Internet of Dongs

Video thumbnail (Frame 0) Video thumbnail (Frame 1833) Video thumbnail (Frame 2575) Video thumbnail (Frame 3975) Video thumbnail (Frame 4799) Video thumbnail (Frame 5866) Video thumbnail (Frame 6499) Video thumbnail (Frame 7633) Video thumbnail (Frame 8421) Video thumbnail (Frame 10233) Video thumbnail (Frame 11678) Video thumbnail (Frame 12421) Video thumbnail (Frame 13169) Video thumbnail (Frame 14031) Video thumbnail (Frame 15690) Video thumbnail (Frame 16429) Video thumbnail (Frame 17075) Video thumbnail (Frame 17741) Video thumbnail (Frame 18564) Video thumbnail (Frame 20118) Video thumbnail (Frame 20744) Video thumbnail (Frame 22574) Video thumbnail (Frame 23940) Video thumbnail (Frame 24818) Video thumbnail (Frame 26054) Video thumbnail (Frame 27120) Video thumbnail (Frame 28560) Video thumbnail (Frame 29609) Video thumbnail (Frame 30528) Video thumbnail (Frame 31346) Video thumbnail (Frame 32148) Video thumbnail (Frame 32912) Video thumbnail (Frame 33695) Video thumbnail (Frame 35735) Video thumbnail (Frame 36425) Video thumbnail (Frame 37225) Video thumbnail (Frame 37949) Video thumbnail (Frame 39734) Video thumbnail (Frame 40947) Video thumbnail (Frame 42961) Video thumbnail (Frame 45243)
Video in TIB AV-Portal: Internet of Dongs

Formal Metadata

Internet of Dongs
A long way to a vibrant future
Title of Series
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
With great pleasure comes great responsibility. A responsibility, which is not taken enough into consideration by the smart sex toy manufacturers as they should, while handling extremely sensitive data. As long as there is no serious breach, there is no problem, right? This was the basis for a research project (Master Thesis) called “Internet of Dildos, a long way to a vibrant future”, dealing with the assessment of smart sex toys and identification of vulnerabilities in those products, including mobile apps, backends and the actual hardware. After the assessment of a selection of multiple smart sex toys an abyss of vulnerabilities was revealed. The identified vulnerabilities range from technically interesting vulnerabilities to vulnerabilities which affect the privacy of the users in extreme and explicit ways.
Keywords Security

Related Material

The following resource is accompanying material for the video
Video is cited by the following resource
Roundness (object) Internetworking Musical ensemble
Information security Information technology consulting 2 (number) Hypothesis
Cybersex Word Malware Digital rights management Internetworking Multiplication sign Analogy Universe (mathematics) Point cloud Student's t-test Internet der Dinge Hypothesis
Category of being Plastikkarte Software testing Internet der Dinge Semiconductor memory Hypothesis Product (business)
Authentication Web service Blog Telecommunication Plastikkarte Bit Denial-of-service attack Asynchronous Transfer Mode Vulnerability (computing)
Category of being INTEGRAL Internetworking Flash memory Energy level Internet der Dinge Hypothesis
Area Internetworking Term (mathematics) Virtual machine Virtualization Mass Computer Library (computing)
Multiplication sign Expression Ordinary differential equation Website Bit
output Function (mathematics)
Statistical hypothesis testing Internetworking Software testing Software testing Vulnerability (computing)
Statistical hypothesis testing Real number Software testing Bit Hypothesis Vulnerability (computing)
Medical imaging Android (robot) Mobile app Bus (computing) output Software testing Smartphone Line (geometry) Distance Hypothesis Product (business) Front and back ends
Mobile app Group action Social software Digital media Real number Computer-generated imagery Electronic mailing list Mathematical analysis Control flow Software maintenance Mereology Local Group Online chat Medical imaging Software Function (mathematics)
Randomization Information Multiplication sign Bit Mathematical analysis Number Revision control Software Personal digital assistant Computer hardware Software Computer hardware Information Vulnerability (computing)
Web page Computer file Strut Directory service Database Side channel attack Metadata Web 2.0 Content (media) Root Information Configuration space Module (mathematics) File format Server (computing) Computer file Electronic mailing list Data storage device Mass Database Directory service Content (media) Integrated development environment Video game Configuration space Routing
Interface (computing) Domain name State of matter Port scanner Database Statistics Medical imaging Web application Message passing Internetworking Web service Password Interface (computing) Videoconferencing Address space
Web page Slide rule Password Interface (computing) Video game Social class Mass Bit System call Vulnerability (computing) Hypothesis
Identifiability Process (computing) Personal digital assistant Object (grammar) String (computer science) Multiplication sign Authorization Directed set Object (grammar) Vulnerability (computing)
Digital rights management Dependent and independent variables Object (grammar) Password Directed set Software testing Smartphone Computer-assisted translation
Authentication Server (computing) Server (computing) Authentication Medical imaging Personal digital assistant Different (Kate Ryan album) Object (grammar) Authorization Limit of a function Directed set Authorization Message passing Vulnerability (computing)
