So to our next talk. Stand to relax, you know what that means: a glass of wine or Marta, your favorite easy chair, and of course a Wi-Fi enabled toy compromising your intimate moments. Barbara Wimmer, free author and journalist, will tell you more about the Internet of Fails: where IoT has gone wrong. Internet of Things, from the 34th Chaos Communication Congress, in the translation by Andre. And I've been one or two public stories and the book. Thanks.

(applause)

Hello everybody. Good evening. I'm waiting on my slides, that they come. Where are my slides? These are not my slides. Oh, thank you very much.

Welcome to the talk Internet of Fails, where IoT... It's a very negative title, and there are a lot of negative stories. In the coming hour, only negative things. But I don't want to talk only about the negative. A mistake is actually the beginning of a learning process, so that at the end of the talk we are talking about solutions and not just negative examples, so that we can learn something from it. This is perfect for the Congress motto "tuwat". Then we're supposed to do it together.

Most of you in this room will not know me, and why I'm talking about this topic, because that's probably what everybody asks me when I appear somewhere. Actually, I have worked as an IT journalist for 12 years, and I got in contact with the Internet of Things when I talked to the local Chaos team in Vienna, and they told me that there was the first refrigerator in Germany, a Frigidaire, that was mixed up with the Spabernas. And we all laughed at that time and thought it was funny, but at the same time we already
knew that it was coming up, which is why it was going to be a huge development, and from back then...

In the next 45 minutes I'm going to tell you a whole bunch of things about the Internet of Things and examples of fails, a collection of mistakes in security and privacy. We will not only talk about the problem but also the solutions, both for consumers and for IT developers. What I can't deliver is detailed IT security. I always mention the sources in my slides, and if you really want to know how it works, if you really go deep into it, then please contact the authors who are quoted everywhere. I'm just a journalist, I'm not in the details. That is why this talk is in the "Essex" session of the Congress and not in the security part, because I'm not a security specialist.

I want to start with a few numbers. They show pretty nicely the development of the Internet of Things. In 2016 there were 6.3 billion devices. This year we already had 8.3 billion. In 2020 we will have 20.4 billion connected devices out there. Those are numbers from Gartner. I have another slide with me, possibly from June. This slide shows that the development is actually expenses, so the growth is like hell. The expenses in 2017 were 17% above the previous year, and by 2021 global IoT spending is expected to reach about 1.4 trillion dollars; 1.4 billion dollars in 2020, if you are from Gaben.

If we ask ourselves, what is the IoT?
Some of you also expect that I'm only talking about the smart home. I'm not, because IoT is much more than the smart home. There are all these smart devices like light, media... But the thing that shows in the living room is not the main theme. The main theme is the connection of sex toys, home automation, cameras, digital assistants, wearables, so the things that you can wear.

I'll start with a few examples of the practical Internet of Things. Actually, a smart coffee machine. What is smart about a coffee machine? It doesn't get smart when you regulate your coffee machine by app; it won't be smart only because you can use an app. Your coffee machine is there, and there is a button to press on the machine. But if I connect my coffee machine with fitness and sleep trackers, then my coffee machine knows when I stand up and starts to brew coffee when I stand up. That is maybe cool, but that is also very dangerous, because you don't know if the data that is around there is safe.

So, what you all know: cars, probably, are controlled by the Internet of Things. That is a toy that was sold for 350 dollars, no, 350 euros, and this car can sit next to you and watch a movie with you, and it can also comment on the movie. That actually sounds pretty funny, and it is funny, but that means that it has a microphone, and it waits for the right words in the movie and then it makes comments. The microphone can only be activated through an app, with no physical buttons. Another thing is, when you get this gift for Christmas, for 350 euros, which is pretty expensive, then you can update it for 340 minutes before you can use it.

The next example, you are already laughing, I call it the internet of shit. You can't say anything else. It is a toilet IoT sensor, a sensor for the toilet. It is a small box that you put in the toilet, and this box has a sensor. These sensors then analyze the stool. These data are then sent to the cloud.
These things could be very helpful for people with chronic health problems, but it is designed for healthy people who are interested in a healthy diet, so they analyze their stool. It may sound a bit strange at the beginning, but these data can be collected and used for other things in the future. It is a perfect example for the internet of shit. But there is another Internet of Shit, that is a Twitter account with funny little stories. I am not behind it, but I tried to contact the person, and I never got through. They collect examples of the internet of shit. You can follow them if you are interested.

