A connectable dildo suffers from numerous vulnerabilities that make it trivial for attackers to steal users’… well, “private” data.
The “Siime Eye,” which comes to us from Svakom, is aptly named in that it’s a $250-vibrator that for some reason comes with… a camera.
All a user needs to do is turn on the device, connect to its AP (SSID: “Siime Eye”) using the default password (“888888”), open the Android or iOS app, and “install” it. From there, they can view the livestream or take pictures and video.
Tantalizing, I know.
Turned on by other researchers’ work involving smart sex toys, Pen Test Partners decided to examine Siime Eye. They quickly found a hard-coded IP address that accepted blank admin credentials. An attacker can therefore easily access the device’s Wi-Fi AP, which is configured as an access point. The AP name is also static, meaning someone could technically geolocate other users via a wardriving site like wigle.net.
But that doesn’t come close to the worst of it.
With the help of some eBay clips, a BusPirate, flashrom, and a Stanley knife, Pen Test Partners dumped the dildo’s root Linux filesystem, exposed the contents of /etc/passwd, and wrote themselves in as a root user. They then grepped for “root” after poking around on /bin/camera, one of the filesystem’s binaries. This process revealed reecam4debug, the sex toy’s telnet password.
The researchers explain in a blog post what attackers could do with their exploit:
“In this case, overexposure of system services means we could write a rogue application, compel a user to connect our app to the device using the default credentials, and then use the already-inbuilt functionality to perform unsolicited actions on the device. If we could get a user to connect their device to their home Wi-Fi, we (or any website loaded within the user’s home network, in a JavaScript drive-by) could siphon all video data, Wi-Fi passwords, and a list of local networks off it and send it somewhere unsolicited.”
Bad actors could take it one step further. If they could gain physical access to a Siime Eye and access the AP, they could almost certainly establish a root shell and gain access to an unprotected version of the video stream.
It’s bad enough there are IoT products our there that threaten our kids’ privacy.
But this device rests on a whole other level of insecurity. Users should therefore think long and hard (pun intended) about whether they want to keep using Siime Eye.
If the device is indispensable, they should change the Wi-Fi password to something complex. They can also try to contact Svakom, but as Pen Test Partners didn’t receive a response after three separate messages, that might be an unfulfillable fantasy.
You can hear further discussion about this latest example of IoT security insanity in the “Smashing Security” podcast, hosted by Graham Cluley and Carole Theriault.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey, Graham. Hi, Crow.
Have you ever been to the darkweb?
Crow, what kind of question is that? If I've ever been to the darkweb, it's because I wanted to keep things on the QT, on the quiet, right?
I certainly wouldn't want to share that kind of information with you, would I? Let's be honest.
I certainly wouldn't want to share that kind of information with you, would I? Let's be honest.
Sheesh. Well, how does someone like me find out about the darkweb then?
Oh, well, if you want to know what's going on out there, you need a firm like Recorded Future.
They are scouring both the regular web and the darkweb using sophisticated technology, finding out all about emerging threats.
And you can sign up to their daily newsletter and get the latest insights at recordedfuture.com/intel.
They are scouring both the regular web and the darkweb using sophisticated technology, finding out all about emerging threats.
And you can sign up to their daily newsletter and get the latest insights at recordedfuture.com/intel.
Sounds great. Thanks.
Smashing Security, Episode 15: Bad Vibrations with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, episode 15 for the 6th of April 2017. And as always, I'm joined by my buddy Carole Theriault. Hello, Carole.
Hello, hello, and welcome to another episode of Smashing Security, episode 15 for the 6th of April 2017. And as always, I'm joined by my buddy Carole Theriault. Hello, Carole.
Hello, Graham.
And we're also joined this week by a special guest, John Hawes. Hello, John. Hello. Now, John, for those who don't know you, you used to be very high up in Virus Bulletin, didn't you?
And now I believe you represent the Anti-Malware Testing Standards Organization, AMTSO.
And now I believe you represent the Anti-Malware Testing Standards Organization, AMTSO.
That's right.
That's right. It's quite a mouthful. Anti-Malware Testing Standards Organization. What on earth does AMTSO do?
Well, we basically bring together the people who test anti-malware products and the people who make anti-malware products and other people that are interested in that kind of thing.