Authentication Implementation Information Token ring Authentication Password Bit Mereology Revision control Mechanism design Process (computing) Personal digital assistant Password Authorization Limit of a function HTTP cookie Remote procedure call Implementation
Email Mobile app Email Link (knot theory) Remote administration Link (knot theory) Authentication
Random number Game controller Email Mobile app Link (knot theory) Internetworking Authentication Musical ensemble Control flow
Email Reading (process) Game controller Computer-generated imagery Authentication Password Database Internetworking Software Process (computing) Information Source code Vulnerability (computing) Link (knot theory) Range (statistics) Product (business) Number Internetworking Software Schmelze <Betrieb> Orientation (vector space) Software testing Social class Smartphone Information security Videoconferencing Address space
Game controller Link (knot theory) Line (geometry) Hidden Markov model Mass Website 2 (number)
Authentication Email Multiplication sign Maxima and minima Mass Software Quadrilateral Software Encryption Energy level Office suite Information security Website Information security Vulnerability (computing)
Asynchronous Transfer Mode Personal identification number Multiplication sign Characteristic polynomial Floating point Number Web 2.0 Revision control Web service Musical ensemble Energy level Pairwise comparison Information security Task (computing) Pairwise comparison Key (cryptography) Forcing (mathematics) Counting Usability Bit Schlüsselverteilung Category of being Message passing Remote procedure call Information security
Android (robot) Real number output
Mobile app Mass Line (geometry) Communications protocol Vibration Vibration
Proof theory Multiplication sign Demo (music) Bit
Scripting language Order (biology) Randomization Scripting language Different (Kate Ryan album) Personal digital assistant Physical law Expert system Bit Object (grammar) Preconditioner Twitter
Computer hardware Interface (computing) Interface (computing) Plastikkarte Bit Vulnerability (computing) Firmware
Meta element Open source Projective plane Open source Plastikkarte Bit Airfoil Twitter Software Different (Kate Ryan album) Internetworking Volumenvisualisierung Software testing Metropolitan area network
Mobile app Cuboid Musical ensemble Remote procedure call Game theory Semiconductor memory Local ring System call Vulnerability (computing) Twitter
Trail Graph (mathematics) Mapping Information Multiplication sign Bit Database Number User profile Term (mathematics) Personal digital assistant Website Musical ensemble
[Music] and I have one last announcement before we begin this talk this is a personal announcement to whoever slap the sticker saying for recto use only on to my microphone microphones are not supposed to be used this way please trust me I am very familiar with microphones I know how they are supposed to be used however our next speaker is going to tell you about things that are supposed to be used this way and about how to secure and protect those things so please welcome Jana and the talk you all came here to see Internet of Donn's a round of applause
okay so hello everyone my name is veena I'm working for a second salt as an IT security consultant and besides penetrating all the things that the second salt availability lab I have been studying information security for the last five years at the University of Applied Sciences and pelton back in Austria and about a year
ago I was I was facing a massive challenge some people might know this challenge this challenge was to select a proper topic for my master thesis you you might
know there are always those predefined topics by the universities some of them are quite interesting they are taken yeah most of the time quite fast but all the other students and you are left with the boring topics and I thought to myself yeah I don't want to stress myself I just want to define a topic by myself and that was the challenge so the first thing I did to get a better overview of the topics was to take a look at the topics my colleagues have chosen I created a word cloud out of that so we have basically all the interesting topics there we have bitcoins we have GD P R we have cyber cyber cyber we have DevOps management malware but some of you might have
already noticed it there is one topic missing at my colleagues thesis which is very very important in the year 2018 and that's the Internet of Things so I guess it don't have to explain here at the Congress what the Internet of Things is it's basically the interconnection of all the devices which were analog a few years ago with each other and even worse over the Internet and I thought yeah maybe I can combine the knowledge together it's a consult and conduct the
penetration test in this Internet of Things the problem here is still there are like millions of products and I just have to ride one thesis so I had to select one subcategory in this Internet of Things to conduct the penetration test on and of course the first thing which came to my mind were smart home devices we already had a lot of interesting about smart home devices there are like
smart coffee machines smart lawnmowers lightbulbs thermometers and stuff like that but this category has two problems so first of all there is already a lot of research done and the other problem is the impact so I don't want to
