Welcome to SHA 2017. Tonight we have Barbara Wimmer, and she's going to tell us about science fiction in the present. So maybe it's science fiction, a little bit of entertainment and show business, but also some more serious stuff like privacy and security. So give a welcome and warm applause for Barbara Wimmer.

Hello everybody, I hope that you will enjoy the next 45 minutes. The topic is best of IoT fails, and actually I wrote a song about this called "Smart Lies", and it goes like this: Look how smart we are, sensors everywhere because we care. We connect ourselves with devices and can't see the upcoming crisis. Apps for lamps, sensors for flowers, fridges and signals, TVs get witches. Everything is connected and we unplug our brain, but lives are affected with stupidity and pain. Welcome to the Internet of Things.

You all should know that I'm not a security researcher but a journalist, so everybody that expects to get any details about the things I'm presenting, please don't, I can't explain the details to you. It should only be a presentation of more funny examples and a little bit of a mix with science fiction. I also talked to a couple of science fiction authors in advance of this talk that are going to be mentioned in quotes. And, well, the Internet of Things can be the connected coffee machine and the connected vibrator.

One example is a smart coffee maker that can connect with other things, like even fitness and sleeping trackers, via IFTTT, and so it can automatically mix you a strong coffee when you had a short night, as an example.

Actually, the numbers of how many connected things are expected in the near future are collected by Gartner. At the beginning of this year, in January 2007, they said that eight million three, eight point three million connected devices are already around, and in 2020 we will get 20.4 million connected devices. So we are getting a huge increase in a couple of years ahead of us, and we are already having a lot of devices out there. The problem is that most of the devices that are out there are not really secure or privacy friendly yet, and there is actually a little bit of a sign that they will be in the future, but not too much.

Apart from the Internet of Things there's the Internet of Shit. You all know the Twitter account Internet of Shit, but there is really some toilet IoT sensor out there by an Israeli startup named Outsense. It has a display at the toilet with a box of sensors attached to the seat, with a tiny intercomputer that connects to a mobile app that helps analyze excretions, and the stool analysis data is sent into the cloud. From there it can be used to manage health and nutritional and stress issues. Actually there are certain diseases around where the sensor could really be helpful, like Morbus Crohn or Colitis ulcerosa. These people, they kind of really can use this kind of sensor, but the startup aims not at these people but aims at the normal people that just want to connect everything and get better health out of their stool analyses. And there really are people around that send their data to the cloud.

Well, you all know the Internet of Shit Twitter account probably, if not, now you know it: a site that collects every kind of IoT fails. And apart from the Internet
of Shit we got the Internet of Dongs, which is the name of a project that hacks sex toys to keep your intimate life private. This is how the website looks like. There's a collective, I didn't speak to them yet, so I can't present you any more details about this project, but they are actually getting supported by Pornhub, because they got equipment sent by them to test. And actually they work together with the vendors, and the vendors really fix the security issues they report. So I think this is one of the good examples in the scene that is really helpful to make IoT devices better in the future.

But we all want to know: what could possibly go wrong? This is actually a question everybody who is an author asks themselves every day when they write on a plot. It's like, oh, what could possibly go wrong? But actually this is a question society should also ask itself, or we ourselves, before we connect everything. The science fiction author of Lord of Rings, Lord of Things, sorry, not Lord of Rings, in German this book is called Herr der Dinge, Lord of Things, it's a German science fiction author, he thinks that IoT is the new recipe for a new range of disaster plots. I think he's right, and actually we already have some, because there are thousands of fails around already in terms of privacy, security, updates and planning.

Actually, a use case is essential for an Internet of Things product, and not everything is actually having one. For example, there is this startup called Juicero, you've probably heard of it. It was funded with 120 million dollars. It's an internet-connected juice machine, and it was sold at the beginning for 700 dollars, and it didn't have any use case, because the fruit could be pressed by hand more easily and there was no use of the internet connection at all. This is a fail in planning.

Well, now I want to get a little bit back in the timeline, because I presented the numbers of things connected in 2020, but there are like already a lot of
devices, and at the beginning nobody did care about security. The first hackers showed that already in 2013 at Black Hat, and in 2014 there was the first fridge around caught sending spam emails in a botnet attack. It was the first documented attack of this kind, and IoT has been used as part of that, sending over 750,000 spam mails, and this was just the beginning. This is also a nice quote: "The early 2000s web security called and they want their lack of security back."

