Hi and welcome to the Internet of Vibrating Things. I'm Goldfisk. And I'm Follower. And we're much more exciting than Mr. Robot. Uh yep so please set your phones to vibrate and we'll begin. So uh before we get started we uh just want to uh cover some uh content advisory. Um our goal with this talk is to uh create an inclusive and safe environment for us and you to learn more about uh sex and technology and how they interact. Um there are no sexually explicit uh descriptions or images in this talk. Uh and although we do mention uh some legal aspects, uh our focus is on the technology aspect. And uh when you're talking to people after the talk uh please ensure if you're talking about things that aren't relevant to the topic that you're talking about. So we're going to start with the technology that you have their consent and they're comfortable having that conversation with you first. Alright so Bluetooth. Um it's in your phone, it's in your smartwatch, your Fitbit, your doorbell, your door lock, your um your mouse, your keyboard, it's everywhere. Yep. I understand that. Um so Bluetooth devices are everywhere. They're in your Fitbit, your phone, your laptop, the lock on your door, your doorbell. They're everywhere. Uh a lot of people aren't really aware of the security around this. So it makes sense that adult toys are going to have that technology too. Uh generally Bluetooth internet connected devices are vibrators because it's sort of the techy part. Um and increasingly they're becoming associated with mobile apps as well so there's the internet connection through that. What could possibly go wrong with that? Security? More like sex security, am I right? It's just a laugh, right? It's just sex toys, like, you know, who actually uses those anyway?
So a lot of people have that attitude and one of the things that we wanted to cover is what's actually at stake. Um because it's all very well and good to make jokes about it but as one manufacturer talks about they have over two million people using their devices. So what's at stake is two million people and that starts to become like hey this is about people it's not just a joke. And that's just one of the manufacturers? Right so the immediate thing is what if you could hack into someone's device and control their toy. Turn it on, make it do whatever you want. That's sort of the immediate thing that comes to mind. And um a lot of people in the past have said hey this isn't really a serious issue or if I hack up a vibrator it's just for fun. Um but if you come back to the fact that we're dealing with people here uh then in fact uh unlawful uh control of a device like a vibrator actually counts uh potentially as sexual assault because it's unwanted. Um there's not really much legal precedent for this kind of thing because in terms of remote controlling devices um so this is definitely an interesting area. So there's a spectrum of what we call intimate devices. Uh if you have someone that can control your light bulb uh it's annoying um but it's not something that's particularly intimate to you. But once you start moving into devices like vibrators or at the far end something that's uh connected to your life like a heart uh like a heart pacemaker, they are uh then you start to get a bigger picture of why the issue of uh of security in these areas is uh particularly important. Uh so then moving on from the control, what happens if people can find out things about you using this? So at the very basic level what happens if people can find out that you're in possession of this device? Um particularly in certain places it's illegal to own a sex toy um and it is a criminal charge. 
Um and in some places there is a legal precedent of the possession of sex toys causing a legal charge. Um yeah. And it's uh not just overseas either. Um in uh in the US um Alabama is one state that uh bans sex toys. Uh there's a town in Georgia that does as well. Um the situation in Texas is a little bit confused. Up until very recently um there was a ban in place. Uh things we've seen have said that uh it was declared unconstitutional so it doesn't apply. But it's a legal charge. But it still appears in the uh the code when we went to look at it. Right. And then getting into an even wider sense, what sort of information can a device like this generate about you? Um so there's all kinds of different data. There's your um temperature, your session information. There could be other potential sensors. We just looked at one product in particular but a whole lot of different sensors generating all this personal information about you. And a lot of apps have audio and video chat associated with that. So when we started out uh with this research we were wondering oh what are the potential exploits or vulnerabilities that uh a third party hacker could take advantage of. But then when we looked more closely it actually turns out you might be more concerned about what the manufacturer is doing and what they're doing with your data. So this is the Standard Innovation Corporation and uh they're the manufacturer of uh of the WeVibe device that we looked at. And so do you want these people looking at your uh looking at your own uh temperature data potentially or uh real time data as you use the device about what patterns you like or what um intensity you like? Um and what are what are the implications of who they're going to give that data to? Um I mean these companies say that they they claim that they're very concerned they keep that secure and secure about their privacy.
Um but if we look in their privacy policy we can see that they say we reserve the right to disclose your personally identifiable that's your name with your information if required to by the law. Um and there's a bit of not much clarity about what if it's not required by the law but they have other reasons to. So that's a little bit dodgy. And so one of the things is that uh people can make the argument well you know usage data collection is just a standard part of mobile apps these days. And we want to question that assumption and say you know if you're making devices that are um that are controlled by mobile apps that are of a more intimate nature maybe you should consider whether you should be collecting that information in the first place. Because if the information isn't collected then it's not vulnerable to either security releases or legal enforcement uh of release of data. Um so this is the specific product that we looked into and had the hardware for. It's wearable so you can wear it under your clothes. It can be controlled either with a remote or with and has two motors and so it's Bluetooth connected to your phone or the remote. And what do you know it turns out this device does send information back to the manufacturer. Um so the temperature data comes from uh as we understand it a thermistor inside the device itself. Uh it's related to monitoring the temperature of the motor. But we also determined that it is affected by um uh like contact with the human body. So at a minimum you can determine uh probably whether or not a device is in use even if it's not actually active. Uh so this is sent once per minute. Uh and uh the mode intensity data uh which is the pattern that you're in and how strong it is is a real time event. And so the manufacturer is currently collecting real time data on uh how all of their customers are using their devices. Um so if you're using this specific device what are the things you can do to avoid this?