After I showed a few examples of the Internet of Things, I want to focus on the problem. As I said before, not everything is nice and comfortable. The problem is that most manufacturers of IoT devices just connect everything. Before they did that, they made manual devices. They had a lot of knowledge about the materials, the ergonomics and so on, but they didn't have the knowledge about IT security. And I found that out when I actually interviewed, for example, a manufacturer from Austria who has been making glues for many, many years, and who recently, in 2015, built connected glues. And when they did that, I asked them how big their IT security is, and one person said they actually didn't know what could really be important in the security field. They didn't know anything. The result is that these people make the mistakes that the high-tech industry made 15 years ago. They called 2000 and said they would like their lack of security back. And so we are there.

What are the classic problems?
First of all, hard-coded passwords, unsafe Bluetooth, permanent cloud servers. And from all these 20 billion devices there will be a lot of unsafe devices that exist: botnets and DDoS attacks. And the internet will also go into the books...

For those who don't know what a botnet is, I'm trying to make a short explanation about what I'm talking about. A botnet is a network of infected private computers, or with shared software, infected without the owner or the operator knowing, just like the spam sender. Like the ice-coaster: one such ice-coaster has 750,000 spams, unscaled. So a botnet has of course an owner who controls this botnet, and he can of course do DDoS attacks, that are distributed denial of service attacks. You just send so many requests to a certain website that other users can't reach it. That usually leads to a complete shutdown of this website. I'm not talking about any theoretical possibilities. That already existed, the biggest ever on the internet. Why?
It hit Twitter, Reddit, Spotify, PayPal and other big services. In 2016 it was Mirai. Mirai is a DDoS for... a structured provider was intact by zombie IoT devices, so called zombie IoT devices, one year ago. And a year ago... Mirai botnet infections are still widespread. That is a bit... the children have written it off here, so there are still some around, and not all of the devices are secure. There is an investigation and they say every botnet infection that is there is staying there for at least seven years. Unsecure devices can still get infected and stay there for another seven years. We should think about it as soon as possible and not wait until 2020.

Mirai was supposed to continue until 2017. DDoS attacks and similar attacks like Mirai happened in 2017. In 2017 there was a series of other distributed denial of service attacks, which was in November. There was a botnet attack, and a few days later exactly this attack was unleashed. So it happened in 2017. We also had a huge increase in DDoS attacks, 35% more DDoS attacks, and it's going to increase. In the first quarter, almost double the amount, with a 91% increase, and it will continue to increase. I have to drink some water.

Now we are coming back to an example. A beautiful example is a university which was attacked by its own vending machines and its smart bulbs, and in total 5000 IoT devices. And they didn't know what they were supposed to do, what they could do, to turn the whole university off, to make it part by part, because it wasn't complicated. And they only noticed because the students complained that the internet was so slow. Yes.

Then there was an aquarium that hacked a casino. Actually a fish tank in an American casino, because a fish tank, so an aquarium, had sensors that observed the temperature and the quality of the water so that the fish didn't die. And the sensors of course sent the data to a computer of this casino. The
sensors... So actually the cyber criminals, the attackers, could take over this computer and the sensors and sent it to their own server in Finland and collected a lot of data.

The next example, I don't know why, but it's my favourite example of the ones that I collected last year, because of the surveillance camera of a Dutch woman. She wanted to surveil her dog when she was out. Actually she only wanted to watch her dog when she wasn't home, and that's what the camera did. But when she was at home, she turned the camera around, and it permanently integrated her microphone. And one day it began to speak in Spanish, "hola senorita", and she fell out of a cloud, was totally destroyed. And she recorded it, because she thought that nobody would buy it if she didn't have proof. Actually she wanted to watch her dog and she was hacked. It was a very cheap camera, she bought it in the supermarket. In this case we don't know the name of the manufacturer.

