'Your c**k is mine now' - Hacker hacks 'smart' chastity cage and demands $750 of BTC as ransom

[starry]

Just now, Radium_Angel said:

That's been my experience, obviously not the be-all-end-all answer.

 

If I were to give a reason, I would say its the trendy new thing.

Or something.

But your answer makes sense too. People want  to be lazy, they want automation, but that doesn't necessarily mean the automation the get is actually useful.

 

I will say that my significant other has a mental disability, and keeps expressing that having a voice assistant would help with poor short term memory, so maybe there is a use there. I am currently looking into getting them an open-source privacy focused one that doesnt have a subscription fee, but i might be looking for too much.

[Radium_Angel]

1 minute ago, starry said:

privacy focused one that doesnt have a subscription fee

Quite the trick as the very difinition of IoT seems to include "cloud!" which means passing data through....who knows where...

[starry]

6 minutes ago, Radium_Angel said:

Quite the trick as the very difinition of IoT seems to include "cloud!" which means passing data through....who knows where...

I was thinking that if someone wanted to, they could use the duckduckgo api to answer queries. And it would use a built-in clock for calendar stuff, and you could set it up with a server on the local network for music playback. It might make a cool project, to design such a thing for a raspberry pi. And you could set it up with any speakers you want so you dont need to use junky built-in ones. So far I cant find the kind of thing im looking for, but im looking nontheless. Might make it into a project if it truely doesnt exist.

[CarlBar]

4 hours ago, wkdpaul said:

To be fair, door locks still have physical ways to be opened in case something like this happens.

 

Plus, the issue isn't really the IoT 'trend', but rather the companies behind it not thinking about security first, having unsecured APIs like this really shows those companies don't care about security.

 

With everything slowly moving to cloud services, people need to get educated on this, and companies need to start paying attention to the security.

 

Unrelated but I just followed this thread, the memes are hilarious.

 

To be fair you only have to watch a few LockpickingLawyer videos on master-lock products to realise even some security companies don't care about actual security.

 

For the curious a General Channel Link.

 

And an example of him opening 11 different masterlock products with the same security flaw in less than 4 minutes.

 

 

[Blade of Grass]

34 minutes ago, starry said:

Is that really ithe only reason? I cant really imagine how an IoT device helps facilitate laziness. They all tend to have pretty useless features.

Obviously not the only reasons, there are definitely IoT devices that provide extreme convenience and benefits. For example, smart door locks are super convenient/can help improve some security issues:

1. Can give people "copies" of your keys without having to actually make a copy of the key, distribute, retrieve them, etc
   1. Much more secure too, since you can revoke it whenever you want, track it's usage, etc. Can't do that with a physical key
2. You can do stuff like unlock your door from your car, to help you from having to struggle with keys if you have full hands
3. Can't lock yourself out of your place, or at least its hard, since most people keep their phone on them all the time

Just to name a few benefits of one. 

[Sauron]

46 minutes ago, starry said:

Is that really ithe only reason? I cant really imagine how an IoT device helps facilitate laziness. They all tend to have pretty useless features.

It's also startup investment bait, just like "machine learning" or "blockchain". Your product may not need it but you'll sure get more money if you mention it.

 

Compare the sound of:

Quote

 

I want to sell an electronic chastity cage.

 

to

Quote

I want to develop an IOT chastity cage that uses the power of machine learning to stimulate your genitals in complete privacy thanks to groundbreaking blockchain technology!

 

As with these other examples there are some legitimate uses for these technologies but often it's just slapped on for marketing.

14 minutes ago, Blade of Grass said:

Much more secure too, since you can revoke it whenever you want, track it's usage, etc. Can't do that with a physical key

Bear in mind that if you can revoke or change it someone else might, too, with the right tools. Making a lock IOT just opens up more avenues of attack, even aside from cases of gross incompetence like this one. Convenient? Sure. Safer? Not really.

 

Most break-ins just use brute force though so it may not be a huge issue.

[Blade of Grass]

9 minutes ago, Sauron said:

Bear in mind that if you can revoke or change it someone else might, too, with the right tools. Making a lock IOT just opens up more avenues of attack, even aside from cases of gross incompetence like this one. Convenient? Sure. Safer? Not really.

 

Most break-ins just use brute force though so it may not be a huge issue.

Well it depends entirely on how they implement it, you can quite conceivably make that not possible if you do some smart cryptography. 

My point is more so that a well designed system does give benefits, not that all smart locks are necessarily that. The reason why people want IoT devices is for these benefits, they just happen to get caught up because of the incompetence in designs. 

 

And yeah, ultimately for stuff like this I think the security is fairly similar (besides some edge cases with stuff revolving around key re-use/copying which is harder, technically, to do with the smart lock), and just busting open the door is a much greater threat then some hi-tech targeted attack. 

[Mling]

I hope my wife doesn't discover this thing exists. I dont know how I would explain it to my other wife!

[Kisai]

3 minutes ago, Blade of Grass said:

Well it depends entirely on how they implement it, you can quite conceivably make that not possible if you do some smart cryptography. 

My point is more so that a well designed system does give benefits, not that all smart locks are necessarily that. The reason why people want IoT devices is for these benefits, they just happen to get caught up because of the incompetence in designs. 

 

And yeah, ultimately for stuff like this I think the security is fairly similar (besides some edge cases with stuff revolving around key re-use/copying which is harder, technically, to do with the smart lock), and just busting open the door is a much greater threat then some hi-tech targeted attack. 

