsibility. And IT security can also do some stuff, or continue to do some stuff. Point the vendors to the problems. Make helping IT security stronger. Keep reporting the flaws. Publish your research. Help develop standards, labels and seat belts. And support each other's work to get a stronger voice about this.

So I'm coming to the end of my talk now, and back to the topic of the Internet of Fails. "How many must be killed in the Internet of Deadly Things train wrecks?" This is actually an article I was reading with huge interest myself, because it was making comparisons to the great age of railway construction. It was likewise riddled with decades of disasters before the introduction of effective signaling and fail-safe brakes. And there was also a comparison with the automotive industry, where the mandatory fitting of seat belts, designing the bodies of cars to reduce injury to pedestrians, airbags and measures to reduce air pollution were not introduced early enough.
So this guy was asked, do we really need to kill a few people first? And he said, unfortunately, that will happen. So he says safety and security standards for the Internet of Things can't come soon enough. I agree with that. We need standards really soon. So, at the end of my talk, and if we have some time left, I'm waiting for your questions, ideas and input now. Otherwise, I will thank you very much for your attention.

Thank you, Barbara. A very warm applause. So, a small piece of information: if you want to exit the room, please exit the room to your left over there. So, questions. I see one question from the signal angel.

Hello? Okay. The Internet wants to know: well, those companies don't have any IoT security work whatsoever, or basically none. So what can we do to make them have more? We as consumers?

Yeah, basically. Yeah, actually, what I said was, I would write them and ask for standards. I think it can be the first step that we can write emails or call them and say, well, what kind of security is built into this device? Can you tell me? Otherwise, I won't buy your product.

Thank you. Any other question? Okay. In this case, again, thank you, Barbara, for your nice talk. A very warm round of applause. Thanks.