Kalashnikov unveils its “smart” shotgun, San Diego struggles with its street lights, and a researcher reveals how he found a way to hack every Tesla on the planet.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by David McClelland.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey everybody, it's that time again where we shout out to our favorite supporters, the Patreon supporters.
This week, special mention goes to Alex Amarth, John Morris, Phil, Timothy Prindle, Aisha Kenmori Bish, Azam Shad, Sriram Datar, Danielle Kromek, Simon Cook, and Christopher Bonney.
Now I think it is incredibly cool how diverse and international all our Patreon supporters sound. But I gotta say, I'm not seeing a lot of girl names.
God, I'd love to see a few girl names here. That said, I love you boys. I love you all. Thank you so much for supporting Smashing Security.
If you want to join this incredible club of people, check out our Patreon information and smashingsecurity.com/patreon. Okay, let's get this show on the road.
This week, special mention goes to Alex Amarth, John Morris, Phil, Timothy Prindle, Aisha Kenmori Bish, Azam Shad, Sriram Datar, Danielle Kromek, Simon Cook, and Christopher Bonney.
Now I think it is incredibly cool how diverse and international all our Patreon supporters sound. But I gotta say, I'm not seeing a lot of girl names.
God, I'd love to see a few girl names here. That said, I love you boys. I love you all. Thank you so much for supporting Smashing Security.
If you want to join this incredible club of people, check out our Patreon information and smashingsecurity.com/patreon. Okay, let's get this show on the road.
A couple of their reporters got hold of one of these guns, and they found that they could hack it remotely via Wi-Fi.
And what they were able to do was not only a denial of service attack against the rifle to prevent it from shooting, but they could even get it to deliberately miss its target.
So you'd have something in the aim, but the actual gun itself would fire slightly askew. They even managed to hit the target next to the one they were aiming for.
And what they were able to do was not only a denial of service attack against the rifle to prevent it from shooting, but they could even get it to deliberately miss its target.
So you'd have something in the aim, but the actual gun itself would fire slightly askew. They even managed to hit the target next to the one they were aiming for.
Maybe this existed in the time of JFK, and this is why we have no idea to this day of who actually shot him.
Maybe they were aiming for Jackie. Yeah. And they hit John instead.
No one would aim for Jackie.
Smashing Security, Episode 196: Smart Guns, Smart Cars, and Smart Streetlights. Oh my. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 196. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 196. My name's Graham Cluley.
And I'm Carole Theriault.
And we're joined this week by tech journalist and gadget guru, David McClelland.
Hello, David. Hello, Graham. Hello, Carole. Good to speak to you both.
David, so glad you're back.
Yay.
It's a big day today, day of recording, isn't it?
It is for people in the consumer technology industry because it is the day where Apple announces its brand new toys for the holidays season.
Although kind of exactly what they're going to announce is a little bit up for debate and we'll find out in a few hours' time as of the time of recording.
Although kind of exactly what they're going to announce is a little bit up for debate and we'll find out in a few hours' time as of the time of recording.
Yeah, so the funny thing here is that we put out the podcast at like, well, late night Wednesday UK time.
And by the time anyone listens to this, it'll be all over the tech websites. So what would be nice is, can you give us your predictions?
Then we can judge you next episode on your success. What do you think Cupertino is going to announce?
And by the time anyone listens to this, it'll be all over the tech websites. So what would be nice is, can you give us your predictions?
Then we can judge you next episode on your success. What do you think Cupertino is going to announce?
Name 3 things you think is going to be announced.
Yeah. Oh, you're putting me on the spot there, aren't you? Thanks for that.
So there's definitely, definitely, there's a very high confidence rate that there's going to be at least one new watch type device, probably a Series 6 Apple Watch of some description, and possibly a lower-end one as well.
I say lower-end, something to compete with the likes of Fitbit, you know, in the kind of like £100-£200-odd category. So something like that.
We also think there's going to be some new iPad announcements as well, but probably what may steal the headlines— and again, I'm saying this with the event being 4 hours away, and by the time this comes out, everyone will know whether I'm right or wrong already— but probably I think the big news will be what isn't announced.
We don't think the next iPhone is going to be announced yet.
Now, every year at this time of year, beginning of September, for the last goodness knows how many years, this has been the point at which Apple shows off its brand new smartphone.
But it already said it's going to be a few weeks late with it for obvious reasons this year. So we think that it's not going to announce or fully reveal the iPhone.
I suspect that there will be a tease of it and there will be a follow-up event either later in September or beginning of October because it's a virtual event.
They're not having really anybody there. It's all being filmed in advance, we presume. So it doesn't really cost them loads more money in terms of flying journalists over.
It's just an extra bit of filming on their part. So, you know, the more anticipation they can build up, all the better it is for their PR machine.
So there's definitely, definitely, there's a very high confidence rate that there's going to be at least one new watch type device, probably a Series 6 Apple Watch of some description, and possibly a lower-end one as well.
I say lower-end, something to compete with the likes of Fitbit, you know, in the kind of like £100-£200-odd category. So something like that.
We also think there's going to be some new iPad announcements as well, but probably what may steal the headlines— and again, I'm saying this with the event being 4 hours away, and by the time this comes out, everyone will know whether I'm right or wrong already— but probably I think the big news will be what isn't announced.
We don't think the next iPhone is going to be announced yet.
Now, every year at this time of year, beginning of September, for the last goodness knows how many years, this has been the point at which Apple shows off its brand new smartphone.
But it already said it's going to be a few weeks late with it for obvious reasons this year. So we think that it's not going to announce or fully reveal the iPhone.
I suspect that there will be a tease of it and there will be a follow-up event either later in September or beginning of October because it's a virtual event.
They're not having really anybody there. It's all being filmed in advance, we presume. So it doesn't really cost them loads more money in terms of flying journalists over.
It's just an extra bit of filming on their part. So, you know, the more anticipation they can build up, all the better it is for their PR machine.
Mm-hmm. Okay.
They definitely want to get it out for the holidays, won't they?
Oh yeah, absolutely. Along with, you know, they're hurting for money.
Is that why?
Yeah, exactly. But along with all the rest of the devices, you know, they're talking about new in-ear kind of AirPod type things, but also it's their software services.
Apple's going big on trying to make more money from the ones and zeros that it sells, so it might bundle up some stuff this year in terms of games and movies and whatever.
So, yeah, watch this space, or if you're listening to this later on this week, you've already watched this space and you'll find out how inaccurate I am.
Apple's going big on trying to make more money from the ones and zeros that it sells, so it might bundle up some stuff this year in terms of games and movies and whatever.
So, yeah, watch this space, or if you're listening to this later on this week, you've already watched this space and you'll find out how inaccurate I am.
What do we got coming up in the show today, Carole?
First, let's thank this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. Now coming up on today's show. Graham looks at smart guns.
Dave musks up and gives us a Tesla lesson. And I delve into the twisty turny smart streetlights snafu that happened in San Diego. This is crazy.
All this and much more coming up on this episode of Smashing Security.
Dave musks up and gives us a Tesla lesson. And I delve into the twisty turny smart streetlights snafu that happened in San Diego. This is crazy.
All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, you can probably already hear the jingle jangle of sleigh bells because it is under 100 days until Christmas.
Most kids will be getting coal this year, and be grateful.
Why do sleighs have bells on them? Because surely the whole point of Santa is to be kind of fairly silent.
Yes, furtive.
You know, trying to kind of sneak around a little bit so kids don't see them.
The last thing really he's gonna have is dirty great big jingle bells on his sleigh waking all the kids up. So I've always wondered that.
The last thing really he's gonna have is dirty great big jingle bells on his sleigh waking all the kids up. So I've always wondered that.
As he can fly and do everything that basically almost, you know, a god can do, I'm sure he can just go, "Bells, make no noise." Well, he must also be breaking the sound barrier as well.
Right. I mean, it is impressive what he does.
You know, I once did something for Computing magazine when I did stuff with them. I had to pretend to be— and this was a 15-minute film— Santa's CIO.
So I was being interviewed by the lovely Stuart Sumner, who was the editor of Computing magazine at the time.
I had all of the facts and figures that we painstakingly researched about how fast Santa would have to be to go around the world, about the big data operation and analytics to make sure that, you know, it was all just-in-time delivered by the elves.
It was a fascinating story.
So I was being interviewed by the lovely Stuart Sumner, who was the editor of Computing magazine at the time.