downplay the vulnerabilities which were found here but when there are vulnerabilities found I mean yeah if there is a DDoS on your lawnmower you can just go out to your garden and mode alone yourself it's not that big of a deal so I thought they have to select a subcategory where the impact is a little bit more critical and I came up with the following devices so for example dolls
smart dolls there was this tall Kiowa some of you might know it someone found out that it has a built-in microphone and the data was sent to some to be a service in some dubious countries and it was even declared it's an illegal telecommunication device it had to be destroyed or there is a lot of interesting research at baby monitors a colleague of mine wrote in very interesting blog post you should take a look at it or devices which affect our body so for example smart pacemakers they were developed by as tube medical that's the biggest manufacturer of pacemakers in the world and they built a pacemaker which is programmable via bluetooth but yeah they forgot authentication which is quite a big of a
problem when everyone is able to reprogram your pacemaker so as we can see those at this categories the impact would be quite critical but this again a lot of research done so the deadline was coming closer and closer I had to hand him some kind of topic for my master thesis I was doing a lot of brainstorming with with myself and then suddenly it came to my mind there is one category out there where the impact would be very critical and there is not
a lot of research done and that's the Internet of dildos so it's basically it's basically the integration of sex toys into the Internet of Things where we interconnected dildos with each other and over the internet but before I'm going to show you what I found in this internet of dildos we have to talk about history because you you might think now did something new but it's in true because the internet of dildos as we know it is existing for about fifty to sixty years and this always when there are new inventions or interesting ideas the first appear in movies and that also applies to the internet of fuels so those are quite old movies we have for example Bob Aquila of Flash Gordon or a Cosmo and in those movies those are real movies it's not a joke the Internet of deals it appeared first in this movie so for example at Papa gala the evil guy used the device called the orgasmic on to cause so high levels of arousal in humanity to kill people so basically the
internet of dildos was in the 60s and 70s a weapon of mass destruction
and not the weapon of mass pleasure as it should be so a few years later a whole research area was formed this research area is called teledildonics and it that's also another joke again and it was first mentioned by Ted Nelson he is a technical philosopher and he coined quite well-known terms like transclusion virtuality and intervene hilarity and teledildonics and he mentioned this term it first in a book called computer lib dream machines very interesting book by the way you should read it and in this book he did interviews with people who had yeah innovative and interesting
ideas for the time but the technology was not just ready yet and it did an interview with a guy called how Express and how Express developed the device or
had the idea for a device called awed attack when you google for out attack you fight find a quite an ancient website called ode attack calm and when you dig a little bit deeper you can find
out that he's still looking to find your manufacturer to sell this sonic stimulator sounds already quite interesting and and even has a patent
and a small graphic for that so it's basically a radio with one input and two outputs one input of course the the antenna and the two outputs are one for the headphones and the other output is for the sonic stimulator which is inserted from below in the human life-form
you even can find the patent on Google patents and he writes there I mean it's abstract random or controlled electronically synthesized signals are converted to sound waves
that are directly coupled to the skin of a life-form you have such as a human body for example to stimulate the skin or internal portions of the life-form so as we can see the ideas were there but the technology was just not ready in the 1970s and 1980s but now we are in the year 2018 and we are definitely ready for a penetration test in the internet of dildos and before I'm going to talk about the test devices and two vulnerabilities I'm going to make a
promise now I will try to keep this as serious as possible I will try to keep the the the I will call it the IPM stinger and those per minutes as low as possible yeah and now I will just want to talk about the test devices because
those are very important so I selected three test devices for my master thesis on the right side we have the that's not a choke we can be producing more Penta Buster that's the real name in the middle we have the magic motion flamingo and on the left side we have the real love Lydia so the devices on the left side and the middle have one thing in common they are manufactured in China and the device in the red right side is manufactured in Germany so I have to admit I was a little bit biased because I thought I'm going to take a look at the Chinese devices first because there will be a lot of low-hanging fruits question to the audience now who believes that I found most of the vulnerabilities in the Chinese devices raise your hand
