Good morning. How are you doing? Sorry about that. We're having some dildo issues. It's a common problem doing talks like this. Thanks for coming. I think the first thing I want to say is this talk is definitely not suitable for children, so if there are any juniors in the room, now would be a really good time to go. Otherwise, frankly, all bets are off because it gets really rude really quickly. Now, there's definitely also a health warning on this talk, so please, if you'd like to be offended, cover your eyes, cover your ears, leave. With that in mind, let's go and learn some stuff. This talk comes in two parts. There's a part that starts which is most definitely suitable for work and then there's part two which really isn't. So anyway, let's move on. I want to start with looking at the security of digital video recorders for your CCTV. The reason for this will become clear as we progress. We're going to be showing you some live hardware hacking, some reverse engineering. All these techniques will become really useful as we progress into slightly less savoury devices. It's probably the way to go. Now, we started off looking at digital video recorders some 18 months ago. We started looking initially at an MVPower DVR which records the footage from your CCTV system you put up at home. This is an amazing device. It port forwards using UPnP by default so it opens up port 80 inbound from the public internet. No Telnet though, but bear in mind this is before we started hearing of Mirai. This is pretty creepy actually. You can start looking for them quite easily, find them on Shodan. At the time we found 44,000 of them pretty straightforward. And it was pretty bad. Andrew, tell me a little bit more about that web interface. So the web interface had authentication on it, but it was really broken. All it did is it set two cookies, password and username, but it didn't care what the values were in there. Any value.
So the username could be not my username and not my password and you're into it. So at that point you can view the footage through the web without the username and password. This is already quite bad, but it got even worse. Once we got access to the firmware on it we found there was this particular command shell and then you should put command after it and you're running commands as root on the DVR through the web, 44,000 of them. Yeah, that's really quite bad. We've got no idea why that would be in there. But then it kind of got worse, not from a kind of owning the box kind of way, but a privacy aspect. Within the firmware we found that the device every three seconds was taking a still of channel one of the camera and emailing it to this email address. So the guy got in contact with us and he said, oh, this is pre-production. It was never meant to be released. So we sent him frame by frame, Rickrolled him with a kids TV series, about 44,000 frames I think it was. It was good fun. He wasn't really into disclosure until we Rickrolled him, but there we go, now we're in a good place. Now that got us into DVRs and then 12 months ago we started to see Mirai and we saw the big effect as Brian Krebs' website was DDoSed. People started looking at it. The source code was released and there was some amazing work done by Brian Krebs and lots of other security researchers looking at the source code, found some really, really cool stuff. However, once the source code was taken apart there were 63 sets of default root Telnet credentials discovered and an effort was made to try and attribute those and pick up the particular devices in question. Now I think what people did is they compared the default credentials they found with lists of known default credential sets and tried to match them up and a lot of devices were misattributed.
Now we went through the list and we went through with our knowledge of DVRs and started looking at all these and discovered actually Mirai, the original Mirai was just about DVRs and IP cameras. Now the IP cameras it affected happened to have DVR functionality. So they were running a DVR helper process and that's what was causing the problems. So the initial disclosures you saw about Mirai affecting VoIP phones, routers, printers, it was wrong. It was all about DVRs and that's where we started getting interested. So we wanted to see what more we could do. So Mirai, beautifully, beautifully simple just using root Telnet credentials. We wanted to know a bit more. See what Mirai had missed along the way. It was simple, it was brilliant, but what else could we find there? So we bought over 30 different DVRs, lots and lots of them and started reverse engineering them, pulling the hardware apart, looking at the firmware, seeing what bugs Mirai had missed. We found loads and loads of vulnerabilities. We found lots of DVRs that no one knew could be part of Mirai. We found additional Telnet credentials that you could add to the list of 63 known credentials. We discovered one vendor, they'd done brilliant things. They'd taken the Telnet port and moved it to port one, two, three, two, three, get in. And then we also found a way to make Mirai persist to blow up beyond the power of reboot. But the problem is, whilst you could use it to fix Mirai and heal Mirai from infected DVRs remotely, by publishing a route to persistence, we felt that would probably result in worse problems. So we're not going to disclose that, I'm afraid. What we are going to also talk about is how you can use a shell on Telnet, there's a shell on other ports. We're going to show you directory traversal and we're going to finish up with remote command injection as well. So there's all sorts of really crazy vulnerabilities in these DVRs. The first one we found, this made me laugh, is XM, that's Xiongmai.