Now we come from a cheap camera to a very high-tech camera. You can see it here. It's one that is built for, and used in, many companies. It was found out by a security company, SEC Consult, and they demonstrated how they could hack into this camera and how they made it possible that this camera, which is shown by a teaching room in a bank, so that the pictures of the teaching room are shown to me, that the bank could be robbed during that time. Of course it wasn't robbed, but it could be. That sounds almost like a scene from a movie, but that's a camera that is sold as a security camera, which of course is useless when it can be hacked. This camera had a hard-coded password, with all the words which were presented; it was caught after that was shared with it.

We come to another example, and that explains why this toy is here. Before this talk I was told that this is certainly your favorite toy and you brought it to protect yourself, and I laughed at that, because this is one of the most unsafe devices.
Before we come to this device, I will talk about connected toys. The German Stiftung Warentest did a study about connected toys. The people have tested different toys, and all the bears and other toys had big safety gaps; some were super critical and others were only critical. The problem with these toys was that they were using Bluetooth connections, and these Bluetooth connections are not protected by any form of password or PIN. That means someone who is close enough could talk to them.

In fact, there is this little unicorn that has an app with which you can send messages to the unicorn. What can it do? It can play messages, as a child, and to Dad. If you want to play the messages, the heart blinks. That means: here is a message for you. I don't know if it is the same that I mentioned, maybe it is not. So, sorry, this device has an app with which you can send these messages. It also has an interface for the children, and if you use the interface for the children, then you see advertisements, for example in the children's interface, advertisements for pornography and other stuff, which is not the best for the children. Stiftung Warentest also found out about the devices that the data also goes to third parties, and they were able to understand the behavior of the parents. That also happens with this toy. That means Stiftung Warentest recommends that a non-connected device would be a better choice.

Before I press the button, I talk a bit about Cayla. You probably already heard of Cayla. It is a very unsafe doll. It was even banned in Germany because it is a banned broadcasting station, and parents who do not destroy them will actually be punished. That does not help if you buy it in Austria or similar. That is the result of a campaign from Norway, hashtag Toyfail. That is a Norwegian organization that has looked at Cayla, and they went to the European Parliament to show them that unsafe toys create a lot of damage and how we should take
care to create toys. I brought you a video, and I hope we hear the audio too. No, you do not hear anything, but there are subtitles.

(video) That is Cayla and i-Que, internet connected toys. They are not as sorry as they look. They do not give... They go up unsafe with very simple steps. I can do it as a device with which I... Do not hear, you go far, I can go and it always scares. You still hear me? And this conversation with the kid, you put a company and they can do what they want. Those are the conditions you accept and you open, and they do the whole advertising with advertising analysis; that would be a tracker. They can at some point, when they want, they break up the law. Can I trust you? I do not know. Great mistake. We do not trust Cayla.

We do not trust Cayla and we do not trust the little unicorn. Perfect, I do not hear... Okay, somebody has hacked it. Somebody has already hacked it? Yes. Hello, hello, hello. But there is some time left, maybe. But you're all sitting too far away actually, and nobody brought your computer. So, trust this unicorn.

Why should you not trust this unicorn? The company is called CloudPets. There are cats and dogs and unicorns. It is a unicorn. And actually, now I am already talking a lot about this. Why I am telling you this: with this toy, a data breach, a data leak, was already... and data, two million voice messages, were published on the internet, this time for free. So otherwise, we don't know why, but the data was there. So that is also the reason why I brought this. The toy is always available and that can happen, and that shouldn't be for a child.

So there is actually a series of organizations that warn. The British "Which?" group did a study, the German Stiftung Warentest warns, the Austrian consumer information, the Norwegians, and the FBI, the American Federal Bureau of
Investigation. So consider if you really need a connected toy, for your child or for you, because here we come to the sex toys. Yes, this is a word game. An internet connected vibrator with a built-in web camera. It is not necessary to say a lot. I have to say nothing. It is actually a connected vibrator with an internet camera. Very, very, very unsafe. This camera is, like most, pretty insecure. So you can't say it is only the cheap stuff. No, no, no, not only the cheap dildos. There are the smart dildos, also the high-tech stuff, that are pretty insecure. They cost $250 and more, with a built-in web connected endoscope. That was tested by a UK security outfit, and they found a series of heavy security errors. The password is 8 times... if you forget to change that, more players than expected, you could look at more people than you actually have imagined.