I had all of the facts and figures that we painstakingly researched about how fast Santa would have to be to go around the world, about the big data operation and analytics to make sure that, you know, it was all just-in-time delivered by the elves.
It was a fascinating story.
Did anyone ask you, as a CIO, how are you feeling about the security of an unknown person coming into everyone's house around the world?
What about GDPR and his list? Exactly!
Oh, I know. I think as close to that as we got was the fear of competition from the Easter Bunny.
Well, you might be wondering what to buy your loved ones for Christmas this year, and I think I've got the solution for you.
For the man or woman who's had everything in the past, you will soon be able to grab a Kalashnikov smart shotgun, MP155 Ultima.
For the man or woman who's had everything in the past, you will soon be able to grab a Kalashnikov smart shotgun, MP155 Ultima.
Is this what you want, Graham?
It's not necessarily what I want, but I think there will be some people who will watch this video of this gun and think, "Ooh, that's cool," because it is, of course, part of the Internet of Things.
An IoT smart gun.
Yes. And a Kalashnikov. You may have heard of those before, Carole.
Yes, yes.
Yes, right. So this is quite a serious bit of hardware. And as well as being all the general nasty things which guns do, it also will synchronize with your personal gadgets. So you—
With the new Apple iWatch.
Well, maybe, who knows? So maybe you'll be able to text people via Bluetooth in the vicinity. Before you shoot them, I don't know.
Anyway, this Russian-made gun offers synchronization, as I said, with all your gadgets and gizmos.
Anyway, this Russian-made gun offers synchronization, as I said, with all your gadgets and gizmos.
Okay.
Has a built-in computer, a Raspberry Pi. It has a video camera, so it will actually store on board on the camera.
Oops, I just shot someone. Delete, delete, delete.
Well, videos of, you know, what gets shot, of you in action. And it doesn't have to be you shooting a person. Because some people are quite keen on going hunting as well.
Okay, so I guess it makes it easier though, because you don't have to hold your iPhone and your gun at the same time when you're out shooting the cans in the back garden.
Yes, I found that quite complicated. Yes, yes.
Yes, cumbersome, cumbersome.
Yes, when I've been staking out the prairies in the wilds of Africa, when I've been out there in my pith helmet, it's been always difficult.
Yes, it's actually quite difficult to get a Wi-Fi signal as well, but this thing will connect via Wi-Fi and Bluetooth. It's got a USB Type-C port. How cool is that?
Yes, it's actually quite difficult to get a Wi-Fi signal as well, but this thing will connect via Wi-Fi and Bluetooth. It's got a USB Type-C port. How cool is that?
Oh yeah, USB-C. I mean, that's good. It could have been a micro USB, which would be really, really bad news.
Wouldn't you have hated that? Having to find a connector for a micro. Just think, for goodness sake, I've spent thousands and thousands on this gun.
And that will be for connecting to a full high definition camera. So FHD, you must know about that kind of thing.
And that will be for connecting to a full high definition camera. So FHD, you must know about that kind of thing.
I just need to know if it's 1080p. That's what my dad told me was really important.
I think the FHD is at least 1080p.
Okay.
Yes. I don't think it's ultra high definition.
No, that would be 4K, but no.
Right.
Okay. Okay. So it's certainly a well-connected shotgun. Crikey.
Are you guys thinking this sounds fun? Because I'm not sure it's for me.
Yeah, I don't think it's for me.
Right.
But it of course raises some interesting questions. I mean, it's no surprise that it comes out of Russia, of course.
With all these cameras attached to it, because Russians do love their dashcams, don't they? They love to film as they're driving around.
And more and more people around the world actually are doing that, aren't they? Whether it be on bicycles while they're cycling around or from their cars as well.
With all these cameras attached to it, because Russians do love their dashcams, don't they? They love to film as they're driving around.
And more and more people around the world actually are doing that, aren't they? Whether it be on bicycles while they're cycling around or from their cars as well.
Yeah, you get a huge incentive to do so through insurance.
Oh, do you?
Oh yeah, because say you have an accident and it's a he said, he said, or she said, she said, you can go, well, show me the dashcams, dude. This person's at fault.
So would that also apply to my smart gun as well? So if I had film of the accidental shooting, would I be able to take that?
Dick Cheney. Didn't Dick Cheney accidentally shoot somebody?
He was on a duck hunt, wasn't he?
That's right. And he obviously quacked. And yeah.
But if he'd had one of these, then maybe he'd be able to take that to the insurance company and said, look—
He looked like a duck. He sounded like a duck.
You have to be careful, of course, with anything which has a camera on it. You don't necessarily want to take selfies with this. I think that could be a problem.
But you would be shooting yourself in the foot if that was the case.
Well, kaboom.
Well, and now this actually, although it claims to be one of the very first smart guns, I've done a little bit of digging around and I found this isn't the first smart gun because there are other guns which have been Wi-Fi enabled.
And in some cases, there are companies who've even been developing smart bullets, which use guidance systems and computers to hit their targets.
There is a company in the States called TrackingPoint, and TrackingPoint say that all you have to do is pull the trigger and their guns will automatically acquire the target.
They will track the target. And it quotes what it calls its TTK value, which is its total time to kill of approximately 2.5 seconds.
Now, I think these are primarily being used by hunters. Just to prove how easy it is to do this, they have a video of a guy who's obviously an army veteran who was blinded.
And he uses a TrackingPoint gun to shoot a deer, but he doesn't know what he's pointing at, obviously.
Well, and now this actually, although it claims to be one of the very first smart guns, I've done a little bit of digging around and I found this isn't the first smart gun because there are other guns which have been Wi-Fi enabled.
And in some cases, there are companies who've even been developing smart bullets, which use guidance systems and computers to hit their targets.
There is a company in the States called TrackingPoint, and TrackingPoint say that all you have to do is pull the trigger and their guns will automatically acquire the target.
They will track the target. And it quotes what it calls its TTK value, which is its total time to kill of approximately 2.5 seconds.
Now, I think these are primarily being used by hunters. Just to prove how easy it is to do this, they have a video of a guy who's obviously an army veteran who was blinded.
And he uses a TrackingPoint gun to shoot a deer, but he doesn't know what he's pointing at, obviously.
Over the years, I've learned to do a few things, and one of the things that I've really gotten into is hunting.
This thing called TrackingPoint, it's an entire weapons system with a set of optics. For me, it enables me to hunt.
This thing called TrackingPoint, it's an entire weapons system with a set of optics. For me, it enables me to hunt.
You know, it enables me to do something that I essentially wouldn't be able to do on my own.
Down goes Brady!
Yeah, nice work, brother!
One shot, one kill. Very, very nice. Degree of difficulty off the scale.
Not bad for a guy with no eyesight. So there's a blind guy running around with a gun, shooting animals? Yes. In woods?
Yes.
Okay, great. This is so great.
Now I was reading about this company, I thought, this rings a bell, this sort of smart gun which they have here.
And I remembered that back in 2015, because I wrote a story about it at the time, in 2015, Wired, a couple of their reporters got hold of one of these TrackingPoint guns, and they found that they could hack it remotely via Wi-Fi.
And what they were able to do was not only a denial of service attack against the rifle to prevent it from shooting, but they could even get it to deliberately miss its target.
So you'd have something in the aims, but the actual gun itself would fire slightly askew. They even managed to hit the target next to the one they were aiming for.
And I remembered that back in 2015, because I wrote a story about it at the time, in 2015, Wired, a couple of their reporters got hold of one of these TrackingPoint guns, and they found that they could hack it remotely via Wi-Fi.
And what they were able to do was not only a denial of service attack against the rifle to prevent it from shooting, but they could even get it to deliberately miss its target.
So you'd have something in the aims, but the actual gun itself would fire slightly askew. They even managed to hit the target next to the one they were aiming for.
Maybe this existed in the time of JFK, and this is why we have no idea to this day of who actually shot him.
Maybe they were aiming for Jackie.
Yeah.
And they hit John instead.
No one would aim for Jackie.
So back then, there were these huge concerns about vulnerabilities in smart guns, because what if one of these manufacturers comes out with a gun and it's not easy to patch?
It certainly wouldn't be easy to patch if you're out on the field, would it?
It certainly wouldn't be easy to patch if you're out on the field, would it?
Tell you what, this would be a story for CSI. Remember the days? Magnify.
And imagine if you're in a tight situation, if you're chasing a ferret or an otter or whatever it is that you're hunting and— A ferret? Well, I don't know.