The XM remote control application's called XMI. And you can log into it using a daily changing SU password that's supposed to be kept private, but a Nigerian CCTV installer put it on his LinkedIn profile. That was kind of a bad day. So you just need to know that and you've got root on the DVR. Other crazy things. So a bunch of DVRs that no one had tagged as being attributed to Mirai, so we had Floureons, Lilins, Lorex, FLIR, big brand, Night Watcher, QVis, Home Guard and a bunch of others I'm not going to talk about. We found a load of other vulnerabilities too and also a rather interesting shell. Andrew, I think it's time for you to have a go now. Yeah, so I'll show you how we actually reverse these DVRs. What I'm going to do is I'm going to switch you to this camera that's looking at one of the DVRs we've got here. So there's a common factor in nearly all of these Mirai vulnerable DVRs and that's they run a chip made by a company called HiSilicon. So that's the main processor set here. The board, if you flip it over, it's got an SPI flash chip on the other side so you can see this chip here. That's where it stores the firmware. It's also got a serial console on it, which you can see these three wires connected to there. It's kind of a very typical piece of embedded hardware. Now to get the firmware off it, there were a number of different ways and it depends on how well protected the devices were. Some of them it was as simple as connecting to the serial port. Unfortunately this one isn't. So what we had to do is we had to use a technique to break out of U-Boot and dump the memory that way. I'll just show you how it works. It's pretty easy to do. So if we jump through to a console, what you can see on the screen here is I've booted the device and this serial console showing me what it's spitting out. And you can see at the bottom there it says uncompressing Linux and you don't get a console into Linux. So we can't do anything at that point.
There's no way of me interacting with the device. But we can actually break out of this, get into U-Boot which is the boot loader and then dump the memory really, really quickly and easily. And the technique we're going to use to do that, thanks for moving the dildo, the technique we're going to use for that's called glitching. And all we do when we're glitching is we just short one of the data pins from the memory to ground. And the reason that we do that is it stops the memory chip being read. And if you stop the memory chip being read at exactly the right moment in time, U-Boot will stop because it can't load the kernel and you get access to the console. Now the timing of this is a touch sensitive. So it may not work, but let's see what happens. So I've power cycled it and you're starting to get output and I'm going to short the pin now. And you can see instead of getting that uncompressing Linux, it now says HiSilicon and hash. We can type question mark to get the help come up and we get this big long list of commands. Now if we want to dump the memory off the device for U-Boot, this is painfully slow but it nearly always works. MD is memory display. So we do MD zero, that's the base address in 100. I hit go and we're dumping the memory as ASCII to the screen. So all we need to do now is capture that into a file and there's a little Python script that takes that file because you've got all that fluff that we don't need and then it puts it into a binary file. It takes about nine hours for a 16 meg chip because you've got a slow connection all this but it gives us access to the firmware. Once we've got access to the firmware, we can unpack it, we can see what the hash password is and we can crack that and get access to the device. So we started looking at this in more detail. So what I'm going to do is I'm just going to reboot it again. And this does take a second. So we're just going to get it back up and running.
And we found quite quickly it was running Telnet, it was running a web interface, it was running RTSP for the video and a few other bits and bobs. We've got the Telnet password. It was literally sat there in the Mirai creds. So it's root XC3511. Just give this a minute to boot, when it beeps, it will be done. I should make polite conversation now, shouldn't I? So it does take a second to come back up again. Once it beeps, there we go. So now I can log in as root XC3511 and we've got a root shell on this device. So it's just Telnet straight into it. They don't document it. I mean, people don't Telnet into their DVRs. You can't modify the file system. There's nothing useful you can do but it lets us examine how it works. So what we found was a lot of vendors, when they found out about Mirai, shut Telnet off. That sounds like a good idea, doesn't it? Telnet should just go. So they'd stop running Telnet. But the device has also got another port open on it which is 9527. So 9527 and we've got this quite curious console here. Now it's asking for a username and a password and it's not the root XC3511 that we saw before. It's the username and password that the user sets for the web interface which is going to be admin and blank by default. So on nearly all of these devices admin and blank and we've now got this kind of test console on the device. Again, we type shell and then we've got access to run commands as we want. So we just cat /etc/passwd. So again, even if they shut Telnet, we've got this other route into the device and you can't close this port off on this device. It doesn't have iptables so you can't firewall it and this is part of the big binary that runs on it. So the question is how would we get that password if someone had changed it? Well, it gets even better because this thing has got unauthenticated directory traversal allowing us to access all of the files on the device. So I'm just going to jump through to here.
