DeepSec 2018 Talk: IoD – Internet of Dildos, a Long Way to a Vibrant Future – Werner Schober
The Internet of Things has grown. Interconnected devices have now their own search engine. Besides power plants, air conditioning systems, smart (or not so smart) TV sets, refrigerators, and other devices there are a lot smaller and more personal things connected to the Internet. Your smartphone includes a lot of personal conversations, most probably pictures, sound recordings, and a treasure trove of data for profiling. Let’s get more personal. Let’s talk about teledildonics.
Teledildonics is the art and technology of remote sex. Call it cybersex (apologies to William Gibson), cyberdildonics (again, sorry, Mr Gibson), or whatever you like. It’s been around for a long time, think decades. The term was used in 1975 by Ted Nelson in his book Computer Lib/Dream Machines. It even has its own conference, called Arse Elektronika (which was first held in 2007, just like DeepSec!). The conference explores the impact of sex on technological innovation and adoption – which is right up our alley, too. Werner Schober from SEC Consult has investigated „smart“ sex toys. The work was done as his master thesis in computer science. The results are scary, because Werner found multiple vulnerabilities in sex toys which can connect to your smartphone via an app(lication). The list is impressive.
- Exposed administrative Interfaces on the Internet
- Cleartext Storage of Passwords
- Unauthenticated Bluetooth® LE Connections
- Insufficient Authentication Mechanism
- Insecure Direct Object Reference
- Missing Authentication in Remote Control
- Reflected Cross-Site Scripting
The devices combine a set of different technologies. One crucial part is the network protocol. The Bluetooth® SIG highly recommends version 4.2. Some of the toys use 4.0/4.1, thus allowing for a weaker key exchange. The hardware of the product is capable of using 4.2. By choice it was not used in order to be able to connect to older phones. The other weaknesses are straight from the tutorials of How Not To Code Securely.
The implications for violation of privacy are severe. Due to the public database disclosure in one product, the whole Internet could access information such as explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, and more. This is a nightmare for customers and, in some cases, a great opportunity for people earning their money by blackmail. Given the fact that the phone app connects to its own social network platform, the nature of the social graph is definitely sensitive information.
The lack of authentication (Bluetooth® no pairing mode) is deliberate and activated by default. The reason are some use cases of the sex toy which require involve full access by random individuals. Even the new firmware will default to this mode, so authentication will stay opt-in. From the viewpoint of information security this is a bad choice.
Don’t get distracted by the nature of these devices. Teledildonics and the porn industry are the trailblazers for new technologies. Virtual reality is extensively being tested and developed, but not for computer games or office applications. The same is true for many other devices, code, and algorithms. The common denominator is access to the Internet. Ubiquitous connectivity must not lead to arbitrary access of data and management consoles. Web application learned this lesson the hard way – and are still vulnerable. The Industry of Things has to learn this lesson fast!
The full technical advisory is published. In addition you can read Werner’s own blog article about his findings.