I mean, so they run wild through Oxfordshire.
And imagine you can't shoot because you have to do a system update. What's going to happen then? What if you have to reboot and you're in a tight situation?
It just seems a bit crazy for me how much IoT and technology is integrating itself into everything.
And if you have guns which are so computerised and able to guide and able to self-select and basically so good at shooting that a blind person can use them with 100% success, where is the pleasure, if there indeed is any pleasure, from hunting?
And where is the skill?
It just seems a bit crazy for me how much IoT and technology is integrating itself into everything.
And if you have guns which are so computerised and able to guide and able to self-select and basically so good at shooting that a blind person can use them with 100% success, where is the pleasure, if there indeed is any pleasure, from hunting?
And where is the skill?
Can I present a slightly opposing view, Graham?
Yes, well, you do live out in the wild these days, don't you?
We had a squirrel running outside my office window the other day, but I wanted to stroke it, not shoot it.
That's one of the biggest animals in the UK, isn't it?
Yes. So smart guns, you do a bit of searching around for smart guns and you find a different view for this.
And this is particularly with regards to guns that employ some kind of authentication built into them so that only an approved, authorized person is able to use that gun.
So, for example, a gun that is stolen cannot be used by a criminal.
A gun that is stolen from a law enforcement officer can only be used were it to be repatriated with that law enforcement officer, or accidental shootings can't take place as well.
And I was reading around, there are some states where laws had actually been proposed that gun shops would have to sell a selection of smart guns with, whether it's a fingerprint reader or something.
And some German firms came up with these, but they've reached kind of a bit of an impasse, really, and not been able to get any traction in the United States due to some pretty severe lobbying from the NRA.
Now, I'm not going to get too much into the politics of guns and stuff, at risk of alienating too much of your listenership.
But it does seem as though some of these ways to make guns safer, if that is even a thing, do seem to be being shot down before they're given a chance to be proved successful.
And this is particularly with regards to guns that employ some kind of authentication built into them so that only an approved, authorized person is able to use that gun.
So, for example, a gun that is stolen cannot be used by a criminal.
A gun that is stolen from a law enforcement officer can only be used were it to be repatriated with that law enforcement officer, or accidental shootings can't take place as well.
And I was reading around, there are some states where laws had actually been proposed that gun shops would have to sell a selection of smart guns with, whether it's a fingerprint reader or something.
And some German firms came up with these, but they've reached kind of a bit of an impasse, really, and not been able to get any traction in the United States due to some pretty severe lobbying from the NRA.
Now, I'm not going to get too much into the politics of guns and stuff, at risk of alienating too much of your listenership.
But it does seem as though some of these ways to make guns safer, if that is even a thing, do seem to be being shot down before they're given a chance to be proved successful.
Yeah look, I've never dealt with guns. I've never owned guns. I don't know anyone with guns. I'm just out of my depth here. So I'm just staying quiet and—
You're staying quiet. Okay, so you won't be updating your Instagram from your clash, Nicole.
What's Instagram?
What is Instagram? You know, that is the right answer. Whenever someone mentions Instagram. Yeah. And leave it at that. David, what's your topic for us this week?
Right then, so fasten your seatbelts, folks, and set your cyber satnavs for the oh-so-popular destination at the moment: Elon Musk's Tesla.
So I've been listening to the show over the last few weeks because I'm genuinely a fan as well as a guest, and listening to John and Jess, I've been listening to them speaking with interest about how connected cars continue to creep into the conversation around cybersecurity.
Now, I'm not what you would call a petrolhead, but I have become a bit of an EV nut, if I'm honest.
So I've been listening to the show over the last few weeks because I'm genuinely a fan as well as a guest, and listening to John and Jess, I've been listening to them speaking with interest about how connected cars continue to creep into the conversation around cybersecurity.
Now, I'm not what you would call a petrolhead, but I have become a bit of an EV nut, if I'm honest.
Oh yeah, I seem to remember you bought an electric car, didn't you? And you had trouble getting it up your drive, I think.
I'm sorry? No, but it wasn't it—
Steady. Wasn't it sort of a bit low on the ground or something? And you had to get it over a curb and—
You're absolutely right. I had some pretty nasty problems getting my car onto my drive.
I have found a sneaky angle, whereas if I come in at about 45 degrees and ride the curb next door to the dipped curb outside my drive, I can get my car on there.
I have trouble getting it off again. But anyway, that's another story. So I have developed an affinity with and a bit of a passion for electric vehicles.
And it's also become a bit more of my day job as well, talking and writing about this stuff and this convergence of consumer tech, connected cars, and electric vehicles, and what the potential ramifications of that may be.
So my interest was piqued when I came across this story last week.
And it's not about hacking a single car, but instead about how a hacker, a tinkerer really, was able to compromise Tesla's mothership servers and gain remote access to, and be able to control Tesla's entire fleet of cars.
I have found a sneaky angle, whereas if I come in at about 45 degrees and ride the curb next door to the dipped curb outside my drive, I can get my car on there.
I have trouble getting it off again. But anyway, that's another story. So I have developed an affinity with and a bit of a passion for electric vehicles.
And it's also become a bit more of my day job as well, talking and writing about this stuff and this convergence of consumer tech, connected cars, and electric vehicles, and what the potential ramifications of that may be.
So my interest was piqued when I came across this story last week.
And it's not about hacking a single car, but instead about how a hacker, a tinkerer really, was able to compromise Tesla's mothership servers and gain remote access to, and be able to control Tesla's entire fleet of cars.
All of them?
It's like the Borg.
Yes.
The Borg of Teslas.
It is.
It is a little bit, and it's a little bit scary, but—and that's probably why this one occurred to me as being quite interesting. So what happened?
Well, okay, so this actually happened, for full disclosure, about 3 years ago, but the story's only just gone public after the hacker, one Jason Hughes, or WK057 as he goes by.
He shared online a vulnerability report that he sent to Tesla engineers. And I've shared a Google Doc of that report with some excellent explanatory notes that are very revealing.
And there's also a good write-up of this in a popular EV site called Electrek, both interesting reads.
In a nutshell though, this Jason was already somebody who likes to tinker with cars and tinker with Teslas.
And he made a few bobs here and there with some simple bug bounties that Tesla was offering.
So for example, many electric chargers are online so that drivers can see either in their car or using an app which chargers are available, which ones are offline.
I speak from experience, very handy when running low on juice or electrons, I guess, because unlike filling up a combustion engine car, charging an EV isn't a 5-minute job, takes some planning.
Now, Tesla EV charging points are online, but information about them is a little bit sketchy, or at least it was at the time.
So what this Jason fella does, he had to poke around to see if he could make charger information easier to access. And guess what?
He found some holes in the public-facing Tesla Supercharger Central server and was able to scrape data for every charger in the world every few minutes. So what do you do?
You post your findings on your nearest Tesla forum. And as proof that staff do lurk in these places, yeah, somebody from Tesla got in touch.
In fact, within 20 minutes of posting, he was on a conference call with the head of software security at Tesla.
Well, okay, so this actually happened, for full disclosure, about 3 years ago, but the story's only just gone public after the hacker, one Jason Hughes, or WK057 as he goes by.
He shared online a vulnerability report that he sent to Tesla engineers. And I've shared a Google Doc of that report with some excellent explanatory notes that are very revealing.
And there's also a good write-up of this in a popular EV site called Electrek, both interesting reads.
In a nutshell though, this Jason was already somebody who likes to tinker with cars and tinker with Teslas.
And he made a few bobs here and there with some simple bug bounties that Tesla was offering.
So for example, many electric chargers are online so that drivers can see either in their car or using an app which chargers are available, which ones are offline.
I speak from experience, very handy when running low on juice or electrons, I guess, because unlike filling up a combustion engine car, charging an EV isn't a 5-minute job, takes some planning.
Now, Tesla EV charging points are online, but information about them is a little bit sketchy, or at least it was at the time.
So what this Jason fella does, he had to poke around to see if he could make charger information easier to access. And guess what?
He found some holes in the public-facing Tesla Supercharger Central server and was able to scrape data for every charger in the world every few minutes. So what do you do?
You post your findings on your nearest Tesla forum. And as proof that staff do lurk in these places, yeah, somebody from Tesla got in touch.
In fact, within 20 minutes of posting, he was on a conference call with the head of software security at Tesla.
Wow.
Quite a ride.
That's incredible.