So it stores your hashed password for the web interface and of course, just with a simple GET request with a couple of dot dots there. Give that a second. It runs a little bit slowly and there at the bottom there, you've got the admin password hashed and dumped. So this is absolutely and completely broken. There's just so much wrong with it. But still even deeper it gets worse. So via the web interface, how many are exposed to these? Hundreds of thousands. Yeah, I think we clocked about 720,000 on Shodan. It has unauthenticated buffer overflow via the web interface. So at the moment we can ping it, we can do what we want, but we simply make a request with a long string and initially we thought this was just going to be, this was just going to be a denial of service, but it turns out that you can use it for remote code execution as well. So we're just going to telnet into the device just so we can monitor what's going on. So I run PS and you can see there's two processes there. DVR Helper and Sofia. This is a huge binary. It does that port 9527. It does the web interface. It processes the video. It does face detection. All in one binary, one monolithic mass. So by just sending this GET request like that, we come back here, run PS again and you can see that Sofia's vanished. So now your CCTV DVR has stopped recording. So just by exposing it to the web it's died. We've also got control of the program counter. Of course they've not turned on ASLR or anything like that, so it's not particularly hard to exploit that. There are a couple of quirks. But yeah, all in all, these devices are absolutely ruined. They are terrible. So we've got remote code execution on nearly three quarters of a million DVRs on the public internet. If you thought Mirai was bad in the first place, this is just terrible. It also made me chuckle. You can also restart the Telnet daemon through the console 9527.
So even vendors that have fixed the firmware and disabled Telnet, you can re-enable it and start Mirai all over again. This is just nuts. So all of the chips are made by a company called HiSilicon and it's really difficult to write all of the code that processes video, does face detection and so on. So there's a company that we mentioned earlier called Xiongmai and what they do is they produce these binaries but people want to put their own logos on to it and things like that. So what they do is they have this tool called Makepack and we found this wiki completely open to the internet and it allows you to do these things like change the logo, change passwords and so on. So this kind of pulled everything together and told us why we found 30, 40 different DVRs that had exactly the same vulnerability on it. So what we're using, on every single one of these we've looked at so far, they've had this same message. So if you go to the IP of it and you type in er.htm, all of them have this message. The machine is suspected to be using a pirated program of Xiongmai. So we don't know, has anyone actually bought this software or are these big names actually pirating the software? We've just got no idea. Just to point out there, so we saw when Andrew made the request, he was looking at the ASCII representation of hex of capital A is 41. And there we go, GDB, scrape memory and there we see everything's overflowing. Fantastic. Control the program counter and we've got code execution. Get in. We've got absolutely no idea what this thing is. This is another one of their apps called Look at the Mail and we really don't know what it's for. We have no idea. Anyway, moving on a bit. What we took from this is that Mirai was beautifully simple. It was amazing that such a simple root Telnet credential issue could take down very large websites. But what got us was the fact that because it was so simple a lot of other really important vulnerabilities were missed.