who believes that I found most of the vulnerabilities in the German device who believes that I found vulnerabilities everywhere yeah you're basically all right but when I took a look at the German device I found so many really
really critical learner abilities that the image immediately stopped there and wrote my whole thesis about the penta bus stop okay so the Penta pastor itself
it's just one product out of a whole product line I just bought the Penta pastor because it was the cheapest one it's they're basically using all the same backends the same iOS and Android apps and yeah the Penta pastor is basically device which is connected via bluetooth to a smartphone and it can be used for example for long distance relationships but there is way more
behind those apps because they are just like a whole social media network built in you can make group chats you can create image galleries you can maintain friends lists yet that's real it's real it's not a joke yeah and now we're going to to
analyze this Penta Buster and take it down to the last parts yeah we're going
to analyze the software I'm going to tell you a little bit about the transport layer and the hardware of course so I'd like to start with the
software so the first vulnerability
where we have to talk about this is so-called information disclosure so you might think not boring just some random version numbers yeah that's true most of the time information disclosures are boring but in this case it's really critical because I found a so called you
store file in the web root at the store file is basically a metadata file which is created by the Mac OS finder and it it contains a lot of metadata like files and folder names so when you find such a file in a web brute you have basically side-channel directory listing this new store file is a proprietary format but this for all problems in life there is a Python module to decode it yeah and the decoded the D store file and I was presented with the following contents so that's basically a side channel directory listing of the web route there are a lot of interesting files and folders so for example old page example I have no idea why it's there in the productive environment there is a database folder but the most interesting folder is the config folder so when I navigate to the config folder that was redirect URI listing enabled and there was one file in there and it was called config dot PHP dot Diane C with the
following contents so basically I had not had my access to the database hostname they did his names
usernames and passwords the problem now was that as we can see the database host is just localhost so there might be a chance that it's not yet directly reachable via the internet and we have to find the so called exposed
administrative interface to connect to the database yeah of course the first thing I did was to do a port scan
[Applause] a lot of interesting ports sadly no no SQL ports but some of you might remember this let's call it weird brown orange web application called phpMyAdmin and they found a sub-domain which contained the PHP myadmin installation and I was able to use those credentials to connect directly to the database and get access to all the data so I basically had access now to the real-life addresses to messages in clear text which were exchanged images videos and a lot of other stuff so yeah and
what hurt me the most was the following slide because the passwords were stored
in clear text and that's really not necessary in the 21st century okay so in real life about 30 minutes have passed by and they tried to do a write up as fast as possible and submitted to the chairman said pooned and yeah a few minutes later I got a really interesting call from the chairman said bond they told me that they already informed the manufacturer and they already trying to fix those problems so my problem was now that they still had to write my master thesis and it just have content for about 30 pages now and I need like hundred pages so I did a little bit of more research and found way more vulnerabilities of course and the next
tool or ability I'm going to talk about is a so-called insecure direct object reference sounds cryptic but it isn't it's basically always a vulnerability which is consisting of two sub problems so the first problem is when someone uploads resources to a back-end those resources and most of the time renamed to like an random string which shouldn't be guessable the first problem would be if it would be get simple but the second thing is there should be authorization checks in place so if someone is able to guess those unique identifiers there
should still be some like process which should check if the user should even be able to download these resources and in this case yeah it was just really easy to guess the identifiers and there was no author it's a authorization whatsoever and I had to learn this the
hard way literally there is a feature in the smartphone apps called galleries so you can create galleries you can set the visibility to no one is able to see it just your friends are able to see it everyone is able to see it you can even set the password on those galleries and yeah and just for a test I created a
gallery with a few cats and when you request this gallery you see the following requests user manager PHP blah blah blah username password and some ID and I thought yeah maybe I should change the city and I was presented with a dick pic so yeah the problem behind this is quite