Well, 2016 we had this big Mirai. I am sure I don't tell you anything new with this, but I can't let it out, because it was really an important attack. A botnet with approximately 100,000 unsecured IoT devices took an integral internet infrastructure provider partially offline. The people, actually also the media, did notice that mainly because Netflix and Twitter disappeared from the internet for a short time, and suddenly everybody was like, oh, why is Netflix not working, Twitter is not working, what, hackers, oh my god. So it was Mirai, and they didn't really know what was going on, but you probably are not surprised, we're not surprised at all. It also disrupted the Deutsche Telekom and TalkTalk in the UK, and Bruce Schneier said: expect more attacks like the one against Dyn in the coming year. So I'm also sure that we will see much more attacks in the future, because devices out now are not really improved yet.

But you're probably all waiting for the funny fails now, because that was like more serious kind of stuff. So let's talk about this nice little car. You all know it from the film Cars, it's the Ultimate Lightning McQueen, and it's a toy now sold by Sphero for 349 euro. This little car got in at our work, we tested this, and actually it took one hour to even start it because of a software update. Before you can use it, it takes one hour until it even starts working with anything. And it can only be run by an app, it doesn't have a physical button on the car but only runs
by app. And well, it also has a camera integrated, no, that was wrong, it doesn't have a camera, it has a microphone, sorry. When you want to watch the film Cars, this little car can sit next to you and comment on the film. You have to turn on the microphone with this app that also controls the car, and then it can comment on the film. Oh sorry, that was too early, don't look at this now.

I don't want to talk about the car anymore, and not about the coffee machine, but a different example about update processing that could probably go wrong a bit. There's also a story about a porn film producer that regularly gets sent vibrators to test before, whether they might be useful to integrate into films. She actually got this tool, which is also very expensive, four hundred dollars, she said, and she unpacked it and started it by an app, and then it started to vibrate, and then the app was saying: this tool needs a software update right now. And the vibrator couldn't be turned off for 30 minutes, and it was standing like here next to her on her desk and was vibrating the whole time for 30 minutes, and she was getting kind of scared, because she's not really used to that, and there was no off button as well on this thing. What I wanted to say with this example and the last one is that there are very expensive toys around that just fail at having the most essential button, a physical off button, and are connected to the internet.

Well, yeah, so what you see here is the coffee machine. We were bothered by the coffee machine before, but this is a special funny case from Germany, because there was a fabric in Germany that did not connect the coffee machines to its own isolated Wi-Fi network but to the internal control room of the chemical fabric where the processes were made. So the operator that did not contact the support about his monitoring system not working, and he forgot to mention the coffee
machines were showing the same error. So the coffee machines actually affected the whole chemical fabric, and it was a ransomware attack, and of course the system was running on Windows XP. The operator said that he wanted to upgrade it, but it's not possible due to some law stuff. Of course the problem was fixed, but the guy responsible for that was really angry, because the vendor of the coffee machines just did make some mistakes.

This was also not the first example of a network connecting failure. You maybe remember the vending machine that was attacked by their own, I mean not the vending machine, but the university that was attacked by their vending machines and their light bulbs. It was about five months ago, and the firewall analysis identified over 5000 discrete systems making hundreds of DNS lookups every 15 minutes. These machines were also connected to the network for easy management, so the whole university network, for the students, for the teachers, for the machines, was all the same. That's why this problem could arise, and the botnet could spread from device to device by brute forcing the default passwords. Actually there would have only been two solutions to solve it, either to get rid of all the machines, which isn't actually a solution for a university, so the university used a packet sniffer to intercept a clear text malware password for a compromised IoT device, and with these passwords the developers were able to write the script to remove the infection across all devices at once.