And we talk about testing and we try to come up with better, more reliable, more accurate ways of testing things.
And we're currently in the process of putting together the first set of official standards for anti-malware testing.
And we talk about testing and we try to come up with better, more reliable, more accurate ways of testing things.
And we're currently in the process of putting together the first set of official standards for anti-malware testing.
You mean there's no standards yet in antivirus and anti-malware?
As of 2016, there are no standards.
Wow.
It's 2017, John.
I know.
Oh, that was my bad.
That was my bad.
2017.
Oh my God.
Don't worry, it's only been 4 months.
Well, John, if you're working there, maybe you can sort this out because we need some standards for testing. Anti-malware products, I think.
How long have anti-malware products been around? Almost 30 years or so, isn't it?
How long have anti-malware products been around? Almost 30 years or so, isn't it?
Oh, I expect so, at least, yes.
There have been plenty of bad reviews during that time, haven't there, which have been sort of incompetently done, and people have got poor results and not pointed in the right direction as a result.
Exactly.
That's the problem, is that if a test isn't done well and the results from it are not useful to anybody, you know, they're misleading the consumers and they're also misleading the people that are making products.
They're not going to be able to fix problems that they don't have any information about.
That's the problem, is that if a test isn't done well and the results from it are not useful to anybody, you know, they're misleading the consumers and they're also misleading the people that are making products.
They're not going to be able to fix problems that they don't have any information about.
Of course.
Right.
Well, what we try to do is we look back over the last week in computer security and some of the stories which have tickled us, some of the ones which have caught our interest, we have a little chat about those.
So I've got a rather interesting one to begin with. Oh God.
Well, what we try to do is we look back over the last week in computer security and some of the stories which have tickled us, some of the ones which have caught our interest, we have a little chat about those.
So I've got a rather interesting one to begin with. Oh God.
Oh God. I know that voice.
What?
Oh God.
Do you? Yeah, or should I say dill-do-you? Because is that how you pronounce it?
Are you talking about dildos?
Wait, you were the first one to mention them. I wasn't going to discuss teledildonics quite so brazenly, but now, okay, let's talk about the elephant in the room.
We are talking about — is that a trunk? John, John, John, Carole, please, both of you behave because this is a serious topic.
And for some years, some of the world's leading boffins and scientists have been working on the area of teledildonics.
And what they are interested in doing is connecting sex toys to each other via the internet or to their, I don't know, to participate in parties, I imagine.
And you can probably tell where this is heading because the danger is, of course, that people will be connecting sex toys to the internet which are vulnerable and have flaws and exploits which hackers could exploit.
And there is a group of penetration testers called Pentest Partners, a guy called Ken Monroe—
We are talking about — is that a trunk? John, John, John, Carole, please, both of you behave because this is a serious topic.
And for some years, some of the world's leading boffins and scientists have been working on the area of teledildonics.
And what they are interested in doing is connecting sex toys to each other via the internet or to their, I don't know, to participate in parties, I imagine.
And you can probably tell where this is heading because the danger is, of course, that people will be connecting sex toys to the internet which are vulnerable and have flaws and exploits which hackers could exploit.
And there is a group of penetration testers called Pentest Partners, a guy called Ken Monroe—
You see, everything sounds like a euphemism now.
Oh, what, pentest? Well, they have looked at a device from, can you believe it, Scandinavia? It must be those cold winters. A device called the Siime. I think it's from Finland.
The Siime Eye. S-I-I-M-E Eye, as in eye in your head. You sure it's not See Me? Oh, See Me.
The Siime Eye. S-I-I-M-E Eye, as in eye in your head. You sure it's not See Me? Oh, See Me.
It does look a lot like slime.
It does look like slime, doesn't it, in some fonts? I think you're right, John. It's probably the See Me. So it's See, rather like the Nintendo Wii. And then me. Oh yeah. So see me.
The name makes a bit more sense, doesn't it?
And it does from what I was saying. And it comes from a company called SVAKOM and SVAKOM are selling a — this device is a $250. How can I put this discreetly? Yes, quite exactly.
That brings tears to your eyes, doesn't it? $250 vibrator that for some reason or another comes with a camera.
That brings tears to your eyes, doesn't it? $250 vibrator that for some reason or another comes with a camera.
That's just weird.
