
Beware your Roomba’s roving eye, the Finns warn of AI threats around the corner, and watch out when hailing a cab in Dublin…
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Register’s Iain Thomson.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And these photos, which have been shared, include pictures of people sat on the loo.
And people are sharing these pictures online. People are like, oh, hey, take a look at me.
No, no, no, no, no, no, no, no, no, no, they're not okay. Smashing Security, episode 303: Secret Roomba snaps, Christmas cab scams and the future of AI, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 303. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, for our last episode of the year before Crimbo, look who we've got. We've got The Register's Iain Thomson. Hello, Iain.
Hello there. How are you this fine and lovely morning?
You mean afternoon? Oh, we're doing a transatlantic.
I'm actually a little bit like Rudolph the Red-Nosed Reindeer because I have an enormous pimple right on the end of my nose.
That's not like Rudolph because that's not— that's not a charming little cute deer with a—
Well, it's red, it glows. I'm scared of going out of the house in case people laugh at me.
Do you want a trick? Do you want a trick on air?
Oh, go on then, Tonya, tell me, tell me.
Just tonight when you go to sleep, just dab on a little bit of baking soda, which you probably won't have, so a little bit of toothpaste on your little—
Really?
Yeah, and it will dry it out by morning.
Oh, interesting.
Okay.
There you go. That's how we open the show.
Lots of tips.
Before we kick off, shall we thank this week's sponsor, Bitwarden? It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what have you got?
A hooga, a hooga, a rumba, a rumba.
Iain, what about you?
Well, I've got a security warning from the Suomis. The Finnish government has been looking into how AI is going to be used to crack your computers over the next 5 years.
Oh God. And thank God I'm here, everyone. I have a Christmasy tale of Irish woe. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, listen carefully. You might be able to hear the sleigh bells ringing in the distance. Snow is falling even in San Francisco. It's been a wee bit frosty. Santa is going ho ho ho ho ho ho ho. We're all relaxing and it's time for the Smashing Security Christmas party, of course. Oh, wonderful. Just imagine. I mean, there will be lots of people listening right now who've been to a Christmas party or looking forward to their Christmas party. Imagine the scene. Imagine your boss has invited you to the Christmas party, and he reckons he's a great cook. He claims he can make all the big dishes, all the popular ones, everything people expect at Christmas. Cheesecake filled with strawberries, ham and Coke.
Ham and Coke?
Yeah, yeah, I've seen people do that before.
Oh, good grief.
Sea urchin guacamole tacos, macaroni cheese, all of the delicacies, everything. So you're there, right? Maybe you've been invited to Christmas parties like this. We're around at the—
You know this is Smashing Security, right? Not Sticky Pickles.
I know it's not Sticky Pickles. I know, I know.
I was thinking we were going for the Bake Off market, but go on.
Yeah. Imagine you're there with all the rest of the crew and your boss is serving up some old slop and it's disgusting. It tastes like donkey vomit that's barely warmed up to room temperature.
It's vile.
It tastes of rotten fish. But you have to eat it anyway, don't you? Have you been in that situation? We've been round at someone's party and they've served up, oh, it's just disgusting. It's absolutely horrible. And you've got to eat it because you love your job. And you think, oh, well, the only way I'm going to get through this is by drinking. I've got to be drinking, right?
Well, you're talking to a journalist here, so that's default position.
Yeah, you have to be pushed into eating really, don't you? It's a liquid diet largely. And there you are after the party. You're driving home in the wee small hours of the morning through the city.
Piss drunk? Where are you living? You didn't figure that one out? And you crash and die. The end.
No, that's not the end of the story. But you feel you can— oh, crumbs. Just your stomach. Oh, blimey.
You're feeling a bit—
Oh no.
You're feeling a bit dicky. Right? You've got a bit of a fever. Your stomach's gurgling. Whatever your boss has fed you, it just isn't agreeing with you.
Plus you've got this big zit on your nose, you know.
Which is lighting up the road as you drive home.
Drunk.
You lurch into your bachelor pad. Carole, you're in a spinster's cave or a chick shack or whatever. What is the feminine version of a bachelor pad? About a toilet pad? A home. A home, okay. You live alone. You don't have a partner. It's just you, right? You race to the loo. You pull down your kecks and you let loose.
This is just too visual, honey.
This is what we're doing. We're painting a picture with words.
No one wants to see this picture.
Quite literally painting from the sounds of it.
Yes. We're decorating the porcelain.
We're pebbledashing it. Yes.
Thank God I don't have to edit this.
And then, and then you hear a noise, right?
Click.
Something or someone is in the hallway. It's the dead of the night. You're thinking, who could that be? Did you leave the front door open? Could there be a burglar?
A robotic burglar?
Ah.
What about an electric toothbrush?
It's not your electric toothbrush. No, no.
Coming to attack you, Chucky style.
The cat's become a cyborg.
Exactly.
You try and stay as quiet as you can, right? You're gripped with fear.
It's the tuna fish you should have thrown out weeks ago.
It's difficult to stay quiet in your current state. You try to clench your buttocks, but— And then it comes around the corner. Oh, thank goodness for that. It's the iRobot Roomba J7 series robot vacuum.
Which miraculously appears in your house without you purchasing it?
No, you did. You do own one of these.
You just forgot.
Yeah.
It becomes sentient at 2 o'clock in the morning, because that's when people set them to go round the house.
No.
Who does that?
Lots of people do, because you're asleep upstairs. And so you say, do a quick, you know, trawl round the house.
At 2 in the morning?
Yeah.
Not if you live in a bedsit. You put us in a— what was that? A chick shack you offered me.