So what we tried to do is try and fill those holes. Now Xiongmai fixed the initial problem, but they didn't fix it properly. So it's very easy just to recreate Mirai over again. There's a huge botnet that's got potential to be exploited out there right now. It's not good. It's really quite nasty. All right, we're going to move on now. If anyone isn't comfortable with what we're about to talk about, we are going to be talking about adult toys. So if you're not comfortable with that, please don't. Please just leave the room. Anyway, we're going to move on. This is going to explain to you why my Amazon recommendations are absolutely screwed. If you buy adult toys on Amazon, you get some really weird recommendations. Some other things that we learned as well. Yeah, we're going to show you how you can do stuff that we showed you on DVRs to get a shell on a dildo. Anyway, now what I will say as security researchers, this is the first time we've really done any work on adult toys. And there are a couple of really important things that we learned along the way. The first problem is that if you publish security research on your website, you get a lot of hits. We got 77,000 hits on our blog in an hour, and we accidentally DoSed our own website with a computer. One of the other issues as well is that when you're blogging about stories that involve this, the way that Twitter will pick up the first image from a link that you embed, so if you post a blog, I think actually it was Motherboard Vice published this. And Twitter picked up the wrong image from their blog, so Motherboard Vice tweeted a picture of a woman's cervix, which was kind of bad. You need to be really careful when you're blogging. This is the whole area of what's known as teledildonics, which was coined about 40 years ago. The idea of augmented reality using smart toys to improve experiences. It's a scary place. And I'll start at the very beginning with a story we published a couple of years ago.
This is the Lovense Nora. The idea is you have a smart app. It connects the app over Bluetooth and then whoever you want to connect to has one of these and maybe the other ones. And then you can have a remote control video session and people can control your toy and vice versa. I didn't realize you can actually have group sessions as well. So wow, okay. Do you want to just throw up the APK, Andrew? We started having a bit of a poke around, having a play, see what we could find with it. The first thing we discovered that it can render stills from your video feed and when it goes through the process of rendering from a bitmap to a JPEG, it creates a temporary image and writes that's a really, really bad place to put temporary image files. Yeah, that's not so good. The other issue we found this isn't really so much of a problem. We found a lot of pairing issues with all of these smart sex toys we looked at. It has a default Bluetooth PIN of four zeros. The good news is though, it's only in a pairable state for about a minute after you power on. So yes, you could in theory take remote control of someone's sex toy over Bluetooth, but it's probably a little impractical to do so. I also want to tell you about a story. A new guy started with us three weeks ago now. And one of my colleagues was working on one of the smart sex toys. He was working on close up, taking the hardware off, getting the firmware out of it. And he turns around and out loud in the office goes, oh, I've got a smart butt plug. At which point, everything goes very, very quiet. Everyone turns and looks at him and says, Alex, is this something you want to share with us? Oh no, no, I've got it for research. Really? Okay. He actually shared it with us as well. This is it. This is not one we bought. We've got his butt plug anyway. So most of the toys that we look at had pairing issues with Bluetooth.
Now if we think about the risk profile, I don't think it's particularly significant because they're generally local RF attacks. So you've got to be physically within RF range of somebody. So I don't think these are particularly significant, but it's still worth pointing out. You can actually take over and hijack someone's butt plug because the pairing process is a bit screwed. It just pairs without a PIN. So if anyone's within Bluetooth range, you can hijack their butt plug. It's also worth noting, we found another bug as well. Within the FAQ the vendors often state that we encrypt everything, it's supposed to be secured, it's great, and that gives you lots of confidence. Unfortunately, that bug was in plain text, which wasn't so good. So it was being stored and processed in a way that really wasn't very good. Now we disclosed this to Lovense and we did it privately and they came back and said some stuff. But what's really weird is they've got a new version of the app, which is called BodyChat, which does SSL, it's really secure, it's really good. It's only some old users of the app that have this problem, the old wearables app. I don't understand why they don't just pull the old weird. Very, very odd discussion. We've still got some stuff to work on, the next thing we want to do is pull the firmware off the butt plug. Unfortunately Alex says he wants it back. Okay, fair enough. He doesn't know where that's been in the last couple of days. Anyway. It's also worthwhile noting as well, if you want to do some research on anything that's smart, go and use the FCC website because you can pull internal photographs and get the chipsets from them, it's really good. So on that one we found the TX and RX was really straightforward to use. It saves you a lot of time when you're reverse engineering because you don't have to buy the product first. You can go and use the FCC website and it's all on there for you.