Another example, actually in this story... go back one more time to this example. There is a very funny video on YouTube about this thing. If you want to look at it, I wanted to show it to you, but you can look at it: smart dildo.

Next example, a sex toy and an entrepreneur. The sex toy has added that they cut from their consumers and called it a small mistake. You see the icon. There was a vibrator with an app, and it controls and takes on every sound you make and stores it on your phone without you knowing. The company, the entrepreneur, said no information or data was sent to the servers of the company, these audio files only exist temporarily, and an update has fixed this bug. Allegedly. I just wanted to show how insecure such a sex toy could be. There are a lot of other examples out there. One of them you should be quite sure... not now, but after, after, after, please Google it or whatever. Or maybe Google "injection".
There is also a butt plug, if you know what that is. Yes, you could also search for this story. Butt plug.

I wanted to tell you a few other things. There is a project called the Internet of Dongs Project: Hacking Sex, for security and privacy. It is supported by Pornhub. They get money from Pornhub and they go there and buy their objects to do their research. Pornhub supports them. I talked to the guy who is behind this project, RenderMan. That is the website, by the way. He told me that at the time there are 15-20 people who are doing security research in their free time. They don't get any money and they don't want to get any money, but they are looking for more security experts who want to join the team. They also have a codex. One of the most important things he told me is that he doesn't want to go completely away from connected sex toys. He wants to make sure that we can all use them, if you want to use them, without any fear. You can contact him if you are interested.

Let's get to the other topic. You can see that we are changing from security to security and privacy, and now we are at privacy. That is Google Home. We know that there is also Amazon Echo. That is a digital assistant that is also a smart Internet of Things device. I will talk to you shortly about it. I am pretty sure that many people got something like that for Christmas. In fact, there was a big rise of digital assistants this year. In Q3 2016 there were only 900,000 devices like that, and in Q3 2017 we had more than 7.4 million of such devices. So there is a big rise, and I don't even have the numbers of Christmas time. You have seen it. Why do I want to talk about it? When you put these things at home, it can be very comfortable, because you don't have to look up the weather information, you don't have to read the e-mails.
You can make sure that it reads your e-mails, you can let it do the shopping lists and so on. But that is also the method by which it learns a lot about you, and the devices learn more and more information about you. This information doesn't stay in your own home, but goes to the Amazon and Google servers. And I probably don't need to tell you what Amazon and Google do with this data. Currently it's very valuable. They turn around and use it in various ways to monetize that information in the future; they sell it at some point or make money in other ways. All the voice commands that are made to Google or Alexa are sent to the internet and saved on their servers. But I don't know on which servers they are saved and for how long, and I looked for the terms and conditions, but I couldn't find it anywhere. Andrea Voßhoff, the data protection commissioner, said it's not clear where the information is collected or processed, nor how long it's saved. So if you still want to have these things at home, there's the physical mute button on it, and you can also change the settings so that the data that is collected is deleted. But of course you never know if it's actually done and if it's still in the backups. What is recording after this voice control? Amazon and Google claim that their devices only start recording after the voice command "Alexa". But both devices were hacked in the previous year. Those problems got fixed when I started, that the devices in your home were listening.