You can use it as a dumb vibe. It has one control button on it. You can use the remote control which isn't sending data. You can use the app if you're not connected to the internet in any way. Um even if you're if you're communicating using that device with a partner over the internet it's automatically sending data. But even if you're not doing that if you are connected to the internet it is sending data. Or you can block access using a firewall. Um or you can use this. This tool that we've made uh using Web Bluetooth we've made the Weevil Connect which has basic functionality to use the vibe directly from your Chrome browser on your phone. And so you can either use a hosted version of Weevil Connect or you can uh also run it locally. And all Web Bluetooth connections have to be over an SSL connection. Uh and so we can't promise you that we're not doing something nefarious but you can at least check out the code and see. But this is uh that's approaching the solution from the tech side. So in light of the technological end um we're also wanting to approach it from uh the wider uh societal end as well. Uh and so in light of that we're announcing the Private Play Accord. And so the goal with the Private Play Accord is to protect the privacy of people who are using devices like these. Uh we want to promote transparency from the manufacturers about the data that they can collect so that people can make informed buying choices. And that the manufacturers that do treat um the privacy and security of their devices, of people's intimate data seriously, people can choose to uh to to make those uh purchase choices with that knowledge. Uh so at the moment we've just recently contacted manufacturers and we have um some questions we're gonna ask there. And we're gonna have that on the website that we're gonna host for that. And uh along with that we've come up with a draft rating system for particular products. Um where you can get an at a glance view of uh of their approach.
Whether they collect data or not. Whether it's opt in or not. And you can help by using some of the tools and techniques we're gonna use later by investigating other devices and um reporting your findings on on that data that they find. Uh okay so that's the implications. Now how did we get there? What did we do to reverse engineer this? So these are some of the things we did. Tools we used that you can use too. And of course the Weevil tools that we made. Uh go first. What about people sitting in the audience who say I don't know anything about reverse engineering I could never do this. Well that's fine cause I didn't know anything about reverse engineering. Um there's a lot of basically there's just a lot of playing with things looking around seeing what you can find. A lot of things we just stumbled onto by accident. So yeah curiosity is is definitely your most useful uh tool when it comes to reverse engineering. So we generally start with one with three questions. Uh what does the device do? How does it do it? And then how can we control it once we know that information? Um so again this is the WeVibe 4 Plus. We have the hardware for this. But you don't actually need the hardware of a device to do internet of things reverse engineering. You can do a whole lot from what's already on the internet. Uh so this is the We-Connect. This is their mobile app that comes with it that you can control your device from. So when you're uh connected with a partner. Um there's a Bluetooth link between the vibe and your phone. Uh interestingly enough there's not uh a lot of reliability in um Bluetooth LE connections in these devices. Because it turns out that humans make excellent Faraday cages. So you have uh connections from the phone going to the uh server from the manufacturer. And then back out to the phone of your partner. And the finding the statistics uh API information which was what's reporting back the temperature and other information.
We found using uh an MITM proxy uh tool. Uh which performs and enables you to have a man in the middle uh view between the app and the uh the backend server. Uh now if you're familiar with Pokemon Go. Uh they had the same issue that this manufacturer has. Which they didn't implement certificate pinning. And if they had then that would have made it uh more difficult to impersonate the backend server. Alright so the first approach we can take is hardware. The uh any device that's sold in the US that uh transmits uh radio frequency uh is required to be registered with the FCC. To be sold in other jurisdictions, other um certification boards are there. And part of the process is you have to submit a bunch of documents. Uh describing how your device works. And it includes uh internal photographs. Which sometimes are really terrible and sometimes uh actually quite useful. So the one on the, the one on the right is the board from inside the vibe. And the one on the left is from inside the remote. And so from looking at this we discovered they use a Texas Instruments chip. Uh and it's a really old architecture 8051. Which is often used in uh really cheap uh control situations. And then they have a Bluetooth stack uh associated with that. Um the uh compiler that you need to use uh is a mere $3,000. Uh although there is some uh effort uh with SDCC to support the Bluetooth stack uh and the chip. Uh there is some evidence that there is the potential for over the air firmware updates. Because there's strings in the app about it. Uh but there was no functionality that we identified in the app that could perform over the air updates at this stage. Of course the FCC doesn't uh show and share every document they receive to the public. It's possible for a manufacturer to say hey we'd like you to keep this uh confidential. Um but sometimes the FCC makes mistakes.