Like camera on the vibrator or like connected to?
Oh, Carole, how innocent you are. The camera is on, let's put it as the business end of the vibrator.
No way.
Yeah.
Does it have a torch? Does it have some kind of lighting?
You know, I was wondering the same.
I was thinking you want to check for teeth or something, right?
Is it infrared or something? You know, I mean, it does seem — I mean, what would you be able to see? I have no idea. You wouldn't be able to see anything, would you?
I don't think so. If you were able to see something, that would suggest some kind of medical emergency, I would imagine. If there was light in there, I don't know.
I don't think so. If you were able to see something, that would suggest some kind of medical emergency, I would imagine. If there was light in there, I don't know.
Luminous interior.
Now, it doesn't just stop there because it doesn't just have a camera. And by the way, this is a video camera. It's not just for taking snaps. It's also a Wi-Fi access point.
It sounds like a medical device right now to me.
It sounds like an endoscopy. Is that what they — endoscope, is that right? Which you use to investigate places.
Well, they definitely have a light on.
Yeah.
Right. John, I'm so glad you're here. You've clearly got expertise in this.
Now, these devices come with a standard access point SSID, which is SeeMeEye, and they have a default password, of course, all the 8s.
Just type in lots of 8s, and you can access it via the associated Android or iOS app. And once you've done that, you can view the live stream.
I don't know if you can actually send it straight to Facebook or whatever. I know it sounds quite tantalizing, doesn't it?
But you have to ask yourself, you know, why would you want one of these?
And what's more, as well as the camera itself, as well as it being a Wi-Fi access point, why would you also want that vibrator to contain hidden functionality to connect itself to Skype?
Now, these devices come with a standard access point SSID, which is SeeMeEye, and they have a default password, of course, all the 8s.
Just type in lots of 8s, and you can access it via the associated Android or iOS app. And once you've done that, you can view the live stream.
I don't know if you can actually send it straight to Facebook or whatever. I know it sounds quite tantalizing, doesn't it?
But you have to ask yourself, you know, why would you want one of these?
And what's more, as well as the camera itself, as well as it being a Wi-Fi access point, why would you also want that vibrator to contain hidden functionality to connect itself to Skype?
Oh my gosh.
Or to automate sending videos.
You know what, okay, no, no, no, I know, okay, I have definitely heard of people who, you know, are couples or whatever, they live far away from each other and they want to get their rocks off while they're in different places.
So I just don't understand— I still don't understand why there's a camera at the end of the device.
And maybe I don't understand this properly, though that just sounds like a medical—
So I just don't understand— I still don't understand why there's a camera at the end of the device.
And maybe I don't understand this properly, though that just sounds like a medical—
Yeah, you might want to get your rocks off. But I mean, there are rocks and there are rocks, aren't there? I mean, it's—
What, do you think phone sex is safer? What are you advising? What are you advising for people?
I don't, I don't know. I don't know what your partner's like, right? But would they be able to tell the difference really between the— oh no, I don't know.
Why are we even discussing this?
Anyway, look, the point is that the Internet of Things has had yet another massive fail where people are putting devices on the internet which are insecure, which can be remotely hacked.
In fact, Pentest Partners, who looked at this particular device, by the way, they must have the most fun job in the world.
They're looking up the perviest gear which is internet-enabled and working out how they can— Fun job?
Why are we even discussing this?
Anyway, look, the point is that the Internet of Things has had yet another massive fail where people are putting devices on the internet which are insecure, which can be remotely hacked.
In fact, Pentest Partners, who looked at this particular device, by the way, they must have the most fun job in the world.
They're looking up the perviest gear which is internet-enabled and working out how they can— Fun job?
That's like the worst job.
Can you imagine? They are loving it.
Believe me, they are loving it because they were even working out that because the access point name is static, you know, basically if you look on your phone and you see SeeMeEye in your vicinity, you know somebody's up to— Right?
You know that that's going on. And if you via a war driving site, you may even be able to work out where they actually are and technically geolocate other users of this device.
But, you know, what's happening is this: plenty of devices are being made, they're internet-enabled, the security is a joke, and privacy is being put at risk.
People can spy upon you. Now, whether this is something which would alarm you if you're using such a device or not, I don't know. But frankly, what is happening to the world?