easy everything which is stored on the server is renamed to a global counter the global counter is incremented by one after every after every upload and there are no authorization checks whatsoever because the images are just stored on a server so it doesn't matter if you set a password or set the visibility that's just nonsense to do it okay so the next
vulnerability yeah I called it improper authentication to be honest it was just a weird authentication so it's a consult is already a lot of different ways of implementing authentication some are good some are bad but it can be fixed but in this case it was just weird I've never seen something like that it's
basically like HTTP basic authentication but a little bit worse so normally authentication works as follows you're sending a username and password to a server and if this process is successful you get some kind of authorization information like a cookie or an API token you can use this cooking API or API token for to authorize all the other requests in this case every request contains just username and password in clear-text to authenticate the requests that's just weird to be honest and also if if your password is
compromised it will also mean that you have to change your username because it's part of the authentication information so weird weird implementation okay the next one ability is called the remote pleasure version
1.0 it's Mondas Europe because there is a 2.0
yeah there is a feature in those apps where you can create remote control links they can be sent to your SMS or email and everyone who is in possession of possession of those links can directly control the devices there is no extra confirmation needed we will take a look at the email now there is a button
in the email called quick control and there is an ID again yeah the thing is yeah it's just a
global counter again and what an attacker can do now is download the app creates its own quick controlling decrement the ID and pleasure just random strangers on the Internet [Applause] [Music]
okay I will show you guys if we do you know where I'm doing exactly that so
when they witty is going to start this going to start perfect on the right side we're going to see an attack device which is just connected to the normal mobile network and the attacker creates its own quick controlling and decrements the ID and on the left side we can see another smartphone which is connected to Wi-Fi to have internet access and via bluetooth to the smart six toy and this
attacker device should now be able to control yeah see that now in a few
seconds that's just what I explained yeah hmm
yeah there is no confirmation whatsoever sir you can directly control all the
devices okay I have to stop talking
about software now there is a lot more
like cross scripting HTTP problems outdated software but there's not a little enough time left now so we have
to talk about the transport layer before I'm going to tell you something about the vulnerabilities are identified I will tell you something about Bluetooth Low Energy in general the security basics and how authentication and encryption works on a very high level so you can imagine that
Bluetooth Low Energy basically works like a Web API so that's a very high level explanation you have API endpoints those are the service characteristics and you have properties where you can read and write to so for example the device name can be read or written to to change the device name and there are also a lot of other characteristics which will be very important when it comes to remote pleasure version 2.0 a little bit later so that's a very high-level explanation to know
but we don't have enough time left talking about the security basics Bluetooth Low Energy is using a CCM that's count the CBC with Mac that basically considered secure but as we know security also depends on the key material and the key exchange and at Bluetooth Low Energy the key exchanged is defined as the pairing methods for Bluetooth Low Energy we have five pairing methods we have just no pairing so yeah we basically throw packets into the air and if a device is nearby it it tries to do something with those packets we have just works we have out-of-band pairing tasks in the Mara comparison I don't have to tell you that it tell you the details now we you all know those it's not very comparison very compare numbers to exchange the key material you have the pass key which is yeah like always your zero zero one two three four we have out of pain pairing where the key material is exchanged via NFC for example and we have just works that's really secure where did the key is just set to zero and can we of course brute force to these but it just works of course so out of those five methods what what do what does the audience thinks that the sex toy is using is it using no paring raise
your hands is it using any of the other more or less secure methods yeah it's using no paring it means that the Android and iOS apps just a throw the
packets into the air and if a device is nearby it starts to vibrate and that's of course easily exploitable you can just sniff the real traffic and repeat
it I did exactly that using a so called Bluetooth line which is sniffer I'll use the bluefruit device
it works very well and they placed it between the sex toy and the smartphone app and there's nifty traffic using