So this afternoon we might have a bit of a go at this and see what we can do, see if we can pull the firmware off it. Another piece of research. This wasn't us. This is a guy called Alberto Segura. He published it three weeks ago. We had no idea it was going out there. It was published a day before we did a talk about this. There is also a new version of this, the cam girl version, which is interesting. He looked at the Chrome plugin that the user is supposed to use and discovered a bunch of security flaws. It was also really dodgy the way that you actually installed it. So this is absolutely brilliant. On the Lovense website, what they actually recommend is you download their own build of Chromium with the plugin built into it. It's unsigned and you need to turn off your antivirus to install it. Now this doesn't, the one piece of software on your computer you want to be signed and secure is your browser. And yet you don't want to use it. Now what Alberto found is that there is XSS all over the place and also you've got the ability to take remote control using the API of someone's sex toy. And you can also carry out denial of service attacks so you can knock the cam girl offline. But you have to know their email address, which is going to be pretty tough to find, right? Except their API has got a call that allows you to enumerate their email address and enumerate whether they're a cam girl or not. Wow. How useful is that? You can also take control of the device through the API again. All you have to know is the email address of the user, I believe. Some research that was published last year. You might remember We-Vibe that did a main stage talk in DEF CON. There was a researcher called follower and another one called goldfisk did a really cool reverse on We-Vibe and found all sorts of issues to do with the way that the We-Vibe device was collecting excessive information.
And what was really interesting is over the last couple of months, I believe the settlement was for 3.7 million Canadian, which was used to compensate users. They've just been taking too much data. But what freaked me out, if you can pop the slides up. We had a look. So this is an organization, a business that's just been taken to task over excessive data collection. And we had a quick look at the permissions on the Android app and even today it's still collecting network based location. Wow. What do you have to do to convince people? They've just settled out of court. Yet they're still collecting location data. Why? That's crazy. Another device we found, this is the Lelo, which is over here. A stimulator and again, complete lack of pairing security, which isn't so good. We're going to be having a go at the controller later today. It uses JTAG Spy-Bi-Wire. Nice and easy to use. You can get the screenshots from FCC. You'll see there's the link, so we've got a good chance of getting the firmware off there. This is a bit odd. This is a Kiiroo Onyx. This is a Fleshlight. We've borrowed from my bag. I'm sure you'll know what these things do. And actually not too bad. We didn't find too much wrong with it, although we did discover that the pairing link, so if you share this link with somebody else, this is how you can set up a session. The link never expires like that. Yeah, we won't go into that. What are the issues here? We've got a pairing PIN problem. Again, it's really low risk. Actually, I'm more worried about that link. It doesn't expire. That's not good. What I want to point out with all this is that there is not much in the term, not much in terms of interactivity with the toy. This is good. Because if there aren't many sensors, there isn't much data gathering going on. Because it means that compromise of these devices isn't that significant. It's not involving anything more than is it buzzing, is it not, how is it buzzing? So that's not so serious.
But as I'm sure you've seen from recent media coverage, smart sex dolls are on their way. This is one from a company called RealDoll. Again, we've got jaws, ears, eyes, all collecting much more data. Now, I have to say, it does a great job of it when we start to see sex dolls. Will they become sentient? Will they actually realize what's about to come? If you saw this, the security robot that committed suicide, I think the sex dolls are probably going to do something very similar where they realize what's coming, don't you think? So I want to move on to now, which is a story we published about three, four months ago, which was the first sex toy we found with interesting feedback, operator, camera, endoscope with stuff in the end. And it's really quite scary. We did a bunch of research on this and found a stack of quite worrying security holes. The first one is that it works over Wi-Fi, so all the rest of the toys generally have Bluetooth, this one is Wi-Fi. And unlike most IoT devices, which only act as an access point until you've configured it, this stays as an access point. And of course that means there's some interesting things that you can do as an access point. It shows up on WiGLE, so you can actually geolocate these devices. Now in fairness, we only found two and one of them, I think was in a sex shop in the Akihabara district of Tokyo. But yes, you can geolocate sex toys, which is just a bit freaky. Yeah, that makes me feel very uncomfortable. We also then started looking at the Android app and this is where things got really weird. Can you flick up the APK for us, please? So we pulled the APK apart and had a bit of a look and discovered that it had a lot of classes that dealt with a Sky Viper drone. And we realized after a while that actually what had been happening is it looks like the dildo manufacturer had simply used the code from a camera drone to control their dildo. And there are classes in there that deal with propeller speed. What?