And can I get off? It's horrendous. And when do we need some kind of legislation? Do we need a testing standards organization to test internet? John, forget anti-malware.
Maybe you should be looking at IoT and particular devices.
Believe me, they are loving it because they were even working out that because the access point name is static, you know, basically if you look on your phone and you see SeeMeEye in your vicinity, you know somebody's up to— Right?
You know that that's going on. And if you via a war driving site, you may even be able to work out where they actually are and technically geolocate other users of this device.
But, you know, what's happening is this: plenty of devices are being made, they're internet-enabled, the security is a joke, and privacy is being put at risk.
People can spy upon you. Now, whether this is something which would alarm you if you're using such a device or not, I don't know. But frankly, what is happening to the world?
And can I get off? It's horrendous. And when do we need some kind of legislation? Do we need a testing standards organization to test internet? John, forget anti-malware.
Maybe you should be looking at IoT and particular devices.
I don't know. I think we might get there fairly soon. Definitely something that needs doing, isn't it?
Come again, John. Okay.
God, innuendo central.
Maybe we should move on. But anyway, I think to the listeners of Smashing Security, we would say beware, beware. Yeah.
Keep your legs crossed.
Yeah. John, what have you seen this week?
Well, I'm kind of very much in the same region in the internet of things. Maybe a slightly cleaner spin on it.
You mentioned actually in your bit there, you said you can connect using your iOS or Android app.
Everybody knows that those are the two options really when it comes to smartphones, at least. You're either Apple or you're Google.
You mentioned actually in your bit there, you said you can connect using your iOS or Android app.
Everybody knows that those are the two options really when it comes to smartphones, at least. You're either Apple or you're Google.
Yeah.
In terms of the operating system that they're running on, but in terms of the hardware, for most people it's either Apple or it's Samsung.
Yeah, right.
And there's a bit of a disconnect there. Samsung, they want to be like Apple. They want to be the world-straddling giant.
Yeah.
But they're reliant on Google for their operating system.
And that must gall them a lot, mustn't it?
I'm sure it does. And for quite a long time, they've been working on an alternative operating system called Tizen.
Which not a huge number of people know about, but it's been in development for five or six years at least.
Which not a huge number of people know about, but it's been in development for five or six years at least.
Mm-hmm.
And it's kind of evolved from some previous projects. It's kind of like Android.
It's based on Linux and it's part of this big long project that's part of the Linux Foundation, but it's backed by various companies that are involved in—
It's based on Linux and it's part of this big long project that's part of the Linux Foundation, but it's backed by various companies that are involved in—
So it's a big deal.
The mobile phone world, but especially Samsung.
It's a huge deal for Samsung because I think they're basically betting on it being their future and replacing their reliance on Android.
It's a huge deal for Samsung because I think they're basically betting on it being their future and replacing their reliance on Android.
So I'm guessing it's really, really good.
Well, that's the thing.
Oh no, I didn't mean to lead you in there.
There's an Israeli — this is why it was in the news this week, was that an Israeli researcher called Amihai Neiderman. He had a look at it and he found it was pretty terrible.
He called it a hacker's dream.
He called it a hacker's dream.
He said it was maybe the worst code I've ever seen.
Wow.
He found 40 separate zero-day vulnerabilities. A lot of them were buffer overflows.
One of them was in the Tizen Store app, which is their app store, which basically gives you complete control over the entire device.
One of them was in the Tizen Store app, which is their app store, which basically gives you complete control over the entire device.
And also found various incidents of sloppy encryption implementation.
So some of the data that was being sent from devices was not encrypted properly and some of it was, some of it wasn't. It was just a bit of a mess really.
So some of the data that was being sent from devices was not encrypted properly and some of it was, some of it wasn't. It was just a bit of a mess really.
What you're suggesting, John, is actually they could probably replace Android with this and hardly anybody would notice.
Well, yes, that's maybe true. But I think the part of the issue here is that, so the idea of this is not just that it's just going to be a smartphone device.
Right.
It's intended for all kinds of different devices. So they said on the project website, it's for wearables and consumer electronics, cars, appliances.
Hey, maybe dildos will get it as well.
Oh, please.
Potentially. Yeah. So it's already in use in, so Samsung uses it in most of their Gear watches, their TVs.