I'm sure. And they asked him to please stop sharing this Supercharger data, and they paid him a $5,000 bug bounty. Not a bad little earner.
But hang on. So that's revealed where all the Tesla chargers are around the world and some information about them. That doesn't seize control of all the Teslas in the world, does it?
No, exactly.
It did give him some insight into how Tesla's online services work, and having, you know, received a nice bit of pocket money, he decided to delve in a little bit further.
So he found some further Tesla servers lurking on the internet, and he discovered that they really weren't the most secure.
And he stumbled across—imagine you're just having a bit of a snoop around—he stumbled across an image of a server called Mothership.
Now, if you're poking around on a network and find a server called Mothership, chances are you've kind of struck gold as a hacker.
It did give him some insight into how Tesla's online services work, and having, you know, received a nice bit of pocket money, he decided to delve in a little bit further.
So he found some further Tesla servers lurking on the internet, and he discovered that they really weren't the most secure.
And he stumbled across—imagine you're just having a bit of a snoop around—he stumbled across an image of a server called Mothership.
Now, if you're poking around on a network and find a server called Mothership, chances are you've kind of struck gold as a hacker.
Yeah, everything.
Yeah, exactly. And it turns out this Mothership was Tesla's home server. Any remote commands or any diagnostic information for Tesla's customer fleet all go through this server.
So long story short, the vulnerability report goes into this in some really good detail. He was able to pretend to see any car in Tesla's fleet.
He could see information about any car, its location, its temperature, its range, whether it was locked or not. And he was able to send commands to it.
All he needed was the VIN, the vehicle identification number, a bit like a MAC address on a computer, I guess.
But he had access to all of those too, because also on the mothership was what Tesla called its Tesla Dex, its Rolodex. So entire fleet, entire inventory of vehicles was there.
So I mentioned he was able control the cars. So specifically, one of the functions he was able to trigger was the Summon feature.
Now this lets drivers remotely move their cars forwards or backwards a few meters so they can get into or out of tight parking spaces. Very handy.
Probably not that helpful for my drive though. Now, our tinkerer, again, he's good. He's a tinkerer. He's not a bad guy. He's a good guy.
He compiled all of this information, and because he's got the bat phone now to Tesla's security team, he drops them a line.
So long story short, the vulnerability report goes into this in some really good detail. He was able to pretend to see any car in Tesla's fleet.
He could see information about any car, its location, its temperature, its range, whether it was locked or not. And he was able to send commands to it.
All he needed was the VIN, the vehicle identification number, a bit like a MAC address on a computer, I guess.
But he had access to all of those too, because also on the mothership was what Tesla called its Tesla Dex, its Rolodex. So entire fleet, entire inventory of vehicles was there.
So I mentioned he was able control the cars. So specifically, one of the functions he was able to trigger was the Summon feature.
Now this lets drivers remotely move their cars forwards or backwards a few meters so they can get into or out of tight parking spaces. Very handy.
Probably not that helpful for my drive though. Now, our tinkerer, again, he's good. He's a tinkerer. He's not a bad guy. He's a good guy.
He compiled all of this information, and because he's got the bat phone now to Tesla's security team, he drops them a line.
Presses the button. Yeah, yeah, exactly.
Within minutes they had him on the phone.
And the story in Electric, it describes how our man Jason, he asked Tesla's head of security there and then, who's in California, to give him the VIN of any nearby Tesla.
So he just went out to the parking lot, picked a Tesla, got the VIN for it, and Jason immediately, from where he was somewhere in North Carolina, he was able to issue the summon command and move it forward by a few feet.
And the story in Electric, it describes how our man Jason, he asked Tesla's head of security there and then, who's in California, to give him the VIN of any nearby Tesla.
So he just went out to the parking lot, picked a Tesla, got the VIN for it, and Jason immediately, from where he was somewhere in North Carolina, he was able to issue the summon command and move it forward by a few feet.
Wow.
How scary is that?
I'm really surprised they only gave him 5K, actually.
Well, well, well, okay. So for this one, sadly for Jason, he didn't walk away with a free Tesla, but he did walk away with a 50K bug bounty.
And I understand that the Tesla team pulled a few late nights to fix the chain of bugs in their servers. And they've certainly upped their bug bounties since then.
And I understand that the Tesla team pulled a few late nights to fix the chain of bugs in their servers. And they've certainly upped their bug bounties since then.
Yeah.
You know what? They should have given him a Tesla because they want him to test the ruddy thing and get in touch with them.
Exactly.
It's worth giving him a free car.
So to wrap this up, I should add that this all took place in 2017. The vulnerability is long behind them.
But Tesla does appear to have improved its cybersecurity stance since then and actively engages with white hat hackers like this Jason fella. It's big at conferences.
It does bring its cars along to hacking competitions and encourages people to go ahead and hack them. And it offers some really substantial bug bounties as well.
I think I saw something like £900,000 for someone who could hack a Tesla Model 3. So all in all, I think this is actually a really good story because nothing is ever—
But Tesla does appear to have improved its cybersecurity stance since then and actively engages with white hat hackers like this Jason fella. It's big at conferences.
It does bring its cars along to hacking competitions and encourages people to go ahead and hack them. And it offers some really substantial bug bounties as well.
I think I saw something like £900,000 for someone who could hack a Tesla Model 3. So all in all, I think this is actually a really good story because nothing is ever—
You'd be annoyed if you were Jason if they're now offering 90 grand.
Well, yeah, okay.
You know, and you're like, yeah, no worries, I got my 5K here, I'm happy.
I don't know what he's done since, but it does seem to me that Tesla is kind of being open, accessible, going about security in a relatively healthy manner, and certainly engaging with the community and rewarding them for helping with its work.
So I think that's a good story. Certainly a cautionary tale about what can happen when you're lashing your cars together at such rate.
Remember, Tesla only put its first tires on tarmac back in 2014, 2015. So by 2016 or '17, I'm sure there's a lot of code that's relatively immature still kicking around.
Fingers crossed for any Tesla owners out there, which I'm not one, that they do keep on top of this security.
So I think that's a good story. Certainly a cautionary tale about what can happen when you're lashing your cars together at such rate.
Remember, Tesla only put its first tires on tarmac back in 2014, 2015. So by 2016 or '17, I'm sure there's a lot of code that's relatively immature still kicking around.
Fingers crossed for any Tesla owners out there, which I'm not one, that they do keep on top of this security.
Graham, how are you feeling right now? Talking about your, you have a little bromance with Elon, don't you?
What are you talking about?
Well, we know. You like Elon.
No, not really. Where's the schoolyard?
You know how people in the schoolyard, you know, if someone kind of had a crush on you, they kind of hit you occasionally.
I remember a lot of people hitting me, yes, at school. I don't think they all had a bromance with me. Kroll, what have you got for us this week?
This week, well, I've got a title for us actually before I start. Smart guns, smart cars, and smart streetlights. Oh my, seems we're all talking IoT today.
So hang on, let me make a note of that so I don't forget. Smart guns.
Well, okay, I'll be able to remember when we edit, dude.
Oh, okay. All right, all right.
So back in the before times, 2017, San Diego announced a revolutionary smart streetlight project.
The idea was to replace all the power-hungry streetlights with more efficient LED streetlights.
The idea was to replace all the power-hungry streetlights with more efficient LED streetlights.
I hate LED streetlights.
It's interesting because, you know, they replaced the yellow glow of the city's old sodium vapour street lamps with these efficient new LED lights.
Well, you know, you may not like the light, but they use 60% less energy.
Well, you know, you may not like the light, but they use 60% less energy.
We have a problem with a streetlight outside our bedroom.
And the council won't— they've orientated it in such a way that it lights up our entire house and our bedrooms rather than the road.
And we are constantly in communication with them saying, "No, don't do that."
And the council won't— they've orientated it in such a way that it lights up our entire house and our bedrooms rather than the road.
And we are constantly in communication with them saying, "No, don't do that."
I have that too. I just have a blackout blind.
Yeah.
So this was a big deal for San Diego because the city was reportedly broke at the time. So this saving of, you know, using 60% less energy looked huge.
According to GE, GE were the original San Diego partner in this project. The city ended up replacing more than 35,000 lights, yielding an estimated $2.2 million savings per year.
So big bucks for a poor city.
According to GE, GE were the original San Diego partner in this project. The city ended up replacing more than 35,000 lights, yielding an estimated $2.2 million savings per year.
So big bucks for a poor city.
Yeah.
