IoD - Internet of Dildos, a Long Way to a Vibrant Future

Presented at DeepSec 2018 „I like to mov &6974,%bx“, Unknown date/time (Unknown duration)

In recent years the internet of things has slowly crept into our daily life and is now an essential part of it, whether you want it or not. A long-existing sub-category of the internet of things is a mysterious area called teledildonics. The term was coined about 40 years ago and described (at that time fictional) devices allowing their users to pleasure themselves while being interconnected to a global network of plastic dongs. In the 21st century, teledildonics actually exist. Multiple devices are on the (multi-million dollar) market, offering the ability to pleasure an individual while being connected to the internet. Those devices offer functionalities like remote pleasuring over local links as well as over the internet, and they implement social media-like features such as friends lists, instant messaging, movie chats and explicit-image sharing.

With great pleasure comes great responsibility, a responsibility which the smart sex toy manufacturers do not take into consideration as much as they should while handling extremely sensitive data. As long as there is no serious breach there is no problem, right? This was the basis for a research project called "Internet of Dildos, a long way to a vibrant future", dealing with the assessment of smart sex toys and the identification of vulnerabilities in those products, including mobile apps, backends and the actual hardware.

After the assessment of a selection of smart sex toys, an abyss of vulnerabilities was revealed. The identified vulnerabilities range from technically interesting ones to vulnerabilities which affect the privacy of the users in extreme and explicit ways. It was possible to gain access to thousands of users' data records, including cleartext passwords, explicit images, real-world names, real-world addresses and many more specific facts. Furthermore, we were able to remotely pleasure individuals without their consent over the internet or over a local link.
Talk outline:

1. Why?
  • Explanation as to why it is necessary to conduct penetration tests in the area of teledildonics and why the topic was chosen for further research.
2. Quick introduction into basics like
  • Internet of Things (IoT)
  • Sextech
  • Teledildonics
  • Internet of Dongs (IoD)
3. The "Test Devices"
  • A quick introduction of the test devices examined during this project.
  • Explanation of their feature set, including areas of application and use cases.
4. Let's get dirty - An overview of the identified vulnerabilities
  • .DS_Store File Information Disclosure
  • Customer Database Credential Disclosure
  • Unrestricted Access to Administrative Interfaces
  • Weird Authentication Implementation
  • Unauthenticated Bluetooth LE Connections
  • Missing Authentication in Remote Control
  • And many more…
5. Bluetooth LE Protocol Exploitation
  • Brief overview of Bluetooth LE security features
  • Brief overview of Bluetooth LE authentication/pairing methods
  • Brief overview of Bluetooth LE exploitation hardware
  • Brief overview of Bluetooth LE exploitation software
  • Hands-on example
6. The "Swinger Club Problem"
  • How the manufacturers tried to downplay the vulnerabilities.
7. Legal Issues - Rape over the wire?
  • How do current laws deal with sexual pleasure without consent over the internet?
8. Responsible Disclosure Process
  • Coordinated vulnerability remediation with the German CERT-Bund and why it was necessary to consult an independent third party.
9. Ongoing/Similar Research

Presenters:

  • Werner Schober - SEC Consult
    Werner Schober has been working as a professional IT security consultant for SEC Consult since 2015. Besides being quite active in the SEC Consult Vulnerability Lab, where he identifies vulnerabilities in standard software, he is a penetration testing generalist. He likes to probe for vulnerabilities in everything that runs code, ranging from Android apps, smart homes, wireless networks and heavy-duty machines to whole Windows domains. During his studies at the University of Applied Sciences St. Pölten he focused on smart meter and smart grid best practices concerning IT security, graduating with a Bachelor of Science. Pushed by the knowledge he gathered during his daily work at SEC Consult with various IoT devices, he decided to go a step further and analyse a myth-enshrouded IoT category for his master thesis: smart sex toys. The research project "Internet of Dildos" was born, and Werner is now focusing on the identification of vulnerabilities in smart sex toys for his master thesis.