It's just crazy. It's got a static pre-shared key so you can geolocate these. The key can't be changed as far as I know. The key is 8-8, which is just brilliant. I actually had a chat with the guys at Sky Viper who were quite surprised that code that they used in their drone was being reused in a dildo. I don't think they owned the IP on the code, which is why that happened, although their later drones, it's their own IP and they have control over it. So you also found within the APK hard-coded IP address, hard-coded port 192.168.11. Port 80. Andrew, would you like to see if you can open it up? Unfortunately it's rebooted. The worst thing about, well maybe not the worst thing about this, it reboots all the time. So we're just waiting for the AP to come on back up on it and then we'll show you how you kind of get onto it. So yeah, it's got default credentials of admin and blank to log into the web interface. So once you're on the Wi-Fi with all the data as you would normally and then you can start looking through the camera. It kind of gets more interesting though because we don't just want to control it as a normal device, we want to take it further and actually root the dildo. This is something I hadn't said until about six months ago, which is quite cool. Yeah, it's also worth noting because it works over Wi-Fi. Unlike the Bluetooth devices, which is a one-to-one pairing process, so if someone else is paired with it then, you know, there's one to many, so it's a Wi-Fi access point. So you can have multiple people join the access point concurrently. So even if the legitimate user is using it, someone else can jump onto it unauthenticated and take control. Has it come up yet? Yeah, it's come up. Oh, good. Great. Sorry, I don't know why I get so excited by doing this. Right, so if we bring it up like this, it might take a second with the web interface to start up. It's still waiting a little bit. Come on. Okay, we're connected to it.
Hopefully the web will come up. Come on. Never do live demos. Yeah, this is probably the least reliable live demo that we do. It's really, really fragile. Okay, let's move on. We'll come back to that. Oh, wait. Hang on, hang on. There we go. It's working. It's up. It's also very slow. It's very slow, yeah. So we're actually bringing up the IP camera interface. It is starting to that. We'll move on to the next slide and we'll keep on talking for a bit. There we go. So we can go to image stream mode. And we're now looking through the camera on the front of it. Which is great. Say hello. But yeah, there's loads and loads of functionality in here that we just wouldn't expect to see. So you go through here and you've got things like alarm settings. So it can actually be motion activated and then if it were connected to the internet it would allow you to send stills, which is just crazy. So as I said, we wanted to take that to a root shell. So what we always do with embedded devices is start looking for command injection. But unfortunately, we didn't have any way of getting output from this device. So what we thought we'd do is we'd rip it apart and start looking at it and getting the firmware off it. So we're going back to what we did with the DVR. But this time we're doing it with a dildo. I'm going to bring up the camera again so you can see. Now I think it'd be fair to say that my colleague Dave, never let him take your dildo apart. Because he's not very good at it. But taking it apart, what we see is we've got a very similar thing to a DVR. You've got a Wi-Fi SoC here on a little module. On the other side of the board we have that little chip there again that you can see. It's an SPI flash chip that we can read. So we pulled the firmware off it by clipping onto it and then we can inspect how the device operates. We also got on the side here a serial console. So again we can connect to it and see what happens.