However, there were some hurdles. When a traditional light bulb stops working, it just burns out, right? A LED light bulb doesn't burn out, it just degrades over time.
Hence, there's this argument for smart streetlight systems, right? This way, the city could monitor the LEDs and then replace them before they got dangerously dim. Makes sense.
But you know, you guys know function creep. Function creep is exciting. And San Diego smart streetlights ended up not just reporting a request for a bulb replacement.
And while they look like any of your typical streetlights from down far away, they sport a number of tiny data-hoovering sensors called nodes.
So let me just share with you all the stuff that is found in some of these super smart light bulbs.
Hence, there's this argument for smart streetlight systems, right? This way, the city could monitor the LEDs and then replace them before they got dangerously dim. Makes sense.
But you know, you guys know function creep. Function creep is exciting. And San Diego smart streetlights ended up not just reporting a request for a bulb replacement.
And while they look like any of your typical streetlights from down far away, they sport a number of tiny data-hoovering sensors called nodes.
So let me just share with you all the stuff that is found in some of these super smart light bulbs.
That very word, node, it covers so many sins.
So I'll read this out and you guys, I wanna, I would like to ask you guys, okay, imagine you're the God of San Diego, right? What would you do with this functionality?
What kind of stuff do you imagine people doing just from this information?
So inside these streetlights, you will reportedly find an Intel Atom processor, half a terabyte of storage, Bluetooth and Wi-Fi radios, two 1080p video cameras, two acoustical sensors, and environmental sensors that monitor temperature, pressure, humidity, vibration, magnetic fields, and much of the data is processed on the node.
So this is what they call edge processing.
What kind of stuff do you imagine people doing just from this information?
So inside these streetlights, you will reportedly find an Intel Atom processor, half a terabyte of storage, Bluetooth and Wi-Fi radios, two 1080p video cameras, two acoustical sensors, and environmental sensors that monitor temperature, pressure, humidity, vibration, magnetic fields, and much of the data is processed on the node.
So this is what they call edge processing.
There's quite a lot of information you've dumped on us there, Carole. So we've got connectivity, we've got lots and lots of storage, we've got cameras.
Yeah.
We've also got microphones from the sound of things, acoustical sensors.
Sounds like a mic to me.
Environmental sensors as well. So it can— weather, magnetic fields, if there's an earthquake going on, some vibration.
I think the primary way I would use something like this is, of course, to stop dog fouling when people are taking their dogs for a walk. And they go—
I think the primary way I would use something like this is, of course, to stop dog fouling when people are taking their dogs for a walk. And they go—
Would you tie your Kalashnikov to the actual smart light?
I think the streetlight can sense—
And threaten the owner.
Sense if it's— yes, well, let's see.
Threaten the owner that doesn't poop and scoop.
Right, exactly. And then they could be eliminated.
I don't want to live in your country.
Maybe just tranquilized or something, you know, just— or given a little— doesn't have to be lethal. But wow.
Yeah, right now you see I put a picture in there of what it actually looks like. And you know, it just has all these little nodes.
You see all these little— these antennae sticking out everywhere.
You see all these little— these antennae sticking out everywhere.
And it looks quite menacing.
Yeah. Well, it's not going to be that close, right? They're going to be pretty high up. Now, these data-collecting nodes connect to a GE operating system, right?
And this was to process all the metadata collected by the sensors.
And according to GE, these smart streetlights were there to help San Diego become the largest municipal Internet of Things network in the US.
I mean, literally, you can get real-time data on anything, vehicles, pedestrians, bicycle traffic, everything.
And this was to process all the metadata collected by the sensors.
And according to GE, these smart streetlights were there to help San Diego become the largest municipal Internet of Things network in the US.
I mean, literally, you can get real-time data on anything, vehicles, pedestrians, bicycle traffic, everything.
Oh, you know what I'd want?
You know what I would like this to somehow tie in with a UPS or DHL delivery service, because at the moment, what happens is, when you get one of those emails saying, oh, we're going to deliver, you know, sometime by the end of the day, and you're not really sure, you know, can I pop out or not?
Can I pop out? I actually now have to make a great big palaver about leaving the house and pretending to leave the house. Like, oh, I'm just putting my coat on. I'm going to go out.
Together in order to hide behind the dustbins, because I know as soon as I leave the house they're going to deliver the item.
So I'll basically be in a, you know, I'll be hidden away in the garden ready to pounce.
But if something like this was operating, I could find out in advance they're in my street, they're coming close, do not leave the premises, right?
Because this sort of thing would be able to look at vehicles, it'd be able to look up license plates, and, you know, with it—
You know what I would like this to somehow tie in with a UPS or DHL delivery service, because at the moment, what happens is, when you get one of those emails saying, oh, we're going to deliver, you know, sometime by the end of the day, and you're not really sure, you know, can I pop out or not?
Can I pop out? I actually now have to make a great big palaver about leaving the house and pretending to leave the house. Like, oh, I'm just putting my coat on. I'm going to go out.
Together in order to hide behind the dustbins, because I know as soon as I leave the house they're going to deliver the item.
So I'll basically be in a, you know, I'll be hidden away in the garden ready to pounce.
But if something like this was operating, I could find out in advance they're in my street, they're coming close, do not leave the premises, right?
Because this sort of thing would be able to look at vehicles, it'd be able to look up license plates, and, you know, with it—
Oh yeah, totally.
There's a lot of smartness here, which, you know, potentially all that big data could be used in interesting, cool ways as well as naughty ways.
Well, yeah, and the city was hoping for that.
They anonymized all the information and then hoped that app developers would kind of say, "Hey, this is cool, we can jump on board with this and develop a cool app." And, you know, and contribute to the bright connected future that San Diego aspired to.
Unfortunately, it turns out that very few independent app developers took them up on this offer. So there's that.
Back in 2017, the San Diego Deputy CEO said, "I see streetlights as the platform to transform our communities.
They help connect us to our citizens, provide a future where we are better able to understand our neighborhoods and give them services they want." And this is how they basically marketed it across the city.
So we're now 3 years on from this 2017, you know, yeah, how's it all going? Yeah, it must be great. Must be utopia.
They anonymized all the information and then hoped that app developers would kind of say, "Hey, this is cool, we can jump on board with this and develop a cool app." And, you know, and contribute to the bright connected future that San Diego aspired to.
Unfortunately, it turns out that very few independent app developers took them up on this offer. So there's that.
Back in 2017, the San Diego Deputy CEO said, "I see streetlights as the platform to transform our communities.
They help connect us to our citizens, provide a future where we are better able to understand our neighborhoods and give them services they want." And this is how they basically marketed it across the city.
So we're now 3 years on from this 2017, you know, yeah, how's it all going? Yeah, it must be great. Must be utopia.
Must be wonderful, right?
I mean, it's one of the smartest cities in the USA. What could possibly have gone wrong? Well, two fascinating things that I was able to kind of put my finger on.
So, okay, this is a little complicated, so if it's too much, just stop me and I'll clarify, but it is worth listening to. Okay?
So, okay, this is a little complicated, so if it's too much, just stop me and I'll clarify, but it is worth listening to. Okay?
Okay.
So GE Current, okay, that's a name of a subsidiary of GE, and they were the original San Diego City partner, right?
So GE Current is who supplied the smart streetlights and used and managed it under this thing called CityIQ. Okay, so you have GE Current, they're the partner of the city.
And as part of the deal with GE Current, they ran the cloud-based analytics of all the sensor data on the platform, the CityIQ platform.
But get this, the cloud operator rather than the city owned any algorithms derived from the data.
So GE Current is who supplied the smart streetlights and used and managed it under this thing called CityIQ. Okay, so you have GE Current, they're the partner of the city.
And as part of the deal with GE Current, they ran the cloud-based analytics of all the sensor data on the platform, the CityIQ platform.
But get this, the cloud operator rather than the city owned any algorithms derived from the data.
What do you mean by that, owned algorithms to run?
They kind of run the show.
Oh, I see. Right. Okay, so they're basically, they're tied in with GE Current.
Yes.
Rather awkward getting away from them if they wanted to. Right.
Okay, good. Twist number 1: GE Current was then acquired last year by private equity firm called American Industrial Partners. So at this point—
Which I see, I thought you were going to say someone like the People's Liberation Army of China, so at least it's—
Oh, at least the name is palatable. Okay, well, good, good. So at this point, all this cloud-based algorithms and the operator, this was run by American Industrial Partners.