Apparently there's 30 million TVs are running it. It's got some use on phones. So there's mainly in India and Asia, Africa countries.
There's a few kind of budget smartphones that are running it, but we can expect to see it on a lot more. And yeah, it's basically not very good.
Lots of consumers are already using Tizen and are probably completely unaware that they're using this operating system, aren't they?
Yeah, well, that's a big part of the problem. I think that a lot of these things that are connected to the Internet of Things, they don't really say how they've gone about doing it.
I think there's obviously a lot of — I mean, it's a, to me, it seems like a good idea to have a dedicated operating system like this that all lots of different people can use.
Cause you know, it's good to have a bit of convergence, but you need a bit of diversity too.
I think at the moment, the situation is that somebody who makes dishwashers or microwaves suddenly decides, oh, we need to be part of the Internet of Things.
So we'll just slap some stuff in there and make it online. And that's not really their area of expertise.
So it would be good to have somebody that was making something that these people could use.
I think there's obviously a lot of — I mean, it's a, to me, it seems like a good idea to have a dedicated operating system like this that all lots of different people can use.
Cause you know, it's good to have a bit of convergence, but you need a bit of diversity too.
I think at the moment, the situation is that somebody who makes dishwashers or microwaves suddenly decides, oh, we need to be part of the Internet of Things.
So we'll just slap some stuff in there and make it online. And that's not really their area of expertise.
So it would be good to have somebody that was making something that these people could use.
Absolutely. I mean, that would be terrific, wouldn't it? Because lots of people are trying to write their own with no experience of security whatsoever.
So if they get something off the shelf from, for instance, Samsung, then that sounds sensible.
But of course, if you converge to all use the same code, it better be bloody good code, which is secure.
So if they get something off the shelf from, for instance, Samsung, then that sounds sensible.
But of course, if you converge to all use the same code, it better be bloody good code, which is secure.
Yes.
Yeah.
And this isn't—
Yeah.
And it's shocking though, because if they've been building this, if they've been building it during the era that cybersecurity has been a pretty big deal when it comes to, you know, online stuff.
So how they've missed, you know.
So how they've missed, you know.
Yeah.
Well, that's another part of it actually, that I think a lot of people when this story came out that he'd found this huge long list of issues, I think people were assuming that a lot of it was the older stuff that had been inherited from these earlier projects.
Well, that's another part of it actually, that I think a lot of people when this story came out that he'd found this huge long list of issues, I think people were assuming that a lot of it was the older stuff that had been inherited from these earlier projects.
Yeah.
But apparently most of it is in stuff that's been written in the last two years.
Geez, that's so embarrassing.
Probably people at Samsung.
So one last question is, is it all Samsung branded equipment or are they kind of selling the code? They selling the operating system?
Well, it's Samsung. Samsung is kind of the main driver behind the project, but there's lots of other companies that are involved in it. So presumably they're using it too.
Yeah.
But again, as Graham was saying, there's very little information on, you know, when you go and buy a device, it doesn't say on it, this runs Tizen or this runs embedded Android or whatever.
And maybe it would be nice if devices did have— do you remember you used to get those? I mean, we still do. We get those stickers which said Intel inside.
It's like, woohoo, you know, that's—
It's like, woohoo, you know, that's—
There's also things called readmes though, that you might be able to get a bit more information.
Yes. But I mean, but that's after you've bought it, isn't it? I mean, it might be nice when it's on the shelf to say, oh, that's an Android, that's Tizen, that's iOS.
So I guess that's the advice to our listeners is you could ask if it's Tizen. You can ask if it's running Tizen. Not that you'd necessarily trust the sales guy, but— oh yeah.
Oh, he's going to think you're talking about Tizen or something, isn't he? He's not going to know what you're talking about.
Oh, yeah, because they're all idiots, right, Graham?
No, they're not that they're all idiots. I'm not saying they're all idiots. All I'm saying is that, I mean, I'd never heard about Tizen until a couple of weeks ago, you know.
Have you?
Have you?
No, I hadn't heard about it till two days ago. So I'm—
Well, I'd heard about it a few years ago, but very much in the same kind of context, in the kind of, oh, there's some big security holes here that they need to fix before they start using it.
But obviously that's not really been picked up yet.
But obviously that's not really been picked up yet.
Cool story though.
