And I have one last announcement before we begin this talk. This is a personal announcement to whoever slapped the sticker saying "for rectal use only" onto my microphone. Microphones are not supposed to be used this way. Please trust me, I am very familiar with microphones. I know how they are supposed to be used. However, our next speaker is going to tell you about things that are supposed to be used this way, and about how to secure and protect those things. So please welcome Werner and the talk you all came here to see, Internet of Dildos. A round of applause.

Okay, so hello everyone. My name is Werner. I am working for SEC Consult as an IT security consultant, and besides penetrating all the things at the SEC Consult Vulnerability Lab, I have been studying information security for the last five years at the University of Applied Sciences St. Pölten, back in Austria. And about a year ago, I was facing a massive challenge. Some people might know this challenge. This challenge was to select a proper topic for my master thesis. You might know there are always those predefined topics by the universities. Some of them are quite interesting. They are taken most of the time quite fast by all the other students, and you are left with the boring topics. And I thought to myself, yeah, I don't want to stress myself. I just want to define a topic by myself. And that was the challenge. So the first thing I did to get a better overview of the topics was to take a look at the topics my colleagues had chosen and create a word cloud out of that. So we have basically all the interesting topics there. We have Bitcoins. We have GDPR. We have cyber, cyber, cyber. We have DevOps, management, malware. But some of you might have already noticed it. There is one topic missing from my colleagues' theses, which is very, very important in the year 2018, and that's the Internet of Things. So I guess I don't have to explain here at the Congress what the Internet of Things is. 
It's basically the interconnection of all the devices which were analog a few years ago with each other and, even worse, over the Internet. And I thought, yeah, maybe I can combine the knowledge together at SEC Consult and conduct a penetration test in this Internet of Things. The problem here is still that there are like millions of products and I just have to write one thesis, so I had to select one subcategory in this Internet of Things to conduct the penetration test on. And of course the first thing which came to my mind were smart home devices. We already had a lot of interesting talks about smart home devices. There are like smart coffee machines, smart lawnmowers, light bulbs, thermometers and stuff like that. But this category has two problems. So first of all, there is already a lot of research done. And the other problem is the impact. So I don't want to downplay the vulnerabilities which were found there, but when there are vulnerabilities found, I mean, yeah, if there is a DDoS on your lawnmower, you can just go out to your garden and mow the lawn yourself. It's not that big of a deal. So I thought I have to select a subcategory where the impact is a little bit more critical. And I came up with the following devices. So for example, dolls, smart dolls, there was this doll Cayla. Some of you might know it. Someone found out that it has a built-in microphone and the data was sent to some dubious service in some dubious countries and it was even declared as an illegal telecommunication device. It had to be destroyed. Or there is a lot of interesting research on baby monitors. A colleague of mine wrote a very interesting blog post. You should take a look at it. Or devices which affect our body. So for example, smart pacemakers. They were developed by St. Jude Medical. That's the biggest manufacturer of pacemakers in the world. And they built a pacemaker which is programmable via Bluetooth. 
But yeah, they forgot authentication, which is quite a big problem when everyone is able to reprogram your pacemaker. So as we can see, in this category the impact would be quite critical. But there is, again, a lot of research done. So the deadline was coming closer and closer. I had to hand in some kind of topic for my master thesis. I was doing a lot of brainstorming with myself. And then suddenly it came to my mind. There is one category out there where the impact would be very critical. And there is not a lot of research done. And that's the Internet of Dildos. So that's basically the integration of sex toys into the Internet of Things, where we interconnect the dildos with each other and over the Internet. But before I'm going to show you what I found in this Internet of Dildos, we have to talk about history. Because you might think now that's something new, but that's not true. Because the Internet of Dildos, as we know it, has existed for about 50 to 60 years. And as always, when there are new inventions or interesting ideas, they first appear in movies. And that also applies to the Internet of Dildos. So those are quite old movies. We have, for example, Barbarella or Flash Gordon or Orgasmo. And in those movies, those are real movies, it's not a joke, the Internet of Dildos appeared first. So, for example, in Barbarella, the evil guy used a device called the Orgasmotron to cause such high levels of arousal in humanity as to kill people. So basically, the Internet of Dildos was in the 60s and 70s a weapon of mass destruction and not a weapon of mass pleasure as it should be. So, a few years later, a whole research area was formed. This research area is called Teledildonics. And that's also not a joke, again. And it was first mentioned by Ted Nelson. He's a technical philosopher. And he coined quite well-known terms like transclusion, virtuality, and intertwingularity, and Teledildonics. 
And he mentioned this term at first in a book called Computer Lib/Dream Machines. Very interesting book, by the way. You should read it. And in this book, he did interviews with people who had, yeah, innovative and interesting ideas for the time, but the technology was just not ready yet. And he did an interview with a guy called How Wachspress. And How Wachspress developed a device, or had the idea for a device, called Auditac. When you Google for Auditac, you find quite an ancient website called auditac.com. And when you dig a little bit deeper, you can find out that he's still looking to find a manufacturer to sell his sonic stimulator. Sounds already quite interesting. And he even has a patent and a small graphic for it. So it's basically a radio with one input and two outputs. One input, of course, the antenna. And the two outputs are one for the headphones. And the other output is for the sonic stimulator, which is inserted from below into the human life form. You can even find the patent on Google Patents. And he writes there, in his abstract, random or controlled electronically synthesized signals are converted to sound waves that are directly coupled to the skin of a life form, such as a human body, for example, to stimulate the skin or internal portions of the life form. So as we can see, the ideas were there, but the technology was just not ready in the 1970s and 1980s. But now we are in the year 2018, and we are definitely ready for a penetration test in the Internet of Dildos. And before I'm going to talk about the test devices and the vulnerabilities, I'm going to make a promise now. I will try to keep this as serious as possible. I will try to keep the, I will call it the IPMs, the innuendos per minute, as low as possible. Yeah. And now I just want to talk about the test devices, because those are very important. So I selected three test devices for my master thesis. 
On the right side, we have the, that's not a joke again, Vibratissimo Panty Buster, that's the real name. In the middle, we have the Magic Motion Flamingo. And on the left side, we have the Realov Lydia. So the devices on the left side and in the middle have one thing in common. They are manufactured in China. And the device on the right side is manufactured in Germany. So I have to admit, I was a little bit biased, because I thought I'm going to take a look at the Chinese devices first, because there will be a lot of low-hanging fruits. Question to the audience now, who believes that I found most of the vulnerabilities in the Chinese devices? Raise your hand. Who believes that I found most of the vulnerabilities in the German device? Who believes that I found vulnerabilities everywhere? Yeah, you're basically all right. But when I took a look at the German device, I found so many really, really critical vulnerabilities that I immediately stopped there and wrote my whole thesis about the Panty Buster. OK, so the Panty Buster itself, it's just one product out of a whole product line. I just bought the Panty Buster because it was the cheapest one. They are basically all using the same back ends, the same iOS and Android apps. And yeah, the Panty Buster is basically a device which is connected via Bluetooth to a smartphone. And it can be used, for example, for long-distance relationships. But there is way more behind those apps, because there's like a whole social media network built in. You can make group chats. You can create image galleries. You can maintain friends lists. Yeah, that's real. That's real. It's not a joke. Yeah, and now we're going to analyze this Panty Buster and take it down to the last parts. Yeah, we're going to analyze the software. I'm going to tell you a little bit about the transport layer and the hardware, of course. So I'd like to start with the software. 
So the first vulnerability we have to talk about is a so-called information disclosure. So you might think, no, boring. Just some random version numbers. Yeah, that's true. Most of the time, information disclosures are boring. But in this case, it's really critical. Because I found a so-called .DS_Store file in the web root. A .DS_Store file is basically a metadata file, which is created by the macOS Finder. And it contains a lot of metadata, like file and folder names. So when you find such a file in a web root, you basically have a side-channel directory listing. This .DS_Store file has a proprietary format. But for all problems in life, there is a Python module to decode it. Yeah, and I decoded the .DS_Store file, and I was presented with the following contents. So that's basically a side-channel directory listing of the web root. There are a lot of interesting files and folders. For example, old page example. I have no idea why it's there in the productive environment. There is a database folder. But the most interesting folder is the config folder. So when I navigated to the config folder, there was real directory listing enabled. And there was one file in there. And it was called config.php.inc with the following contents. So basically, I now had access to the database host name, database names, user names, and passwords. The problem now was that, as we can see, the database host is just localhost. So there might be a chance that it's not directly reachable via the Internet. And we have to find the so-called exposed administrative interface to connect to the database. Yeah, of course, the first thing I did was to do a port scan. A lot of interesting ports, sadly no SQL ports. But some of you might remember this, yeah, let's call it weird, brown, orange web application called phpMyAdmin. And I found a subdomain which contained the phpMyAdmin installation. 
And I was able to use those credentials to connect directly to the database and get access to all the data. So I basically had access now to the real-life addresses, to messages in clear text which were exchanged, images, videos, and a lot of other stuff. So yeah, and what hurt me the most was the following slide, because the passwords were stored in clear text. And that's really not necessary in the 21st century. OK, so in real life, about 30 minutes had passed by, and I tried to do a write-up as fast as possible and submit it to the German CERT-Bund. And a few minutes later, I got a really interesting call from the German CERT-Bund. They told me that they had already informed the manufacturer and they were already trying to fix those problems. So my problem was now that I still had to write my master thesis. And I just had content for about 30 pages now, and I needed like 100 pages. So I did a little bit more research and found way more vulnerabilities, of course. And the next vulnerability I'm going to talk about is a so-called insecure direct object reference. Sounds cryptic, but it isn't. It's basically always a vulnerability which consists of two sub-problems. So the first problem is when someone uploads resources to a backend, those resources are most of the time renamed to a random string, which shouldn't be guessable. The first problem would be if it were guessable. But the second thing is there should be authorization checks in place. So if someone is able to guess those unique identifiers, there should still be some process which checks if the user should even be able to download these resources. And in this case, yeah. It was just really easy to guess the identifiers, and there was no authorization whatsoever. And I had to learn this the hard way, literally. There is a feature in the smartphone apps called galleries. So you can create galleries. You can set the visibility to no one is able to see it. Just your friends are able to see it. 
Everyone is able to see it. You can even set a password on those galleries. And just for a test, I created a gallery with a few cats. And when you request this gallery, you see the following request: user manager, PHP, blah, blah, username, password, and some ID. And I thought, yeah, maybe I should change this ID. And I was presented with a dick pic. So yeah, the problem behind this is quite easy. Everything which is stored on the server is renamed to a global counter. The global counter is incremented by one after every upload. And there are no authorization checks whatsoever because the images are just stored on a server. So it doesn't matter if you set a password or set the visibility. That's just nonsense to do it. OK. So the next vulnerability, yeah, I called it improper authentication. To be honest, it was just a weird authentication. So at SEC Consult, I've already seen a lot of different ways of implementing authentication. Some are good, some are bad, but it can be fixed. But in this case, it was just weird. I've never seen something like that. It's basically like HTTP basic authentication, but a little bit worse. So normally, authentication works as follows. You're sending a username and password to a server. And if this process is successful, you get some kind of authorization information like a cookie or an API token. You can use this cookie or API token to authorize all the other requests. In this case, every request contains just username and password in clear text to authenticate the request. That's just weird, to be honest. And also, if your password is compromised, it will also mean that you have to change your username because it's part of the authentication information. So weird, weird implementation. OK, the next vulnerability is called Remote Pleasure Version 1.0. It's 1.0 because there is a 2.0. Yeah, there is a feature in those apps where you can create remote control links. They can be sent via SMS or email. 
And everyone who is in possession of those links can directly control the devices. There is no extra confirmation needed. We will take a look at the email now. There is a button in the email called Quick Control. And there is an ID again. Yeah, the thing is, yeah, it's just a global counter again. And what an attacker can do now is download the app, create his own quick control link, decrement the ID, and pleasure just random strangers on the Internet. OK, I will show you guys a video now where I'm doing exactly that. So when the video is going to start, it's going to start perfect. On the right side, we're going to see an attacker device, which is just connected to the normal mobile network. And the attacker creates his own quick control link and decrements the ID. And on the left side, we can see another smartphone, which is connected to Wi-Fi, to have Internet access, and via Bluetooth to the smart sex toy. And this attacker device should now be able to control it. Yeah, we'll see that now in a few seconds. That's just what I explained. There is no confirmation whatsoever, so you can directly control all the devices. OK, I have to stop talking about software now. There is a lot more like cross-site scripting, HTTPS problems, outdated software. But there is not enough time left now, so we have to talk about the transport layer. Before I'm going to tell you something about the vulnerabilities I have identified, I will tell you something about Bluetooth Low Energy in general, the security basics and how authentication and encryption work on a very high level. So you can imagine that Bluetooth Low Energy basically works like a web API. So that's a very high-level explanation. You have API endpoints. Those are the service characteristics. And you have properties where you can read from and write to. So for example, the device name can be read, or written to change the device name. 
There are also a lot of other characteristics which will be very important when it comes to Remote Pleasure Version 2.0 a little bit later. So that's a very high-level explanation, I know, but we don't have enough time left. Talking about the security basics, Bluetooth Low Energy is using AES-CCM, that's Counter with CBC-MAC, that's basically considered secure. But as we know, security also depends on the key material and the key exchange. And in Bluetooth Low Energy, the key exchange is defined as the pairing methods. For Bluetooth Low Energy, we have five pairing methods. We have just no pairing. So yeah, we basically throw packets into the air. And if a device is nearby, it tries to do something with those packets. We have Just Works. We have out-of-band pairing, passkey, and numeric comparison. I don't have to tell you the details now. You all know those. It's numeric comparison, where you compare numbers, to exchange the key material. You have the passkey, which is always 0, 0, 0, 1, 3, 4. We have out-of-band pairing, where the key material is exchanged via NFC, for example. And we have Just Works, that's really secure, where the key is just set to 0. And it can be, of course, brute-forced with ease. But it just works, of course. So out of those five methods, what does the audience think the sex toy is using? Is it using no pairing? Raise your hands. Is it using any of the other more or less secure methods? Yeah, it's using no pairing. Um, that means that the Android and iOS apps just throw the packets into the air. And if a device is nearby, it starts to vibrate. And that's, of course, easily exploitable. You can just sniff the real traffic and replay it. I did exactly that using a so-called Bluetooth Low Energy sniffer. I used the Bluefruit device. It works very well. And I placed it between the sex toy and the smartphone app. And I sniffed the traffic using Wireshark. And I found some interesting endpoints or handles. 
There is the 1F handle, which is like an initialization handle. And there is the handle 25, where you can send values from 0 to ff to set the vibration intensity. Yeah, and now it's time for a little bit of war-dildoing. I wrote a small Python proof of concept, which basically scans the air for Bluetooth Low Energy devices. If it finds a device, it tries to find out if it is a sex toy. And if yes, it basically turns it on to 100%, to ff. So the next thing I want to talk about is not that funny. So please don't laugh now, because when we released this, a lot of people on Twitter asked, is this rape? So, serious topic. For example, the evil attacker is using my war-dildoing script in the metro, in the U-Bahn, in Vienna. And he would pleasure just random strangers. Is this rape? In Austria, we have two different things. We have rape and sexual assault. And they have two preconditions. So that's three preconditions. We have violence, threats, or deprivation of liberty, which is just not the case in this scenario. But we have a special paragraph called, phew, it's really hard to translate that. It's called the Po-Grapsch-Paragraph. I know that it's a little bit different in Germany, and I'm not a law expert. So I just kept to the Austrian laws, which got verified by Tornis. And according to this paragraph, this would be an unwanted sexual act via a third-party object. So it's not rape, but it's an unwanted sexual act. Okay, the hardware. Last but not least, the biggest problem is that firmware updates are not possible. That was confirmed by the manufacturer. The problem here is a lot of vulnerabilities can just be fixed by doing a firmware update. And the manufacturer came up with the idea that the end users can send in their smart sex toys to do a firmware update. And I'm quite sure that nobody's sending in their used devices to conduct a firmware update. And the other problems are debug interfaces. They just forgot to remove or deactivate them. 
There are serial interfaces on the sex toys. It's just really easy to extract the firmware and do a little bit more research on the firmware. Okay, so you might now think, I still want to use smart sex toys. What can I do? Yeah, the tin foil is not working. But there are a lot of interesting open source projects out there. So first of all, the most famous project is the Internet of Dongs project. There is a really interesting person behind that. He's called RenderMan. You can find him on Twitter. He invented this project to make this whole Internet of Dongs a little bit safer. And he's doing like penetration tests and stuff like that. He's even handing out DVEs. So that's the equivalent to CVEs. Then we have buttplug.io and Metafetish. They are developing open source firmwares for a lot of different sex toys and they are independent from all the manufacturers. And there is also something called Onion Dildonics, which has the goal of rerouting all the smart sex toy traffic over the Tor network to make it a little bit safer. Okay, there is one more thing. I had a lot of calls together with the manufacturer and the German CERT-Bund. And one call was outstanding, because we were discussing the remote pleasure vulnerabilities and we tried to explain to the manufacturer that it's not good that you can basically, out of the box, pleasure everyone on the Internet or if you're nearby. We told them that it should be at least like an opt-in feature where you can switch on this feature in the apps. But the manufacturer said no, that's not possible, because, at least they believed that, most of our customers are in swinger clubs and you don't know beforehand who is in the swinger club. So there is just no opt-in in a swinger club because you're basically always in. Yeah. Thank you.

Taking questions, we have five microphones, two in the front and three in the back. So please line up and ask whatever you want. 
So apparently people on Twitter engaged in a drinking game where they were drinking every time you said penetration testing. In the meantime, we have a question from microphone number two. Yeah, did you come across anything with the patent trolls and teledildonics? I came across what, sorry? Patent trolls. There is an issue with the teledildonics patent and some companies have been threatened to go out of business because of frivolous lawsuits. Yes, yes. There was the, I guess it was called the teledildonics appreciation day in August, because the patent ended. So you can basically use the term wherever you want or... Thank you. Microphone number three, please. So this was very funny, obviously, and you showed us the really low-hanging fruit. On the website, in the database, you would have been able to see the social graph of the users. I don't know if you have managed to look at other devices. Can you elaborate a little bit more on something that I believe is more serious, which is the profiling of users' behaviors, social networks, and so on? So, of course, I didn't take a look at all the data, because it was a critical matter and I directly contacted CERT-Bund, so I can't give you any information about the data, of course. I also took a look at things like tracking and stuff like that. And in this case, there was not a lot of tracking going on at the German sex toys. But when you compare it to the Chinese sex toys, there is way more tracking and stuff like that going on. But I didn't take a detailed look into that. Okay, thanks. Thank you. Thank you again for the educational and entertaining talk. And hopefully, that's a lot of time to talk.
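The two insecure direct object reference findings in the talk (the image galleries and the Quick Control links) share one root cause: every uploaded resource or generated link gets the next value of a global counter, and the backend never checks who is asking. The following is an added example written for this transcript, not code from the speaker, SEC Consult or the manufacturer. It models the backend as an in-memory store (an assumption; the real backend is a PHP application with a MySQL database) and puts the counter-based, unchecked lookup next to a hardened version that uses a random 128-bit identifier and enforces owner/friends/public visibility on every fetch. The `idor_walk` helper reproduces the attacker technique from the talk: create your own object, then decrement the identifier you got back.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Resource:
    """A gallery image or a Quick Control link; visibility as the app exposes it."""
    owner: str
    data: bytes
    visibility: str = "private"   # "private" | "friends" | "public"


class VulnerableBackend:
    """Behaviour described in the talk: identifiers come from a global counter
    incremented by one per upload, and fetch() performs no authorization check,
    so the visibility (and any gallery password) is stored but never enforced."""

    def __init__(self):
        self._counter = 0
        self._store = {}

    def upload(self, owner, data, visibility="private"):
        self._counter += 1                       # guessable: previous upload is id - 1
        self._store[self._counter] = Resource(owner, data, visibility)
        return self._counter

    def fetch(self, requester, resource_id):
        res = self._store.get(resource_id)
        return None if res is None else res.data  # requester is ignored entirely


class HardenedBackend:
    """Both halves of the fix: unguessable identifiers AND an authorization
    check on every access. `friends` maps a user to the set of their friends
    (a constructed stand-in for the app's friends list)."""

    def __init__(self, friends):
        self._store = {}
        self._friends = friends

    def upload(self, owner, data, visibility="private"):
        rid = secrets.token_urlsafe(16)          # 128 random bits, cannot be decremented
        self._store[rid] = Resource(owner, data, visibility)
        return rid

    def fetch(self, requester, resource_id):
        res = self._store.get(resource_id)
        # Unknown and forbidden look identical to the caller, so a guesser gets
        # no oracle telling them which identifiers exist.
        if res is None or not self._authorized(requester, res):
            return None
        return res.data

    def _authorized(self, requester, res):
        if requester == res.owner or res.visibility == "public":
            return True
        if res.visibility == "friends":
            return requester in self._friends.get(res.owner, set())
        return False


def idor_walk(backend, requester, my_id, steps=3):
    """Attacker technique from the talk against counter-based identifiers:
    take the id of your own upload and walk downwards to other users' objects.
    Only meaningful for integer ids; returns the (id, data) pairs that were served."""
    found = []
    for i in range(1, steps + 1):
        data = backend.fetch(requester, my_id - i)
        if data is not None:
            found.append((my_id - i, data))
    return found


def demo():
    """Constructed scenario: Alice uploads a private image, Bob uploads cats and
    then decrements the id he was given. Returns what each backend served."""
    vuln = VulnerableBackend()
    vuln.upload("alice", b"alice-private-image", "private")
    bob_id = vuln.upload("bob", b"cats", "private")
    leaked = idor_walk(vuln, "bob", bob_id)

    hard = HardenedBackend(friends={"alice": {"carol"}})
    token = hard.upload("alice", b"alice-private-image", "private")
    return {
        "leaked_from_vulnerable": leaked,             # [(1, b'alice-private-image')]
        "bob_on_hardened": hard.fetch("bob", token),  # None: no access for strangers
        "owner_on_hardened": hard.fetch("alice", token),
    }


if __name__ == "__main__":
    print(demo())
```

The same two checks apply to the Quick Control links: a link that is a random token is useless to someone who merely creates their own link and counts down, and a link that is tied to the account that issued it (or to an explicit confirmation on the receiving side) cannot be used by whoever happens to hold it.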