Twist number 2, American Industrial Partners sells off the CityIQ platform in May to Ubiquiti, a Florida manufacturer of streetlight sensors and software.
The American Industrial Partners kept the LED lighting side of the operation. So they kind of divided up the kind of surveillance and the lighting.
Twist number 2, American Industrial Partners sells off the CityIQ platform in May to Ubiquiti, a Florida manufacturer of streetlight sensors and software.
The American Industrial Partners kept the LED lighting side of the operation. So they kind of divided up the kind of surveillance and the lighting.
Yeah.
So the problem now is who the frick owns the data? So that's one big pickle they're dealing with. Problem number two, okay, who has access to the data is the next question.
So if we fast forward a year on to 2018, right, from when it was first introduced in San Diego.
So if we fast forward a year on to 2018, right, from when it was first introduced in San Diego.
This is the data that's stored in the cloud. Yes. That we're debating again.
Well, now we're who's access, yeah, who accesses all the data? All these nodes are hoovering up all this data and it's going into a centralized place.
Realize somewhere who has access to that data.
So a year after the installation, in August, a cop investigating a murder in San Diego's Gaslamp Quarter looks up and sees the smart streetlight, and he realizes the streetlight's video cameras have a perfect view of the crime scene, one unavailable from the variety of security cameras that were around the area, right?
Realize somewhere who has access to that data.
So a year after the installation, in August, a cop investigating a murder in San Diego's Gaslamp Quarter looks up and sees the smart streetlight, and he realizes the streetlight's video cameras have a perfect view of the crime scene, one unavailable from the variety of security cameras that were around the area, right?
Yeah.
So according to IEEE Spectrum, it turns out that the video was still stored on the street lamp. It's deleted after 5 days, but for 5 days it sits there live.
And GE Current were able to pull it up from its cloud servers and then forward it over to the police department.
And it was clear from that point that some of the video could help solve crimes. And the city felt it had an obligation to turn over that information when there was a major crime.
So this is the view from the city of San Diego at the time.
And GE Current were able to pull it up from its cloud servers and then forward it over to the police department.
And it was clear from that point that some of the video could help solve crimes. And the city felt it had an obligation to turn over that information when there was a major crime.
So this is the view from the city of San Diego at the time.
What a shame the crime wasn't committed with one of these smart guns I was telling you about, because that might have captured some video.
They would have captured each other.
And it might also have taken the fingerprint of the assailant, who was— see, I'm just— oh my God, I'm a genius.
Okay.
The next, the following year, 2019, the police department adopt a formal policy around the use of streetlight data and stated that video and audio may be accessed exclusively for law enforcement purposes.
With the police department as the custodian of the records.
The city sustainability department, this is the home of the whole streetlight program, did not have access to the crime-related data.
The next, the following year, 2019, the police department adopt a formal policy around the use of streetlight data and stated that video and audio may be accessed exclusively for law enforcement purposes.
With the police department as the custodian of the records.
The city sustainability department, this is the home of the whole streetlight program, did not have access to the crime-related data.
So the police are policing their access to the data.
Yeah.
Is that right? They're saying, we have access to this information, no one else can see it. And that's how we're gonna roll with these.
Thank you very much, City of San Diego, for putting this up.
Thank you very much, City of San Diego, for putting this up.
Yeah.
Now, early this year, 2020, data from the police department indicated that video from streetlights was up to 175 cases in the first 18 months of the police department's use.
So this was just announced. No one really knew this was happening, right? So this all came out earlier this year, and people were like, what?
And in the list, it included murderers, sexual assault, kidnapping, things, but it also included vandalism and illegal dumping. I feel weird saying that word in English.
How do I say—
So this was just announced. No one really knew this was happening, right? So this all came out earlier this year, and people were like, what?
And in the list, it included murderers, sexual assault, kidnapping, things, but it also included vandalism and illegal dumping. I feel weird saying that word in English.
How do I say—
Yeah, when you— it's tipping, isn't it?
Tipping. Yeah. Or dumping. Fly tipping.
Yeah.
Yeah. So it also includes vandalism and illegal fly tipping, or what they call dumping. Okay.
Which caused— in the dumping bit, in the vandalism bit— caused activists to go, is that actually what you would call a serious crime? Now you have two sides.
One side saying control and surveillance creep is bound to happen, so they have unfettered access, and why would they call illegal dumping a serious crime?
Which caused— in the dumping bit, in the vandalism bit— caused activists to go, is that actually what you would call a serious crime? Now you have two sides.
One side saying control and surveillance creep is bound to happen, so they have unfettered access, and why would they call illegal dumping a serious crime?
There are all kinds of different crimes though, aren't there? I mean, it is very difficult to work out which ones are the serious ones, which ones aren't.
I heard today about a guy who regularly has to force his electric vehicle to go up on the curb in order to get onto his drive properly in possibly a dangerous way.
Is that the kind of thing which a streetlight could spot?
I heard today about a guy who regularly has to force his electric vehicle to go up on the curb in order to get onto his drive properly in possibly a dangerous way.
Is that the kind of thing which a streetlight could spot?
I hope so.
What do you think about all this, David? Do you think there should be legislation in place before they put these lights into action?
Yeah, and I think that's exactly it, because you spoke earlier in this story about the number of times that the data or the control of the data or the stuff that collects that data, that the number of times that changed hands or was allowed to change hands.
So if there were a contract or if there were something in place at the beginning that would maintain the sanctity of that data for its original purpose in some way, notwithstanding mergers and acquisitions and sales, then I think that would protect everyone's interests and the original intent of that installation a lot better.
But I mean, who knows who this stuff could have been sold to? It's ended up with law enforcement.
There are some other pretty rotten places that that data could have ended up, could still end up as well.
So if there were a contract or if there were something in place at the beginning that would maintain the sanctity of that data for its original purpose in some way, notwithstanding mergers and acquisitions and sales, then I think that would protect everyone's interests and the original intent of that installation a lot better.
But I mean, who knows who this stuff could have been sold to? It's ended up with law enforcement.
There are some other pretty rotten places that that data could have ended up, could still end up as well.
Yep, totally. Cops' retort, you know, this whole thing about the illegal dumping, right? But the retort from the cops was they don't monitor their feeds.
The dumping incident involved a truckload of concrete that blocked vehicles from entering and exiting a parking garage used by the FBI employees, and therefore, in their view, qualified as a serious situation.
The dumping incident involved a truckload of concrete that blocked vehicles from entering and exiting a parking garage used by the FBI employees, and therefore, in their view, qualified as a serious situation.
That does sound like a serious dump. Yeah, please, David, come on. Always lower in the town.
The city has now decided to take the videos offline, right? So the street cameras currently have been turned off until they can figure out something that works.
But this also fits in with their whole contract fiasco that's going on under the waters.
They're now dealing with a company called Ubiquia, and they now own and manage the technology and manage the algorithms and the data. So they need to hammer out a new contract.
But this also fits in with their whole contract fiasco that's going on under the waters.
They're now dealing with a company called Ubiquia, and they now own and manage the technology and manage the algorithms and the data. So they need to hammer out a new contract.
I wonder if there are any limitations on that company deciding to sell to someone overseas, for instance.
I can't believe a city would not think of, in any contract, to have a clause that prevents a business supplier from throwing you through the hoops through an unforeseen sale.
It's sorry, I know I agreed to do this, but oh yeah, no, we had to sell, so you're now dealing with Joe Blow here. You didn't have a— you didn't know?
He didn't— I just think it's crazy.
It's sorry, I know I agreed to do this, but oh yeah, no, we had to sell, so you're now dealing with Joe Blow here. You didn't have a— you didn't know?
He didn't— I just think it's crazy.
I don't know.
Well, what if you come on next week and it's Dave here instead of me? I just said, oh sorry, I sold my part to Dave. Five figures.
I'm so sorry, David.
I'll pay you forward.
So many of us now working from home for the first time, IT administrators as well as employees. So you want to make everyone's life a little bit safer? Look into LastPass.
For admins, you get a centralized dashboard to administer all the integrations and the policies in the reporting. Plus, you get a vault for every single user.
And users, you have these cool functions autosave and autofill, or organizing notes and documents, or helping you manage your work and personal life separately.
Check it out at smashingsecurity.com/lastpass. And remember, home users, you can use it at home for free. More info at smashingsecurity.com/lastpass. LastPass.
For admins, you get a centralized dashboard to administer all the integrations and the policies in the reporting. Plus, you get a vault for every single user.