Well, well done to that researcher for revealing these problems.
I hope Samsung will fix these problems quickly, and I hope that they'll get some decent penetration testing done and vulnerability researchers looking at the code to make sure that it's— if they're really going to push forward with it, that they make it much more secure in the future.
I hope Samsung will fix these problems quickly, and I hope that they'll get some decent penetration testing done and vulnerability researchers looking at the code to make sure that it's— if they're really going to push forward with it, that they make it much more secure in the future.
Do you know that if he— does he put any limits on like, has he disclosed how he's done it or has he kind of put a deadline as to how long Samsung has to fix these before he releases them?
I seem— I read somewhere that he had tried to get in touch with Samsung and they'd pretty much blanked him.
And so that's the worst.
But then eventually kind of when they realized that he was going public with all this stuff, they turned around and did the standard, you know, we treat security very seriously kind of thing.
You know, I would suggest to researchers, if you're not getting any joy from the security department, and I think most security departments and most companies are pretty good at responding to these things, but if you're not getting any success, contact their public relations department, contact their PR team and say, "Hello, I'm going to be writing about this soon, and I'm going to be telling security bloggers about this soon, so could you perhaps maybe ask your security team to get back to me?" And maybe just apply a little bit of pressure like that.
And wouldn't it be nice if websites and companies actually had a place on their website where people could report security concerns to them directly?
You know, like you'd have a specialized, you know, just an address, just a form, but we know it's going to the right place and going under the right eyes.
Because I assume that's what's happening, right? The person who's actually opening that email doesn't really understand it and just lets it drop.
You know, like you'd have a specialized, you know, just an address, just a form, but we know it's going to the right place and going under the right eyes.
Because I assume that's what's happening, right? The person who's actually opening that email doesn't really understand it and just lets it drop.
Maybe.
Well, this is another argument for having this kind of centralized ubiquitous platforms that people can use is that if you are, if you're a maker of toasters, you probably don't have a bug bounty program.
Well, this is another argument for having this kind of centralized ubiquitous platforms that people can use is that if you are, if you're a maker of toasters, you probably don't have a bug bounty program.
Yeah. Yeah, good point.
Thank you, John.
You're welcome.
Oh, Carole, what have you got for us this week?
More rise of the machine stuff here. So, okay, let's cast our minds back.
We all worked together at a time, long time ago, and you guys will remember that we had cards that we had to swipe to get in and out of the building, to buy lunches, to attend events, that sort of stuff.
And do you remember when you'd forget your card or you'd put it through the laundry or you dropped it in your car and you couldn't find it?
And then it was a big deal because you'd have to try and get a temporary card, but there was never enough temporary cards, so then HR would have to run around and make you a new card, or you wouldn't have a card at all and wear this big kind of thing around your neck to say you're an idiot.
And I know what, I've— some companies even charge you now for losing your card, so that's also a big pain. Thank God I'm not having to wear those.
Anyway, so this is all big pain in the butt, but was it painful enough, gents?
We all worked together at a time, long time ago, and you guys will remember that we had cards that we had to swipe to get in and out of the building, to buy lunches, to attend events, that sort of stuff.
And do you remember when you'd forget your card or you'd put it through the laundry or you dropped it in your car and you couldn't find it?
And then it was a big deal because you'd have to try and get a temporary card, but there was never enough temporary cards, so then HR would have to run around and make you a new card, or you wouldn't have a card at all and wear this big kind of thing around your neck to say you're an idiot.
And I know what, I've— some companies even charge you now for losing your card, so that's also a big pain. Thank God I'm not having to wear those.
Anyway, so this is all big pain in the butt, but was it painful enough, gents?
Yes.
For you to consider implanting a corporate microchip into your body?
What?
Yes, yes.
Into what part of my body?
Well, right now it's in your hand. Let me tell you, there's a company in Sweden called Epicenter.
Now they offer to implant its stuff with NFC, so that's near-field communication microchips, right? It's the same kind of things you have in your credit card.
And it basically is there to transfer small amounts of data between it and other chips, okay?
So this is gonna be sharing information you wanna purchase your lunch or you wanna get in and out of the building or into a certain area of the building.
Now, the chips are about the size of a ping pong— no, I'm kidding. I'm kidding, I'm kidding.