Uh and so we discovered that in a later model uh the certification, the request to keep this document confidential somehow slipped through. So if you're looking at a device definitely check out the FCC site for the documents you're supposed to have. And sometimes you might get a bonus too. Oh yeah and don't do drugs because if you have a drug conviction uh FCC certification is considered a federal benefit and so you can't get a certification. Okay what else can you do without actually having the device? You can look on the internet at other people who have taken apart your very expensive device so you don't have to. Uh this is a Reddit account associated with another manufacturer who do really interesting teardowns of adult toys. Um and you can see the two motors and the board and the battery in there. Uh and this is our remote. It was more digital. It was disposable. So we took that apart and had a look inside. Uh so we know now from the chip and from the specifications that this device is controlled with Bluetooth Low Energy or Bluetooth Smart. Uh so how can we communicate with that? Uh the great thing about Bluetooth Low Energy is that it's a set of standard profiles. So we can and that means that we can interact with the device through in in standard ways by interacting with the standard profiles. So we have each uh peripheral device. So the um central is your mobile device and the remote. Each peripheral device. Each device has a series of services. Um some are standard like battery level but some uh specified by the person making it. And within those you have characteristics which you can use to read or write to the device. Um so we used an app called Nordic Connect. So we this is just on our mobile device. We didn't have any extra hardware or anything. We can open it up connect. And this is the WeVibe 4 Plus which for some inexplicable reason is named Cougar. Yes all of them. Um but none of the other devices just the 4 Plus for some reason.
Um so we find here at the bottom some generic services and then at the bottom an unknown service which then you can see has two unknown characteristics. Um we find out later that one of them is the control and one of them is the status characteristic. Hey Goldfisk we should like try sending some data to that uh device now that we know the service and characteristics. But how will we know what data to send? I don't know. That's really weird. We could I mean we could just send random data. But that would take a very long time. Um so what we can do we can take uh well either you can use man in the middle to find out what your device is sending. Or you can use Android logs to um find out what's being sent over the oh no sorry Bluetooth sniffing. To find out what's being sent between either the remote and the device or your mobile thing and the device. Um or there's some Android logging functionality seeing what's being sent. But the approach that we took was getting the APK which is the format that Android apps are distributed in. We're just looking at Android. Um so you can get that and decompile that and have a look at what's inside. Uh so this is what we found. Sync pulse command has an integer array. That looks suspiciously like something we could send over Bluetooth. And if we send it over Bluetooth what happens? It probably vibrates three times. So this is awesome because we know we've communicated with the device in a functional way. We've actually talked to it and told it to do what we want. Now we just have to figure out how to do how can we do that better and how can we do interesting things with that. So it turned out that uh the data that's transmitted is always eight bytes long. Uh and the first uh byte determines what the command is. And so there's a variety of different commands uh that the vibe obeys. Now obviously we could stick with using a generic app. And the Nordic app is pretty cool. It allows you to save values to send and stuff like that.
But we also wanted to create uh some software that would run uh on on a desktop machine. So we discovered that Node has the best uh Bluetooth LE support. Um I guess it's the new hotness or something. So we used uh a library called Noble for controlling the device. Uh and there's another library called Bleno with which you can impersonate the device. So you can conduct simulate the device on your um on your laptop and connect to it with the mobile device. Or for the remote it's slightly different. There's some things going on there but you can connect to it and it thinks it's the device. So that meant that we could uh have a connection with the app. And then every time we pressed a button or used some functionality in the app, it would send the data to what it thought was the device. And then we could see uh what the device uh was expecting to receive. So we could then send that ourselves. Um so that was great. And we got some great things. We found out how to get the information like the temperature, the modes, the intensities. Um but we were like how can we make this better? How can we make this something you can have on your mobile device that has a user friendly interface? Uh so we went with Web Bluetooth. You don't need an app for it. It's just a um it's in development for Chrome. Um there's still. We're not quite sure around everything at the moment. Um but this is what we went for as a start for re-implementing the functionality ourselves. Without needing any of Standard Innovation's um software. And so Weevil Connect is uh part of a suite of tools. Uh the Weevil suite of tools. Uh which allows you to interact with um WeVibe devices. Um one. There was a really interesting uh or useful website. Uh which was a template generator for Web uh Bluetooth uh software devices. So you can basically say this is the service we want to interact with. This is the characteristic we want to uh interact with.
And it'll genera- uh generate a um a class which has all the boilerplate stuff. That you can then just say send this sequence of bytes to this characteristic. Uh now we learned some other things along the way. Which were uh the in- invitation. Oh okay. We learned about invitations. Um. They don't expire. There's weird stuff going on. They don't expire. Um. Other stuff. We will release. We're gonna release this. Um. For you to use. Lots of different things in there. Have a look. There's other cool things. Other cool things going on. Privateplayaccord.com. Find us at Ransom, Bacon and Goldfisk with a zero and a k. Um. Yeah. We'll put all that up. That'll be up in the next day or so. Uh. Thank you so much for having us here.