Our next speaker. Hacks banks by day and other random things at night. Currently sex toys. So his focus for his talk today is to explore the under-researched branch of IoT and the security and privacy threats that exist. So to present on his talk of IoT of dongs, ladies and gentlemen, RenderMan. So yes, I am RenderMan, this is Murdoch monkey. Just so you know, I did a little bio hacking on my liver last night and so when I was working on the slides, I guess I forgot to hit save. So I was just sitting in the back hacking together or something so if this seems a little disjointed, I apologize. This is a serious talk. Let's, you know, try to be adults here vaguely. I mean, there are no children in here, right? Okay, good. I want to pay 30 peoples. So yes, Internet of Things. We all know about it. Manufacturers not, you know, the security on them is terrible. They don't have a way to update them or they just don't care. Users don't consider the security and privacy of using these things until it's way too late. Groups like I Am The Cavalry are doing amazing work on automotive, medical, but nobody wanted to touch sex toys for some reason. But you know, this shows that IoT is permeating every part of our lives, including one of the most private, bedroom activities. So yes, sex toys are now being connected to the Internet. For a lot of people, that's like they can't grok that, you know, initially, let alone that there's security issues. Basically what we're looking at is sex toys, kegel exercisers, general rings. If it goes into your genitals, your genitals go into it or it goes around genitals. That's when we're worried. Those are some of the devices we're worried about. A large number of IoT research firms, yeah, they didn't want to look at this because there's stigmas around sex. We have a very weird thing in North America about sex. We'll watch all the violence we want on television, but we can't see two people have sex. Makes no sense to me.
So it started basically because I had the idea rolling around in my head for about ten years, happened to mention it to the purveyor of an adult toy store back home in Edmonton, and she was like, this is a good idea. I do all these in-home demonstrations and, you know, it's like a Tupperware party but a different kind of Rubbermaid. But it's like, yeah, I've got some, you know, old models, you know, ones where the batteries don't work or a broken power connector, and she gave me these old demo ones. And, yeah, started diving into this stuff and it got real, real quick because when you now realize it, the question is, is hijacking the remote control of a connected sex toy sexual assault? I hear that uncomfortable giggle, but no, think about it. You know, you, you know, you have a partner, you give them permission to control this device, someone else hijacks the connection, that person does not have permission, that fits the definition of sexual assault. There have been several cases of rape by deception where it was like, you know, if your twin brother has sex with your wife kind of thing. It's very interesting because they usually are dismissed on some sort of technicality. Again, I'm not a lawyer. I really want to put an interesting query into the EFF about this. Canada's sexual assault laws specifically define, you cannot, consent obtained by fraud is not consent. So in this case, yes, if you're impersonating someone, you know, by hijacking their account or whatever, yes, that is not, you know, consent goes to the person on the other end, not the account. But it gets really weird when you start looking at laws because these are devices that are voluntarily used. It's the same data that, you know, their intimate partner would be sending, but not by that same person.
But if you find out that it wasn't the person you thought it was controlling it, the emotional horror and trauma from that is, you know, should not be anywhere dismissed or, you know, feel any less than a physical assault. So you probably all heard about the We-Vibe lawsuit after DEF CON last year. For those of you who weren't around, goldfisk and follower did a talk where they found a number of issues with the We-Vibe. Full disclosure, I had actually put in the exact same talk that came to the exact same conclusions as them. They got selected. They were first-time speakers. I've spoken way too many times here. It all boiled down to they didn't have the right privacy policy in the app. It basically was the privacy policy from their website. So it didn't, you know, it was getting cookies and stuff like that. It didn't disclose, you know, some of the information that they're collecting from the app and the device. And, yeah, they got nailed to the wall because, hey, you know, if I had known that this was doing this, I wouldn't have bought it. Deceptive advertising and such. Absolutely no evidence of malfeasance, you know, data leak. They weren't abusing it. You know, weren't doing dossiers on users or anything. It was just literally a paperwork oversight. So the biggest lawsuit regarding all this stuff had absolutely nothing to do with, you know, actually technical privacy or security but just legal paperwork. They settled for $5 million in a class action lawsuit. And we should be finding out in the next two, three weeks how much people actually get out of that. Could be up to 10 grand if you'd used the app and the device. The interesting part is We-Connect was actually one of the better apps even before all this. You know, they were one of the best ones I had tested. You know, they still had some issues but, yeah, they were actually doing SSL, at least halfway right. They were, you know, doing a lot of things that you would expect.
After they got hit with this lawsuit and goldfisk and follower's talk, they stepped up and basically completely re-engineered their app. It's now kind of like the gold standard I have for other vendors. It's like you need to be doing all the stuff that they're doing. You know, they got rid of things like, you don't need to create an account to use it. So there's no personal information being collected there. It allows for, you know, you start it up the first time and it says, hey, would you like to opt out of anonymous data collection? Cool. You know, gives people the chance right there the first time. Looks like they're actually doing certificate pinning. Like, holy crap. Still some issues. My favorite is that you still can't visit their website over SSL. Like, I've been hammering on them about that for like 18 months and they still have not gotten back at all. It's just hilarious. You probably also heard about the Siime Eye controversy. This is a vibrator with an embedded webcam. Hey, I don't judge. Basically, because it's doing video it needs bandwidth. So it uses Wi-Fi. When you start it up, it becomes its own access point. So you connect your tablet, phone, whatever, to it. So it's not actually connecting to the internet or anything like that. So you can, you know, view the stream, control it from your phone. It's basically a Ralink system-on-chip running BusyBox. Interesting to note, yeah, I smuggled my GPG keychain across the border on a dong. Because there was about eight megs of storage available on there. So proof of concept. I had to do it. I've also, there's the embedded web server. And yes, I have actually hosted a website, you know, on the internet, on a dong. Literally, all it is is a reworked, you know, cheap Chinese IP camera that they, you know, made fit in the particular container. That's a picture of my nose. Pen Test Partners, Ken Munro. Is he here? No? Okay. He's probably over by IoT Village.
Literally, this thing was in the air from Amazon when they released their report. They had found all the same things I had already in the software. I didn't have the hardware yet to confirm the last few. While the report was factually correct, there was a lot of, like, innuendo and jokes and just juvenile humor. They released it under a pseudonym of, you know, Bill DeGiorre. That's like, really guys? You know, come on. We're professionals here. So I took some exception with that. Posted a rebuttal saying that, yes, your evidence of risks was true, but you blew it out of proportion. Like, oh my god, these things are Wi-Fi, so they're broadcasting to anyone and, you know, war drivers can pick this up and add it to, you know, WiGLE.net. You know, show a screenshot of WiGLE.net. Well, if you log in to WiGLE and, you know, use the Siime SSID in search, you find two. Both of them are roughly the same location outside a four-story sex shop in downtown Tokyo. So out of, Christ, I forget how many they're up to. They're like, you know, 600 million access points cataloged. Two. And it's, you know, demo stuff in, like, an incredibly packed part of town. So like, yeah, the risk is very, very minimal on that. Yes, there was a default PIN that, interestingly, their previous software didn't give you any way to change, nor did any of the instructions. It would tell you repeatedly, change the password, change the password. Not how. So I posted this rebuttal and, you know, working with Ken Munro and that, they made a bunch of press, but unfortunately, you know, this whole project didn't get mentioned. So I'm like, Ken. But no, it got them on the same page, but it shows that people are paying attention, you know, that the public is now considering this. So vendors were already freaked out by the We-Vibe suit. Seeing this, you know, getting dragged through the mud didn't help them much either.
It was also a great example because they tried to, you know, do a coordinated disclosure with the vendor, but they never replied. Like, this is why you need vulnerability disclosure programs that actually, you know, are acted upon problems. The problem with these things is that you have, you know, the potential for really dumbass regulations and stuff like that. I mean, you got some 70 or 80-year-old geriatric, you know, congressman or senator trying to figure out this technology and it's like, oh my God, that's aberrant. You're like, oh my God, you know, sex. You know, considering that they're probably also doing their secretary or something. You know, it's like you're looking for solutions to a problem that doesn't exist. It may not be your thing, but doesn't everyone deserve privacy and security in what they do? Even if you don't agree with it, if not, you're wanting people to be hurt. You're a terrible human being. And it's issues like that. That is why I started this project. So, internetofdon.gs, in case you're wondering, .GS is South Sandwich Islands. So, I mean, so I had actually inquired with some friends that do issue CVEs. There's a big thing with, like, IoT stuff. They don't know how to issue a CVE for some of it because it's, you know, using other project software, but, you know, it's only for this device, it's configuration. So, I was like, it's great. So, I'm doing Dong Vulnerability Exposure IDs. Mostly for my own sanity, when I was submitting things, it would be like a half a dozen things that I wanted to make sure that none of them were forgotten. So, having, you know, an identifier helped. But also the reports, you know, you can actually start seeing what sort of issues are happening. I've already helped a number of vendors build vulnerability disclosure and management programs. Because if somebody finds something, why the hell aren't you just making it easy to report? They're giving you free work. Like, you know, makes sense.
Again, non-judgmental, just want to see, have people, you know, use these things privately and securely. So, the vast majority of these are Bluetooth. Bluetooth LE is about the only Wi-Fi one. They pair it to a smartphone or a tablet for local control, but also as a gateway for remote control via the internet. A few have some desktop applications as well. XMPP is a very common control channel on these, provides, you know, text chat functions as well. But they'll also do text, audio and video chat. Like, they're full-fledged, you know, video teleconferencing and teledildonics suites. So, lots of interesting attack surfaces there when you think about it between the text, the audio and the video. Almost always there's some sort of interaction with a company server for brokering the connection or, you know, finding each other or something. But, you know, it's trying to convince vendors, it's like you need to be as hands-off as you can possibly be. Because, yes, it might be easier to do things this way where you tag unique identifiers to everybody, but no, that's where things get weird. So, the more hands-off you can be, the better. This is basics. Yeah, we're all pretty familiar with how this sort of thing should work. So, so far 27 vulnerabilities reported. 17 fixed, though I haven't checked in the last week. Four complete or partial user databases. Two complete remote hijacks. One set of GPS locations for all users that were online at the time. I've got eight vendors that are on board with doing vulnerability disclosure programs. I'm helping them basically to realize, hey, you're a software company now, whether you want to be or not, you're going to have to do certain things. Four of which I consider a trusted partner level, which means that they have a very good and well-established vulnerability disclosure program. They're being proactive and just fully embracing the idea that, okay, we need to be secure.
22 test devices in this lovely hand-cut foam case, which is really fun as carry-on. One corporate sponsor and a very confused mother. So, yes, we were supported by Pornhub. Wait, you're all familiar with it? I thought it was just some obscure little site. Drunken email to their marketing people saying, hey, here's the project. We're going to buy some of these devices. They're expensive. Can you help somehow? Immediately got a reply, yeah, we're on board. We love this. Originally they were trying to get some of the vendors to send in free stuff. Eventually just settled on, here's a big pile of cash. So, yes, I got a bank transfer from Pornhub for keeping my clothes on. That just seems weird. Again, try explaining that one to your mother. This is really weird research. I'm generally not embarrassed or shocked or anything like that. But still, it's the things you see. You know, it's not necessarily for the timid because people have some interesting fetishes. There are people who like the idea of a random anonymous person on the internet controlling their vibrator. But that's, you know, informed consent. You know, that's your thing. But the vulnerabilities you find are just shocking. So, not everyone knows how to do SSL, if they're using it at all. User information, personal information disclosure, partner disclosure, GPS permissions, blah, blah, blah. Almost, I'd say at least half, if they're doing SSL, use AllowAllHostnameVerifier, which basically turns off SSL certificate checking. So you can stick any certificate in there for easy man-in-the-middle. So why did you implement SSL in the first place? You just turned it off, basically. A lot of these devices, when you think about it, you know, a spouse traveling for work or something. You know, they're probably using them in hotels, which are shared networks a lot of times. So I don't know if anybody here has ever done sniffing on wireless networks, but it's amazing what other people will be doing.
It's amazing how many people watch porn in airports. Yeah. User enumeration, I found variations of this where you could basically find out if a certain email address has an account there for whatever purpose. So it's Lovense. You could basically do a simple query and it would just come back with true or false. No authentication, no tokens required, no nothing. Like, anyone anywhere on the internet can just do a request and, you know, it comes back with true or false. So I took my personal address book of about 275 addresses and ran that through, just as a proof of concept. I have some friends with some surprising interests. I didn't know. But it shows, you can find out things about people that maybe they don't want to share. So one of them was a friend doing Bluetooth research who had some of the Lovense devices. He didn't know about my project, so it was really funny to email him and say, dude, why do you have these? He's like, holy shit, you know, that I was able to find this. I ramped it up with the Madison dump, dumped all the government addresses I could find. You know, query about enough damage to their lives. I'm not going to disclose anything, but there was a handful of trues from very interesting places. Oh my God. The app has a search function for finding potential partners. If you do some of them, if you have a privacy bit set for public, you could do a partial username search and you'd come up in the list. If you had the privacy bit set to private, you had to know their username, and that's the only way you could connect. But in the GUI, it limited you to, I believe, three characters as the minimum, but only through the GUI. If you did the query directly, single characters, which means A through Z, 0 through 9, you now have all the public ones.
Lots of interesting information there, but it got worse because my Padawan, a student I'm mentoring, figured out that you just throw a couple of double quotes in and, yeah, you click and it's like, oh, this is taking a while. This is a 32 meg JSON reply of everything. Private or not. Like, the whole bloody database. 50,000 users, here's everything. Of course, it also included the URL for all the profile photos and I made the mistake of downloading all of them. I have now got more dick pics than I know what to do with. Some apps are more social. They have ways to find new friends. Sometimes the server provides more info. Like, you can post, so you can post a vibration pattern and do so anonymously, but in the return from the server it still includes the user's email address. So you're not helping. An anonymous user name now has its associated email disclosed to others for hijacking purposes. But think about this. Things like cam model sites. The potential for stalking and harassment, if information is disclosed about their location or their private details. That's scary. Partner disclosure. Larry Pesce, DEF CON 22, showed this one. Didn't report it at the time, the bastard. But it has been reported and fixed now, where he was basically able to query for a username or a vagina and it would respond with your partner's nickname. Hacks are the matrix. Yeah. So you could tell and build social graphs of who was connected to who because you could connect to multiple people over time and it would still report over time. Skip that one because we're running short on time. Yeah. I'll let you figure out what that's about. Embedded API keys. They're always fun. I have one that has left their admin MailChimp API key in the app unobfuscated. Full access to their marketing mail lists, user subscriber lists and everything, so you can query all that and send mail as them if you really wanted to. They're not replying to my emails.
I may have to send an email to them from themselves or drop a 0-day. So it's all good for a reason. Some of this is funny but there are serious concerns. Screen privacy should be in all IoT, especially these devices. As you've seen, this is just a quick few examples. There's a lot more where they're not. This industry literally does not know what they don't know. They have been hardware manufacturers of manually operated devices until very recently. They don't have people like us around to say, hey, that's not a good idea. They just are never interacting with us. So I'm trying to build some bridges to wake them up to the reality, and when you hand them their 50,000 user database on a silver platter you have their undivided attention. Yes, this means I have a bag full of sex toys to travel with, but for me this is a serious issue and the difference between screwing around and science is writing it down. Basically several of the vendors that I'd helped have actually approached me wanting to start some sort of trade group or consortium or something like that to adopt a voluntary privacy and security set of standards that they then would adhere to through, like, a third party audit or some sort of transparency report to basically say, hey, we take security seriously, here's how we take it seriously. Full disclosures and having vulnerability disclosure programs. It makes consumers aware, yes there are risks, yes we are dealing with them. It's not just, you know, ignoring them or anything like that. Still trying to figure that out, I don't know if it's going to be a seal of approval on the box, you know, you can see my face on their gang. It's secured, no. Still ways off, still trying to figure out how to do it because I have no idea what I'm doing with this project. It's a new area for me. There's other things like, you know, Google Play and the App Store, they will ban adult apps for random reasons. Well then that means you break the update cycle.
So yes, the manufacturer may fix an issue, but it's not getting pushed out. So you have to, people have to sideload apps and stuff like that, so you're making them turn off security. That's dumb. Data collection from users in places where sex toys are illegal. I believe in one of the southern states, it is still illegal. I believe Texas. It is illegal to own more than six sex toys, so I won't be going to Texas anytime soon. But, you know, you can see how data harvesting might be an issue. Physical harm, as we found out with Samsung, you know, lithium ion batteries burst into flames. Considering where these things are generally put, that would make your day suck. And I'm waiting for things like the first divorce case to cite, you know, oh yeah, the guy's remote vibrator app was connected to a secretary's device, not his wife's, you know, like that sort of thing. Anyways, hope I convinced you that there are some serious issues here. Because they're not regulated like medical devices, there are no standards or anything like that. So as the public, we have to hold them to set standards. Get over the discomfort. These are the exact same chips that are in so many fridges and children's toys and everything like that. It's just different packaging. I can't help to educate people and say, hey, guys, let's raise the bar. If you're interested in this, I will be around. I'm trying to organize a hackadong, probably in the IoT Village so, you know, people can start taking apart apps and give you some help there. If you're good at policy writing and stuff like that, I could really use some help for the voluntary framework. Buy me a beer so I can wipe away some of the memories of the things I've seen. I also have a Patreon to just offset the few op costs we have for, like, server time and software and that. Alright, cool. Thank you.
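As an added illustration that is not part of the talk or any vendor's code: a Python model of two of the server-side failures described above (the partner-search endpoint whose three-character minimum lived only in the GUI and which dumped every profile, private or not, on a quoted empty query; and the anonymous vibration-pattern post whose response echoed the poster's email), each beside a hardened version that validates on the server and whitelists response fields. All user records, field names and function names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    public: bool  # the "privacy bit" the talk describes


# Constructed sample user store for the example; not real users or real data.
USERS = [
    User("alice_a", "alice@example.test", public=True),
    User("alpha_b", "alpha@example.test", public=True),
    User("andrew_c", "andrew@example.test", public=False),
    User("bob_d", "bob@example.test", public=True),
]

MIN_QUERY_LEN = 3  # the minimum the talk says the GUI, and only the GUI, enforced
USERNAME_RE = re.compile(r"[A-Za-z0-9_]+")


def to_public_view(u: User) -> dict:
    """Whitelist the fields any caller may see; the email never leaves the server."""
    return {"username": u.username}


def search_leaky(query: str) -> list[dict]:
    """The pattern from the talk: no server-side length check, the privacy bit is
    ignored, and whole records (email included) are serialised into the reply.
    Stripping quotes turns '""' into '', which is a substring of every username."""
    q = query.strip('"')
    return [vars(u) for u in USERS if q in u.username]


def search_hardened(query: str) -> list[dict]:
    """Same endpoint with the checks moved to where they belong: the server."""
    # Validate the raw input before any normalisation, so quoting tricks and
    # empty matches are rejected outright rather than massaged into a wildcard.
    if not isinstance(query, str) or not USERNAME_RE.fullmatch(query):
        raise ValueError("query must contain only username characters")
    if len(query) < MIN_QUERY_LEN:
        raise ValueError(f"query must be at least {MIN_QUERY_LEN} characters")
    hits = []
    for u in USERS:
        # Public profiles are discoverable by partial match; private profiles
        # only when the caller already knows the exact username.
        if (u.public and query in u.username) or (not u.public and query == u.username):
            hits.append(to_public_view(u))
    return hits


def rejected(query: str) -> bool:
    """True when the hardened endpoint refuses the query (used by the checks)."""
    try:
        search_hardened(query)
    except ValueError:
        return True
    return False


def post_pattern_leaky(pattern: str, author: User) -> dict:
    """The anonymous-post response the talk describes: labelled anonymous, but
    the serialised author record, email and all, rides along."""
    return {"pattern": pattern, "anonymous": True, "author": vars(author)}


def post_pattern_hardened(pattern: str, author: User, anonymous: bool) -> dict:
    """Emit only what the poster chose to reveal, and only whitelisted fields."""
    resp = {"pattern": pattern, "anonymous": anonymous}
    if not anonymous:
        resp["author"] = to_public_view(author)
    return resp


def leaks_email(resp: dict) -> bool:
    """Check a serialised response for an email field anywhere in it."""
    return "email" in str(resp)
```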