Wireshark and it found some interesting endpoints or handles there is the 1f handle which is like an initialization handle and there is the handle 25 where you can send values from zero to FF to set the vibration intensity yeah and now
it's time for a little bit of war dueling I wrote the small pipe and proof of
concept which basically scans the air for Bluetooth low-energy devices if it finds the device it tries to or try to find out if it is a sex toy and if yes yeah it basically turns it on to 200% to FF so the next thing I want to talk
about is not that funny so please don't laugh now because when we release this a
lot of people on Twitter asked is this rape so serious topic for example the evil attacker is using my for dealing script in the in the metro in the new Bond in vim in Vienna and you would pledge it just random strangers it's this rape in Austria we have two different things we have rape and sexual assault and they have two preconditions so that's violence are three preconditions we have violence threats or deprivation of Liberty which is just not the case in this scenario but we have a special paragraph called pewds regard to translate that it's called the polka paragraph and the old it's a little bit different in Germany and I'm not a law expert so it just kept the Austrian laws which get verified by tourists so and according to this paragraph this would be an unwanted sexual act via third party object so it's not rape but it's an unwanted sexual act okay
the hardware last but not least the biggest problem is that firm updates are not possible that was confirmed by any manufacturer the problem here is a lot of vulnerabilities can just be fixed by doing infirm updates and the manufacturer came up with the idea that the end users can send in their smart sex toys to do a firm wrapped it and I'm quite sure that nobody's sending in they use devices to conduct the firmware update and the other problems are debug interfaces the other just forgot to remove the or deactivate they are serial interfaces on the the sex toys it's just really easy to extract the forever and to a little bit of more research on the firmware ok so you might now think I
still want to use smart sex toys what can I do yeah the tinfoil is not working
but there are a lot of interesting open-source projects out there so first of all the most famous project is the Internet of dongs project there is a really interesting person behind it he is called render man you can find him on Twitter he invented this project to make this whole internet of thongs a little bit safer and he's doing like penetration tests and stuff like that and he's even even handing out DVDs so that's the equivalent to CVS then we have butt plug to dial and Mehta fetish they are developing open source firm versus for a lot of different sex toys and they are independent from all the manufacturers and there is also something called onion till tonics with which which has the goal of rerouting all the smarts extra traffic over the Tor network to make it a little bit more safer
[Music] okay there is one more thing I had a lot
of calls together with the manufacturer and the chairman said pund and one call was outstanding because we were
discussing the remote pleasure vulnerabilities and we tried to explain
the manufacturer that it's not good that you can basically out of the box pleasure everyone on the internet or if you nearby we told them that it should be at least like an opt-in feature where you can switch on this feature in the apps but the manufacturers said no that's not possible because at least they believe that most of our customers I read smear clips and you don't know beforehand who is in the swing a club so there is just no opt-in in a swing club because you're basically always in yeah thank you [Applause] [Music] [Music] taking questions we have five microphones two in the front and three in the back so please sign up and ask whatever you want so apparently people on Twitter engaged in a drinking game
where they were drinking every time you said penetration in the meantime we have a question from microphone number two yeah did you come across anything with the patent trolls in teledildonics I came across what sorry patent trolls there is a issue with teledildonics patent and some companies have been threatened to go out of business because of frivolous lawsuits yes yes there was I guess it was called teledildonics appreciation day in august because the patent ended so you can basically use the term wherever you want or yeah thank you microphone number three please so this was very funny of this leap and you showed us the really low-hanging fruit on the website in the database you would have been able to see the social graph of the users I don't know if you have managed to look at other devices can you elaborate a little bit more on something that I believe more serious which is the profiling of users behavior social networks and so on so of course it didn't took a look at all the data because it was a critical map unions that directly contacted the chaplain so I can't give you any information about the data of course I also took a look at like things like tracking and stuff like that and in this case there was not a lot of tracking going on at the German sex toys but when you compared it to the Chinese sex toys there is way more tracking and stuff like that going on but it didn't took like a detailed look into that okay thanks thank you thank you again for their educational and entertaining talk and hopefully [Applause] [Music] [Music]