There's also another dildo. Well, sorry, it's all about coffee machines, dildos, vending machines, whatever. So there's actually a dildo around that is a vulnerable Wi-Fi dildo camera endoscope, and this is especially funny because it's a Wi-Fi access point as well, and it has hidden functionality to connect itself to Skype and to save videos automatically to a network file share. The device's default password is easy, and if you use this and you change to the
you forget to change the default login credentials, well, you will have a few more players than expected that might watch the newest video of it. This is how it looks like. And actually this was done by Pen Test Partners, and this is the disclosure timeline. They didn't get any response, and then after a certain time they did release this to the internet.

Okay, then I have a few examples of update failures. I don't think I will need to tell a lot with the couple of things here. We talked about updates before, but of course there are things updating that are actually currently in use, and it's really not helpful if somebody wants a drink now and can't get one because the machine is updating. This is also valid for a ceiling fan and light bulbs. Well, there are a lot of light bulbs around that need updates, and it takes a long, long, long time, and if you can't turn on the light for 30 minutes and sit in your dark room, that might not really be helpful. And it gets worse if you want to use an elevator and the elevator is doing a weekly virus scan instead of bringing you up to the floor. I mean, if you're a disabled person that is not funny, it's serious actually.

But updates of course are important. If the Internet of Things stuff is updating itself, it can be secured, but there are so many devices around that can't even get any updates. So actually it's funny to think about the fails when it takes such a long time, but in the end it could be helpful, because this way the devices can be secured, otherwise they might never get secured.

So I asked myself as an author and journalist: does technology beat science fiction nowadays? And I asked a couple of science fiction authors around, and they did have quite different answers, everybody has his or her own view. Bruce Sterling answered me: that's like asking, is reality stranger than fiction? And of course reality is stranger than fiction, because fiction needs to be plausible while reality is real. So everybody,
everything an author is getting written down needs to be plausible, while everything that is just happening is just happening because it's happening.

I also talked to Johannes Grenzfurthner from the Vienna collective monochrom, and he said: "In some respects, yes. I would never have thought that I would see self-driving cars in my lifetime, and they are only five to ten years away from widespread everyday usage." The science fiction author Ann Leckie said: "I'm not sure I'd say that science fiction is primarily about technology as such. I think science fiction isn't about technology as much as it's about how we deal with technology." Which is also a really good point.

And Andreas Eschbach, I quoted before, I don't know if you can read this, but I'm reading it for you: "Science fiction depends on scientific and technology contexts the reader can understand in order to follow the implications of the story, but today's technology is far beyond common understandability, so it has become almost impossible to build a plot on these things anymore, with the result that science fiction is mostly backdated: spaceships, aliens, laser weapons and galactic empires ad infinitum." Marc Elsberg, who wrote the book Blackout, also an Austrian author, he is saying: "Nope. Or it depends on the fiction." So there's not really one answer, there are many answers around.

And when will the time come when a coffee machine says: no, you are not allowed to drink anymore, otherwise your insurance policy will be cancelled? This is actually a fictional example, but we don't need any fiction right now. We have Roomba, which is the iRobot, I mean it is a robot by iRobot, that is mapping our homes, and the CEO Colin Angle did say he wants to share this data from the maps to improve the future of smart home technology. So actually Roomba wants to do something which is even allowed yet in the terms of service and the privacy policy, because everybody clicks yes and nobody thinks what he's doing,
but he's not allowed to sell it yet, so he's just allowed to share it but not sell it. There was a big discussion about it, because he actually wanted to sell it to other vendors, and actually there was a big, big media hype around that. So people were crying: oh no, we don't want our data to be sold to other things which are recording in your own private room. But actually this will be happening in the near future, I think.

And we have to ask ourselves what we do want as a society. Do we really want an internet of unsecured things connected to everything, or do we want to have a secure internet? And is it maybe not important to connect everything when there isn't even a use case for it? Or how should we deal with it? There are a little bit of answers yet, like you could do some standards, which are working in other parts of the security stuff, but for the IoT there are no standards yet. And also vendors could be punished if they make unsecured devices, and that would also be a possible solution. But I don't see actually right now in which direction it is going to get. And I thank you for your attention.

Yes, yes, if there are any, I think it's good, hear me? Yes. So for the next minutes we have a question and answering opportunity. So is there somebody who would like to have a question? Bad light. Nobody? Okay, then let's have a warm applause for Barbara Wimmer. Thank you.