And what we found with a lot of playing about was, within the record settings here, when you have recording enabled and you're saving it to an SMB share, as I often want to do with my dildo, you could put command injection here so you could just run commands on it. So at that point we were able to arbitrarily add users and do things like that and, of course, enable telnet on a dildo. Do you want to do it live? Yeah, so what we've done is we've kind of weaponised this. Well, weaponised is that maybe? That's not a great word, isn't it? Let's go a bit softer on that. I need to stop talking. So what we've done is we've scripted this and it's a simple Python script, and what it does is it adds a new user, we restart telnet, then we log into it and we can view the video. So let's give this a go and see if it works. So it's trying to turn on telnet. It does take a little while to do this, so what should we do while it's doing that? I think it took about two minutes last time, didn't it? Did it take two minutes? The other thing that's really freaky is the functionality you find, because they've essentially taken a consumer grade router, they've got loads of additional functionality in there. So it's got the function, for example, to do Skype, which I was a bit shocked about, and also deep in the web code we've found an IP address that it looks to be reporting back to. We can't prove it, we can't see it's actually working, but there are unusual characteristics in there which suggest... there you go. Once it's popped the shell it starts up this page that dumps loads of other information, so we've got a video stream, and if we jump back on to where I was running the Python there, we've now got a root shell on the dildo, which is absolutely brilliant. I mean, can it get any better than that? Oh, careers, where are they going to go? Yeah, down the toilet, I think. So there you go, you can actually go for some of the code here and if you look through you'll see references, really?
There are references to Skype in here, we've found references to email addresses, we've found references to calls to unusual IP addresses in the Far East. This is all just a bit odd. Yeah, I found a way to go for it. Sorry. Should just be there on it? Yeah, it's just, oh no, it's not. So the point we're trying to make there is there's lots of really useful skills you can learn to do with hardware reverse engineering. What you use them for can sometimes be quite odd. We happened to choose an adult toy because it was interesting and different. We found code injection on it, we found you could re-enable telnet on it, just like we did with the Mirai worm, and also finally, once we've been into the firmware, we found the root password, which is recan4debug, which we did try to crack but we weren't going to get through that in time, were we? No. You want root? You can run our Python script if you wish. It's all there, it's all blogged as well, it's on the website too, there's a full write-up if you want to know how to do this. Disclosure was a train wreck, as it is with most adult toy vendors. We got no response from these guys. We did try reasonably hard, I think we probably could have tried harder, but we reached out to them on the email address that they published for contact and we got no response at all. I just want to leave you with a thought: why on earth would you put a camera in a dildo? Surely that's asking for trouble. It's just bizarre. I want to move on to the serious bit now, because I think we could be accused of being a bit puerile with some of these toys, but actually there is a very serious message behind all of this. Pornography is a very big business, and if you don't believe me go and see Emma Follmer's porn hub has. Toys are out there, people don't talk about it, but there are a lot of toys out there. This is a big area of business, a lot of these toys sell in big numbers, and I think we laugh about it, we're a bit surprised that these vulnerabilities exist, we're a bit surprised
that we're seeing vulnerabilities that we've seen resolved on mainstream devices 10 plus years ago. We're just a bit surprised and we feel a little uncomfortable, so we laugh. But I'm going to quote someone who says please stop laughing, and actually I think he's right. And that quote comes from Renderman, who runs the Internet of Dongs website, and he does a lot of really, really good stuff. We can all, as security researchers, help improve things in this market. I think we find disclosures often ignored, but you'll find that Renderman can help you reach out to vendors and help you to get in touch with them, help them to respond. Now just think about it for a minute. People have had very personal data stolen, very personal photographs stolen in other ways, maybe through Snapchat for example, and other things. That has driven people to commit terrible acts such as suicide. They've felt they've been extorted, they've been held to ransom over data, which is really scary. I think there should be an offence of online rape. I don't think the legal statutes in many territories actually consider this to be rape, but I think it is, and I think our lawmakers need to step up and I think they need to raise the bar so that if people do steal these images they can be prosecuted. It's very difficult to do. There are some really good people out there driving hard into this territory, trying to get the law to catch up, but it's scary and it's nasty and it's horrible, and people have died through similar instances. The conclusion for me was that IoT adult toys have got a long way to go in terms of security. We're seeing the basics are missing. It's not just missing pinning, it's missing SSL, it's enumeration, it's weak APIs, it's everything. But I think what we can all do to help improve the security of adult sex toys is, frankly, go screw up your Amazon recommendations just like I did. Go and get a toy, have a play with them, security flaws are disclose them, and help the industry up their game, so we see everyone have more
confidence in their adult toys. That's Andrew's Twitter handle, that's me, that's the company blog. We blog about stuff like this, hardware hacking, every day of the week. Go follow, you'll find it really interesting. Thanks very much. I hope you weren't too put off by it.