Now we come to the serious part of the day. What can we do against it? What can we do at all? The lack of security and the lack of privacy on the Internet, that's the status quo. There is an information asymmetry between consumers and manufacturers.
The manufacturers don't have to give any information about security and data security and how long it's going to be updated. You buy the device and you actually have no idea if it's going to be updated at all, how secure it is and if you're going to be sure of it or not. What do we need? I wrote a couple of things. We need a rating system. I took this from the Green MEP, the European parliamentarian, out of his program, because he has been sitting with this for so long and his ideas are very good. I also stole some of those suggestions from RenderMan from the internet, and I also stole some of the information from security experts I talked to. Some of you said that we should have a rating system where we have the security, like the energy labeling system, like the list of A to F that is on your fridge. So if it guarantees 5 years of security updates, then it will get an A rating, and if it doesn't guarantee it, it gets an F rating. Manufacturers should be forced to fix the failures, with email addresses: they should also get an email address where you can report it. One of the most difficult things is to find out who is responsible for it and who can handle it. What we still need is a unique offline mode for these electronic devices, as an airbag and seatbelt for the digital age. And it should also be a product attachment and a clear update policy. So there are also good examples. Actually, all of what I was talking about here is not existing at the time. But there is a kind of prescript, that is the GDPR, the General Data Protection Regulation, the EU rules for data protection, which come out in May 2018, and a few very helpful things come out of it.
So privacy by design: the things have to be designed so that they guarantee privacy, and they have to be set up by default so that they do that. And it also has to give more possibilities that the law can intervene. There are currently no law-abiding prescripts at all, and I can't force anyone into privacy by default. That's what the vendor does when he wants to, if it's not in the plan to integrate it. But some of them have already said no, we don't want to integrate that, we will wait so long until we are forced to do so. You don't need it. Ah, we don't need it, why should we do that? No. So that's why the law enforcement can... I'm sorry.

Max Schrems is an internet activist in Austria who has been on Facebook for two days now. He said that every new technology has a phase of enthusiasm; that's what it looks like. As a consumer, I can demand compensation, decisions for all data leaks that occur or any other diseases of data privacy. If four million people complain about a company and look at it for all four thousand euros, that will bring it back to you. That should be pretty expensive.

What can consumers do? So you can never complain about it yourself, but you can support organizations that help you to enforce your rights. For example, a new organization by Max Schrems, noyb.eu. You may have already seen that. I don't want to swear at a specific organization, but you should seriously think about supporting organizations that set up concerted actions and can go against them, so that it might go into law. Take a look at noyb.eu.

What else can you do? Always ask yourself, does this device really need an internet connection? You can't do much. Does this product really need an internet connection? What do we find about it on the internet? Sometimes clicktivism also helps. Sometimes you can use a lot of questions. Clicktivism is what you call it. Producers force you to do it, you make stupid decisions. Maybe you can take it back from the home, from the vacuum cleaner.
For example, the providers of vacuum cleaners sell the data that the vacuum cleaner collects in the apartments. That's why you could force them to do it. After the vacuum cleaner, the CEO has turned it around. Sometimes clicktivism can also help. You should always keep the basics of IT security in mind. You need to make updates, separate the network for the Internet of Things devices, use good passwords, support open hardware, support open software. Products where the data is stored locally are always a better option for privacy. Of course, you can also build your own devices.

What can developers do? You can support privacy by design, support security by design. You should think about it from the beginning, think about it and take over your responsibility. What can IT security do? You can make the manufacturers notice the problems. You can make Internet of Things security stronger. You report the security gaps, you publish your research, and you support the work of each other to have a stronger voice.

I'm coming to the end of my presentation and to the end of the topic. How many people have to be killed in the Internet of Dead Things before something happens? They compared it to the railway construction time period. There were many problems with problematic brakes and so on. It's also a comparison with the car industry. First, with the duty to do better with the duties, and that's why this person asks if we really have to kill a few people before something happens. He thinks, and unfortunately I also think, that will probably happen. That means security standards can't come early enough for the Internet of Things. And I agree with him completely, we need such standards very soon.

At the end of my presentation, if we still have some time, I would like to have the questions and suggestions. Otherwise, thank you very much for your attention.

(applause)

Thank you, Barbara. That was a cool talk. Please, if you have a question, go to the left and ask.
I see a question from the Internet, from the signal angels. The Internet wants to know: if these companies don't have IT security, what will it do to convince them more, as consumers?

What I said, I would contact them and ask them for standards. That could be the first step, to simply send them a little email, call them and signal to them that they are in need. And if you say, can you tell me, otherwise I won't buy a product... so connected to a real drug.

Any other questions? In this sense, a very warm round of applause. Thank you. Thank you.