They're the size of a grain of rice, and they are injected with a syringe into the fleshy part of your hand right next to your thumb. I bet you it does feel like a ping pong.
Seriously, it's a grain of rice.
Now they offer to implant its stuff with NFC, so that's near-field communication microchips, right? It's the same kind of things you have in your credit card.
And it basically is there to transfer small amounts of data between it and other chips, okay?
So this is gonna be sharing information you wanna purchase your lunch or you wanna get in and out of the building or into a certain area of the building.
Now, the chips are about the size of a ping pong— no, I'm kidding. I'm kidding, I'm kidding.
They're the size of a grain of rice, and they are injected with a syringe into the fleshy part of your hand right next to your thumb. I bet you it does feel like a ping pong.
Seriously, it's a grain of rice.
This is a bit tagging your dog or your cat or something.
Exactly, exactly.
Right.
Same thing, yeah.
They never complain about it, do they, actually? Let's be honest.
I think they're put asleep to do that.
Are they?
So they wouldn't, yeah, I don't think these staff are. Now, okay, there's 2,000 people roughly that work at Epicenter, and 7.5%, 150 workers have said yes to this.
Okay, and Epicenter hold monthly events where attendees can receive the implant.
Okay, and Epicenter hold monthly events where attendees can receive the implant.
So what's the alternative, that they just keep carrying a card?
Yes.
Now I can, I imagine just, okay, let's just think about this for a second, right? Let's just think about this. Let's just think about the privacy aspect of this.
So what is the chip collecting? My location, what I buy, where I go, when does it turn off? How big is the field of monitoring? Think of, you know, what about after hours?
What about security? You know, it's of course it's gonna be completely unhackable and no one will ever hack NFC and that's never happened before. And what about unfair dismissal?
All the information is on this, and all of us have it, you know, some kind of grayer bits, you know, where we may have left work early one day and not got clearance or one of these things.
And now this could be used by companies to kind of go, oh, look, you left early on Wednesday and we have no record of you getting—
So what is the chip collecting? My location, what I buy, where I go, when does it turn off? How big is the field of monitoring? Think of, you know, what about after hours?
What about security? You know, it's of course it's gonna be completely unhackable and no one will ever hack NFC and that's never happened before. And what about unfair dismissal?
All the information is on this, and all of us have it, you know, some kind of grayer bits, you know, where we may have left work early one day and not got clearance or one of these things.
And now this could be used by companies to kind of go, oh, look, you left early on Wednesday and we have no record of you getting—
But you could do that with a card as well. They could tell with a card if you left early. That doesn't make any difference from that.
Or if you had 3 lunches.
And if you did leave the organization, presumably what they do is they simply mark on their database that Chip number 23 is no longer an employee. Yeah, but it's not—
Yeah, but you remember I used to take your card when I didn't want to actually pay for coffee?
Yes, I do remember. You regularly stole from me. Yes, you stole. You stole money. Thank you for now admitting that.
Yes, you did. So now I'd have to grab your hand and put it past the checkpoint.
That's right.
That's much more secure.
But what would happen if— I mean, what would happen if you had one, so you worked at Epicenter and then you went to go and work for, I don't know, OppiCenter or some other company, which all said, oh, well, we've got a chip as well.
Do you end up with lots of chips in your hand? Yeah, do they reprogram the chip?
I just think it's, why don't they just put barcodes on our foreheads with our number, our citizen number, and just scan us on the way in?
Why don't they just do that rather than putting chips in us?
Do you end up with lots of chips in your hand? Yeah, do they reprogram the chip?
I just think it's, why don't they just put barcodes on our foreheads with our number, our citizen number, and just scan us on the way in?
Why don't they just do that rather than putting chips in us?
I know, it's really, I find it, and apparently what's interesting is this was from the LA Times and they asked a few employees why they had agreed to do this and the response seems to be because I want to be part of the future.
Well, hello, you are part of the future. As long as you don't die right now, you're going to be there. You don't need to do this. I just think this is a bit insane.
Well, hello, you are part of the future. As long as you don't die right now, you're going to be there. You don't need to do this. I just think this is a bit insane.
People are dingbats, aren't they? Yeah.
And who's creating this? Like, think about John's story. We don't even know who's the actual creator of this little grain of rice microchip. And how do we know how safe it is anyway?