And users, you have these cool functions autosave and autofill, or organizing notes and documents, or helping you manage your work and personal life separately.
Check it out at smashingsecurity.com/lastpass. And remember, home users, you can use it at home for free. More info at smashingsecurity.com/lastpass. LastPass.
Attacks and breaches are sadly a fact of life. They happen. What's most important is how well your organization responds, and technology isn't really enough.
Your staff must be ready too. Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.
Check out their free ebook all about the MITRE ATT&CK framework and how you can use it as a part of your cyber skills strategy.
Phishing, and improve your security posture by identifying weaknesses. Go to immersive-labs.com/smashing right now to download your free ebook. That's immersive-labs.com/smashing.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Your staff must be ready too. Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.
Check out their free ebook all about the MITRE ATT&CK framework and how you can use it as a part of your cyber skills strategy.
Phishing, and improve your security posture by identifying weaknesses. Go to immersive-labs.com/smashing right now to download your free ebook. That's immersive-labs.com/smashing.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be.
Well, this week scientists believe that they have found evidence of life on Venus.
I know, it's crazy. It's crazy.
Amazing news. But forget about that because Paris Hilton has got a new video out on the internet. And it's— what?
Who is Paris Hilton?
Hmm? Who's Paris Hilton? Is that like who— what's Instagram?
Exactly.
Paris Hilton is— I've always had a sneaking regard for Paris Hilton. This is what I'm going to share with you now.
I don't know quite when it happened, but I remember seeing Paris Hilton doing her airhead bit on some TV show once.
I don't know quite when it happened, but I remember seeing Paris Hilton doing her airhead bit on some TV show once.
The Hilton heiress.
That's right. Yes. I think she's the granddaughter of Baron Hilton.
One of the first world socialites.
Well, she's a real influencer. And she was, I believe Kim Kardashian was her personal assistant for a while or something like that.
Anyway, but yes, Paris Hilton had a reality TV show in, I guess, the '90s or something like that. There is now a documentary on YouTube called This Is Paris, all about Paris Hilton.
Which she sponsors.
Anyway, but yes, Paris Hilton had a reality TV show in, I guess, the '90s or something like that. There is now a documentary on YouTube called This Is Paris, all about Paris Hilton.
Which she sponsors.
How many people are destroyed and so depressed? They go in thinking, I'll hear about the Arc de Triomphe. I'll hear about the Eiffel Tower. Champs-Élysées. Oh no.
Hi everybody. Well, interesting that you say, hi everybody, because one of the revelations, of course, is that Paris Hilton doesn't actually talk like that.
Oh, right.
And Paris Hilton has, as I suspected for some years, been pretending to be an airhead bimbo with a squeaky voice.
And of course, she's actually an incredibly successful entrepreneur who's dashing around and has her finger in many pies and is making herself quite a mint from perpetuating this image.
And of course, she's actually an incredibly successful entrepreneur who's dashing around and has her finger in many pies and is making herself quite a mint from perpetuating this image.
So she's a bit like you then?
No, she's not. Well, I don't have a squeaky voice, do I? I've been watching this. I must admit, I haven't finished watching it yet.
I'm about halfway through because it only just came out yesterday at the time of recording.
I'm about halfway through because it only just came out yesterday at the time of recording.
I think it's a YouTube original, isn't it?
It is, yes.
What does that mean?
I think YouTube probably have paid for it.
And then what, we watch it for free on YouTube?
You go to YouTube, then you see YouTube ads, I guess. But I think YouTube is trying to set it up. So you may know more about this, David, than me.
I think it's trying to set itself up as another, one of these subscription services. Because I think you can pay YouTube, can't you, for content.
I think it's trying to set itself up as another, one of these subscription services. Because I think you can pay YouTube, can't you, for content.
Yes, you can, and you can skip adverts. It's got a music service as well.
But given that every tech firm out there is trying to turn into a media outlet and a content creator, from obviously Apple and Netflix and so on, yeah, Google's trying to get in on the act, or Alphabet's trying to get on the act with YouTube as well.
And I watched the first 5 or 10 minutes of this when you shared the link earlier on, Graham. And yeah, I was pleasantly surprised.
And that first point that you make about, you know, what is her voice?
I think they very cleverly play on that in the intro sequence to it where she goes into a recording studio and goes, hi everybody!
And she starts speaking in half a dozen different voices saying, what is my voice? What is my voice? What is my voice?
You know, I thought it was very knowing and very self-referential, but it was quite intriguing nonetheless.
So I suspect I will watch a bit more of it, but I know my wife will watch all of it.
But given that every tech firm out there is trying to turn into a media outlet and a content creator, from obviously Apple and Netflix and so on, yeah, Google's trying to get in on the act, or Alphabet's trying to get on the act with YouTube as well.
And I watched the first 5 or 10 minutes of this when you shared the link earlier on, Graham. And yeah, I was pleasantly surprised.
And that first point that you make about, you know, what is her voice?
I think they very cleverly play on that in the intro sequence to it where she goes into a recording studio and goes, hi everybody!
And she starts speaking in half a dozen different voices saying, what is my voice? What is my voice? What is my voice?
You know, I thought it was very knowing and very self-referential, but it was quite intriguing nonetheless.
So I suspect I will watch a bit more of it, but I know my wife will watch all of it.
I think it's— what I've seen, I think it's actually surprisingly good and deep. You do get the impression that— I mean, we've all had bad things happen to us in our past, right?
Everyone's had some kind of trauma, I think. But she does seem to have had some particularly traumatic events happen to her, which are touched upon in the—
Everyone's had some kind of trauma, I think. But she does seem to have had some particularly traumatic events happen to her, which are touched upon in the—
Like no hotel towels?
No, you see—
Serious stuff. So you've fallen for her?
No, I haven't fallen for her. No, no. I just think she is a person. I think that's important to remember about these people who are often pilloried online.
Just like Elon. Yeah.
Yeah.
Yeah. Totally.
You get the impression life is not all roses being Paris Hilton, and you do end up with a different impression of her. And so for that, I think this is worth watching. So the—
Maybe I'll try and see if my impression changes.
It's called This Is Paris. Yeah.
Not the city.
No.
But she feels she's as big as the city, so she could just say that.
David, I'm just ignoring you now.
Okay.
Because you're—
What's new?
Clearly you feel threatened by Paris Hilton.
Yeah, that's it.
I'm probably your— What was her name of her friend? Something Richie. Lionel Richie's daughter. I can't remember.
I'm—
Anyway.
Nicole?
There was— Or was it Nikki? Nikki Richie?
I can't remember. That way he'll always remember.
Oh, wouldn't it be great if Lionel Richie was your Hello!
Every morning.
David, quickly, quickly, what's your pick of the week?
Right, Carole, brace yourself. Okay, braced. This one is security related. Trust me, please, it is in the very best possible way.
So you may have noticed over the last few years that escape rooms have been very popular, as have quizzes that mix real-world exploration with fantasy. So not just Pokémon Go.
I've done some of these in the past where you and a team of buddies become detectives and you have to solve a crime against the clock by following clues planted in real places across the city centre.
We did one on the South Bank of London fairly recently. Good fun. Yeah, really good fun until COVID hit and kind of put the kibosh on all of that.
But one of the firms behind these experiences Hidden City has just released an immersive game, they call it, that still creates this buzz of physical exploration and collaborative gaming with your buddies, but it works absolutely perfectly in lockdown.
So it's called Moriarty's Game: A Killer in the Hive, and you are a detective in a security operation, and you are guiding a frontline on-the-ground investigator as she tracks down a crime network following leads that you're giving her.
It's ingenious, and it really feels genuinely immersive because you're using CCTV, you're making calls to contacts on your mobile, you're leaving voicemails to people, and there's some really clever speech recognition stuff that makes that bit work.
You're even hacking into home security systems using images on people's Twitter accounts and so on.
It creates a real drama, a real sense of achievement, and you do feel as though with a bit of willing suspension of disbelief, you're doing this for real.
So you may have noticed over the last few years that escape rooms have been very popular, as have quizzes that mix real-world exploration with fantasy. So not just Pokémon Go.
I've done some of these in the past where you and a team of buddies become detectives and you have to solve a crime against the clock by following clues planted in real places across the city centre.
We did one on the South Bank of London fairly recently. Good fun. Yeah, really good fun until COVID hit and kind of put the kibosh on all of that.