Obligatory

https://xkcd.com/538/

 

 

In a perfect scenario, no device will be secured with just a physical key, nor just a digital key. You want both present to remove the lock, but only one to unlock/lock it.

 

Like the item in question, along with a plethora of other "interactive-via-the-internet" type of bedroom toys likely have no viable security on them because they're basically just a SoC with single-session web server running on them. No HTTP 2.0, No SSL. How the heck are you going to update a SSL certificate on one anyway. Or maybe it's even less complicated than that and just an open serial port, eg telnet. The batteries in these things likely don't even last more than a few hours.

 

It doesn't even need to be that kind of toy. Childrens toys typically have these problems as well, and because of the need to protect children more than adults, there's usually more scrutiny applied to childrens toys than adults toys. But it's ultimately the same problem. Mass manufactured toys that hopped on a marketing angle rather than a practical purpose.

 

I tried to buy a air purifier one day, half of them had IoT apps to go with them and the other half were the exact same unit, and in the back of my mind "yeah, I don't trust this to not set my apartment on fire."

 

[CarlBar]

20 minutes ago, Blade of Grass said:

Well it depends entirely on how they implement it, you can quite conceivably make that not possible if you do some smart cryptography. 

My point is more so that a well designed system does give benefits, not that all smart locks are necessarily that. The reason why people want IoT devices is for these benefits, they just happen to get caught up because of the incompetence in designs. 

 

And yeah, ultimately for stuff like this I think the security is fairly similar (besides some edge cases with stuff revolving around key re-use/copying which is harder, technically, to do with the smart lock), and just busting open the door is a much greater threat then some hi-tech targeted attack. 

 

Sadly as LPL, (and another channel i watch, BosnianBill), show the general rule of thumb is that the better the electronic portion of a smart lock, the worse the physical security, and vice versa. From memory i don't think I've seen either review one that wasn't complete usless junk in one way or another.the issue tends to be lack of institutional experiance in one of the fields, so they make very basic security error's, (for example smart locked items that can be disassembled whilst locked), that even Masterlock manages to avoid, (and thats a really low bar, they routinely make mistakes the Lockmakers knew to avoid over a 100 years ago and some actual 100+ year old locks are better than their offerings), but equally smart locks made by lock companies tend to have woefully bad electronics side components that are spoof-able in some way.

[Blade of Grass]

56 minutes ago, CarlBar said:

 

Sadly as LPL, (and another channel i watch, BosnianBill), show the general rule of thumb is that the better the electronic portion of a smart lock, the worse the physical security, and vice versa. From memory i don't think I've seen either review one that wasn't complete usless junk in one way or another.the issue tends to be lack of institutional experiance in one of the fields, so they make very basic security error's, (for example smart locked items that can be disassembled whilst locked), that even Masterlock manages to avoid, (and thats a really low bar, they routinely make mistakes the Lockmakers knew to avoid over a 100 years ago and some actual 100+ year old locks are better than their offerings), but equally smart locks made by lock companies tend to have woefully bad electronics side components that are spoof-able in some way.

He hasn't touched a lot of smart door locks, and the ones he's done have been random/cheap lower end models (none of them being IoT). The popular high end smart locks (like the Google Home/Apple HomeKit compatible ones) don't even have physical lock tumblers (keypad locks instead).

Some examples:

• Yale Assure
• August Smart Lock (replaces the back of your existing deadbolt)
• Nest X Yale 
• Schlage Camelot (has a keyhole)
• Kwikset Premise (has a keyhole)

I'd love for him to take a look at those locks, but I suspect they're outside of his range of expertise. 

[Heliian]

1 hour ago, CarlBar said:

 

To be fair you only have to watch a few LockpickingLawyer videos on master-lock products to realise even some security companies don't care about actual security.

 

For the curious a General Channel Link.

 

And an example of him opening 11 different masterlock products with the same security flaw in less than 4 minutes.

 

 

Enough with the lockpicking.  That guy is good and has the necessary tools so he can pick locks quickly with relative ease.  

 

You need to understand first that locks and security systems are impediments, not be all end all stops. 

[Dr_Whom]

2 minutes ago, Heliian said:

Enough with the lockpicking.  That guy is good and has the necessary tools so he can pick locks quickly with relative ease.  

 

You need to understand first that locks and security systems are impediments, not be all end all stops. 

Or as my dad always says "A lock is only there to keep an honest man honest".

[JZStudios]

6 hours ago, Windows7ge said:

So ye old maiden doesn't steal our precious seed.

Uhh... I guess I don't have that problem.

[Windows7ge]

1 hour ago, JZStudios said:

Uhh... I guess I don't have that problem.

Neither do I...

[soldier_ph]

Next up: Smart Butt Plug 

[Lii]

3 hours ago, soldier_ph said:

Next up: Smart Butt Plug 

they already exist

edit: I think I've misunderstood I'm sorry

[IkeaGnome]

5 hours ago, soldier_ph said:

Next up: Smart Butt Plug 

 

2 hours ago, Lii said:

they already exist

edit: I think I've misunderstood I'm sorry

They do exist.

https://gizmodo.com/buttplug-hacker-talks-security-consent-and-why-he-hac-1837252628

Saved that link for a year and a half just knowing it'd be relevant one day.