Well, hopefully it's been tested on animals.
Well, good. You know what, it's real. I'm really glad that we're starting to try that and the precedent's being set so that soon it will be mandatory for all office workers.
It's a real nice Pandora's box.
It's a real nice Pandora's box.
Well, the thing is, it's not just for offices, is it?
You know, we have cards that we use to get in and out of offices and to buy things in office canteens, but we also have cards that we get money out of machines with or pay for things in shops with.
So I would imagine in future these people probably want us to have a little grain of rice that identifies us whatever we were doing.
And we could use to do our shopping or to activate our phone or whatever, which is the future.
You know, we have cards that we use to get in and out of offices and to buy things in office canteens, but we also have cards that we get money out of machines with or pay for things in shops with.
So I would imagine in future these people probably want us to have a little grain of rice that identifies us whatever we were doing.
And we could use to do our shopping or to activate our phone or whatever, which is the future.
I'm thinking about the three topics which we've discussed so far on this podcast. We're real curmudgeons, aren't we? We sort of hate the future.
There we are saying, why do you need a vibrator with a camera on it, which is wireless as well?
Why does Samsung need to create this alternative operating system, which is full of vulnerabilities and why are they injecting chips into people?
Why can't we go back to the old days and all this?
There we are saying, why do you need a vibrator with a camera on it, which is wireless as well?
Why does Samsung need to create this alternative operating system, which is full of vulnerabilities and why are they injecting chips into people?
Why can't we go back to the old days and all this?
Do you know what? If we don't complain about these things, how do we expect people to make it better?
You know what, Carole? You are right. I completely agree. You convinced me. There's too much of this nonsense going on.
It seems that I would worry actually if I was working at Epicenter that there'd begin to be a little bit of peer pressure.
Oh yes, we have a monthly meeting where we try and convince more of our employees to have this. It's like, bugger off.
It seems that I would worry actually if I was working at Epicenter that there'd begin to be a little bit of peer pressure.
Oh yes, we have a monthly meeting where we try and convince more of our employees to have this. It's like, bugger off.
That sounds a bit weird.
Yep. And the other thing you guys, someone brought up earlier, the card idea that's the same as a card.
Well, you can leave your card at home and if you're trying to do something where you don't want to be monitored by your business, you can actually just leave the card behind.
Well, you can leave your card at home and if you're trying to do something where you don't want to be monitored by your business, you can actually just leave the card behind.
But that's the problem with using it as your identity is that it's detached from you. So someone can steal your card and pretend to be you or buy coffee and pretend to be you.
Whereas if it's embedded in you, it's part of your identity and no one can steal that from you.
Whereas if it's embedded in you, it's part of your identity and no one can steal that from you.
Well, let us know when you get yours implanted, John, and let us know how it feels.
Hey, if it stops Carole buying coffee on my card, then I think that for people, or indeed herself, then that's definitely a positive thing.
She would just gouge it out of your hand, you know.
I think you're right. Well, look guys, I think that just about wraps it up for today. Just a reminder to everybody, we're on iTunes.
Please subscribe to the podcast there, and then you won't miss any future episodes which come out.
And you can also subscribe on Google Play Music and Overcast and Stitcher and TuneIn and iHeartRadio, all kinds of other places too.
Please subscribe to the podcast there, and then you won't miss any future episodes which come out.
And you can also subscribe on Google Play Music and Overcast and Stitcher and TuneIn and iHeartRadio, all kinds of other places too.
And big thank you to Recorded Future. Remember, you can sign up to their cyber daily newsletter at recordedfuture.com/intel.
And that just about wraps it up. Thank you very much, John Hawes, for joining us. We appreciate it.
Thanks for having me.
Thank you, Carole Theriault, and thanks to you at home for listening in. If you like the show, tell your friends, maybe follow us on Twitter.
We're @SmashingSecurity, that's smashing without a G security. And until next time, bye-bye. Oh, you're just not going to say bye-bye.
We're @SmashingSecurity, that's smashing without a G security. And until next time, bye-bye. Oh, you're just not going to say bye-bye.
Bye! Cheerio then.
I don't think— I hate that on, you know, on University Challenge and everyone's like, bye-bye.
Bye-bye.
Bye-bye. See ya.
Do we really need Smart Dildoes?