But one of the firms behind these experiences Hidden City has just released an immersive game, they call it, that still creates this buzz of physical exploration and collaborative gaming with your buddies, but it works absolutely perfectly in lockdown.
So it's called Moriarty's Game: A Killer in the Hive, and you are a detective in a security operation, and you are guiding a frontline on-the-ground investigator as she tracks down a crime network following leads that you're giving her.
It's ingenious, and it really feels genuinely immersive because you're using CCTV, you're making calls to contacts on your mobile, you're leaving voicemails to people, and there's some really clever speech recognition stuff that makes that bit work.
You're even hacking into home security systems using images on people's Twitter accounts and so on.
It creates a real drama, a real sense of achievement, and you do feel as though with a bit of willing suspension of disbelief, you're doing this for real.
I like it.
It's great. I've posted a link. Have a look at the video in there, because I think that does quite a good job of selling it.
We did it a couple of weeks ago with some friends, and it works very well if you and your team are in the same room.
But the genius is it also works if lockdown means you're in different places, because you will get the same messages on your mobile.
You all are told to go to the same CCTV addresses on the internet.
So real hats off to Hidden City for this, because it surprised genuinely surprised me no end that something like this could work so well, be so immersive, and so much fun.
And that is why Moriarty's Game: A Killer in the Hive is my pick of the week.
We did it a couple of weeks ago with some friends, and it works very well if you and your team are in the same room.
But the genius is it also works if lockdown means you're in different places, because you will get the same messages on your mobile.
You all are told to go to the same CCTV addresses on the internet.
So real hats off to Hidden City for this, because it surprised genuinely surprised me no end that something like this could work so well, be so immersive, and so much fun.
And that is why Moriarty's Game: A Killer in the Hive is my pick of the week.
Is it for adults or for kids or for all?
I would say I don't recall there being anything that would mean that children would be, yeah, I don't think there's anything in there that means it wouldn't be safe for children.
From what I recall, it all seems there's no profanity in there.
But certainly, you know, there was me and a bunch of similarly aged chaps and chabettes, and we had great fun, great time.
From what I recall, it all seems there's no profanity in there.
But certainly, you know, there was me and a bunch of similarly aged chaps and chabettes, and we had great fun, great time.
Cool.
Sounds a lot of fun. Carole, what's your pick of the week?
Well, my pick of the week. Now, as you all know, I am a pod addict, right? A podcast addict. But I always have problems finding new solid recommendations.
And I use Reddit, and I look around, and I find lists from people. But it can be hard, right? Because I tend to shy away from social media pool parties, right?
So I don't get that drip, drip, drip of new news. Anyway, so I found this just by chance. I happened to be just zooming around, looking around for a new podcast to just check out.
And I found this one called Castology.
And this is where 3 hosts, Liz, Nick, and Zane, and I think they're all based in Australia, they discuss podcasts and give us their takes on it. So the format's really cool.
They each find a podcast to recommend to the others. They may think the others might like it or not like it, but they think it's worthy of a listen.
And then everyone listens, and then the following week everyone kind of reports back.
So every week you have a new recommendation from one of them, and then you have 3 kind of reviews from everybody and what they thought about it.
And I use Reddit, and I look around, and I find lists from people. But it can be hard, right? Because I tend to shy away from social media pool parties, right?
So I don't get that drip, drip, drip of new news. Anyway, so I found this just by chance. I happened to be just zooming around, looking around for a new podcast to just check out.
And I found this one called Castology.
And this is where 3 hosts, Liz, Nick, and Zane, and I think they're all based in Australia, they discuss podcasts and give us their takes on it. So the format's really cool.
They each find a podcast to recommend to the others. They may think the others might like it or not like it, but they think it's worthy of a listen.
And then everyone listens, and then the following week everyone kind of reports back.
So every week you have a new recommendation from one of them, and then you have 3 kind of reviews from everybody and what they thought about it.
Okay.
And there's— I've gone through their list. I've probably listened about 3 or 4 shows so far.
I've gone through their list and I've listened to probably 50, 60% of what they talk about.
So that's really exciting because I can kind of get a little taste of a new pod without diving in.
I've gone through their list and I've listened to probably 50, 60% of what they talk about.
So that's really exciting because I can kind of get a little taste of a new pod without diving in.
And how do they find out about new podcasts? Do listeners suggest them to them?
Well, yes. And you know what? Do you know what? I actually submitted ours to be reviewed by them. I don't know if they'll— I don't know if they'll do it.
No pressure.
I don't know if they'll do it. Well, right, who knows.
What I like about them is they don't just sit there and wax lyrical about every single podcast, because that would be boring, right?
Sometimes one of them likes it and the other just— the other two just do not dig it at all, or two of them like it and the other one doesn't, right?
So it's— I think that's kind of interesting and it's a bit edgy. So we'll see if they cover— we'll see who they like better.
What I like about them is they don't just sit there and wax lyrical about every single podcast, because that would be boring, right?
Sometimes one of them likes it and the other just— the other two just do not dig it at all, or two of them like it and the other one doesn't, right?
So it's— I think that's kind of interesting and it's a bit edgy. So we'll see if they cover— we'll see who they like better.
Graham, can I stress that I would like it if all three of them liked our podcast?
Well, they might.
Just giving them a plug.
I just want to know who they like better. We haven't given them a Graham.
We have a Graham Cluley. Oh, for goodness sake.
Yes. So I want to know who they like better.
What a meanie.
So the podcast is called Castology. Castology. Get it wherever you get your podcast. Check it out, it's worth it.
I've heard it's excellent. I don't think it's as worth it. I've heard it's really, really good.
You'll never quit.
And that just about wraps it up for this week. David, I'm sure lots of our listeners would love to follow you online, see what you're up to. What's the best way for folks to do that?
Probably hook up with me on Twitter @DavidMcClelland, all the C's, couple of vowels chucked in for good measure.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G, and on Reddit, just look for the Smashing Security subreddit.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, such as Overcast, Apple Podcasts, Spotify, Pocket Casts, and you'll never miss another.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, such as Overcast, Apple Podcasts, Spotify, Pocket Casts, and you'll never miss another.
Socially responsible air kisses to you all for listening, supporting the show via Patreon, and sharing this podcast with your people.
Also, high five to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Also, high five to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time, cheerio, bye-bye.
Bye.
Bye-bye.
David, can I ask you a question?
Yeah, far away.
So I grew up in the country and you live in the country now, but is it country enough that you play with your children cow patty bingo?
What's cow patty bingo?
You kind of divide up a field of cows, you divide it up in quadrants, right? And everyone owns a quadrant and owns some areas.
And then as a cow goes and it goes into one of your own quadrants, you get a point. Summer fun.
And then as a cow goes and it goes into one of your own quadrants, you get a point. Summer fun.
I don't think I have played that. Cow tipping, perhaps, but that's an entire podcast in itself.
That doesn't exist. I think that's an urban myth.
I don't know. I feel as though maybe I should have played it. It's one of those memories that I have that I don't really know if it's real or not.
Well, maybe it's a Canadian thing.
Who knows?
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
David McClelland – @DavidMcClelland
Show notes:
- Kalashnikov smart shotgun – MP-155 Ultima.
- Kalashnikov reveals first Russian-made smart shotgun MP-155 Ultima — YouTube.
- Mike Jernigan, blind veteran, uses a TrackingPoint system to land a 300+ yard shot — YouTube.
- See how a self-aiming sniper rifle can be remotely hacked — Hot for Security.
- Tesla Network Vulnerability Report – 2017-03-24 (Annotated) — Google Docs.
- The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he's a good guy — Electrek.
- Smart Streetlights Program — City of San Diego.
- Cops Tap Smart Streetlights Sparking Controversy and Legislation — IEEE Spectrum.
- Mayor orders San Diego's Smart Streetlights turned off until surveillance ordinance in place — The San Diego Union-Tribune.
- Mayor was right to shut off Smart Streetlights — The San Diego Union-Tribune.
- Hints of life on Venus — University of Manchester.
- "This Is Paris – The Real Story of Paris Hilton" — YouTube.
- “This is Paris” is a quixotic redemption story about what it means to be a human and a brand at once — Salon.com.
- Moriarty's Game: A Killer in the Hive.
- Castolog – a podcast recommendation podcast — That’s Not Canon Productions.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: Immersive Labs
Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.
Check out their free ebook all about the MITRE ATT&CK framework, and how you can use it as part of your cyber skills strategy and improve your security posture by identifying weaknesses. Visit immersivelabs.com/smashing now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