It's a bedsit. It's a bachelor pad.
You mean a mansion. You mean a mansion.
It might be a duplex. You might normally live upstairs. Anyway, it's your pride and joy. It's your little friend. It's vacuuming your house tirelessly in the middle of the night when normally you'd be asleep. And you think, well, that's all right, isn't it? Doesn't matter. That's safe, isn't it? No, wrong, wrong. Not safe at all. Because as MIT Technology Review has reported, pictures are being taken inside people's homes by Roomba robot vacuum cleaners and are then being shared on social media.
Okay.
Whoa, whoa, whoa, whoa, whoa, whoa.
Yeah.
What kind of— okay. Are they pictures of the floor?
Pictures on the loo?
Yeah. Are they pictures of the floor in front of them? So if I was on the loo, they would see my big toe?
I am talking about pictures where the camera is angled upwards. And these photos, which have been shared, include pictures of people sat on the loo.
That's. No one wants to see that with me involved.
And people are sharing these pictures online. People are like, oh, hey, take a look at me.
No, no, no, no, no, no, no, no, no, no, they're not. It's not the owners. No. Because as Technology Review describes, pictures of, for instance, a young woman in a lavender T-shirt sitting on pulled down to mid-thigh are being posted on social media, not by young woman in question.
But by?
Well, this is the question, isn't it? So there's two big questions as I see it. Number one, who on earth wears a lavender T-shirt? Okay, three big questions.
Loads of people wear lavender T-shirts.
No, they don't. No, they don't.
Yes, they do.
No, they don't. I don't know. I don't know. Let's do a test right now. Let's do a survey.
I'm just raising my hand here at the moment. I do have a lavender T-shirt.
You have a lavender T-shirt?
Yes, but it—
Admittedly, it does have a picture of Cerebus the Aardvark printed on the front of it, but it is lavender.
My hair is currently lavender.
Well, I'm outnumbered. Okay, so 3 big questions. Who wears a lavender T-shirt? I think we've answered that one. Next question: why are robot vacuum cleaners taking photographs of people on the loo? And finally, why are these photographs being posted on social media sites? And I hope to explain why this is happening. To you. So, first thing is, these are not regular Roomba vacuum cleaners. These are pimped-up Roomba vacuum cleaners. If you are lucky enough to work for iRobot, the company that makes Roombas, they were recently acquired by Amazon.
Yes, everything will be at some point. Yes.
Yeah.
You might be lucky enough to be gifted a development version of their robot vacuum cleaner, which includes additional software and hardware designed to learn more about life in the outside world.
So instead of pimp up my car, pimp up my Roomba.
Let's not use the word pimp too much at the moment. It would stick to my nose, if you mind. That'd be good. But yes. So maybe it's Mrs. Geoff Bezos sat on the loo. I don't know.
Well, they're not living in the same—
Yeah, they're not living in the same house anymore, yeah.
Exactly. I'm pretty sure she has a mansion somewhere else.
You've not done a lot of research in this story. There is a lot of money.
He's got a girlfriend. Hasn't he married his new girlfriend?
No, no, they're still just dating and trying. He's just wandering around.
Discussing the prenup.
Going through his midlife crisis. Oh God, discussing the prenup. That's going to be a long one.
So there are people who work for the company who get these vacuum cleaners, these special versions of the vacuum cleaner. But there are also apparently people who are actually paid by Roomba to collect data.
Oh, get paid guinea pigs.
Like beta testers kind of thing.
Yes. I think what's happening is that they basically say, look, if you pay me a little bit of money, I will run your special Roomba around my house and allow you to collect data about me and about my house.
Oh, so the fine print. It always comes down to the fine print.
So maybe this is their way of getting the robot vacuum on the cheap. And all they have to do is pay with their privacy.
Yeah, I mean, I'm sure we both remember InfoSec. There was one PR company that did a questionnaire on would you give over your password for a chocolate bar? And it was typically about 80%. So yeah, Roomba, no surprise there.
Yeah, and anyone will say anything for a chocolate bar, won't they? It's the most pointless press release ever, wasn't it?
Well, yeah. I mean, 1, 2, 3, 4. Now give me the chocolate bar.
Yeah, give me the Cadbury's. So these people apparently sign written agreements acknowledging that they know they are sending data streams, including video, back to the company for training purposes. Now, when I heard about these streams, I was thinking again of the woman on the loo, but it's not data streams. Data streams, please, please, Iain, raise the tone. According to iRobot, these Roombas are labeled with a bright green sticker that reads video recording in progress.
And it doesn't have a little thing saying lawsuit averted.
And they also say, so Roomba also said, look, you have to remove anything that you deem sensitive from any place the robot operates in, including children. So you have to remove children.
Oh my God. You're like, the Roomba's in there. Get out now.
Throw the kids in the garden. Little Charlie! Lock them in the airing cupboard. Tell them to hide upstairs. Pretend there's a Dalek in the kitchen. Go upstairs, stay up there until we've dealt with it.
Graham, are you suggesting that the reason they say hide your private stuff is because they automatically put it on social? Is that what they're doing?
Well, I don't think it is automatic. I don't think it's designed to promote— remember, we're going to get on to—
Okay, I'm sorry, I'm just—
in a moment. No, but it's an interesting theory.
I mean, I have to say, I was just thinking, it's just like, well, hang on, security on IoT devices is pathetically bad, usually. So maybe, is someone hijacking the signal?
Right. We've seen this recently, haven't we? We have Eufy webcam doorbell things.
Yep.
Where they've been uploading, and you can get a livestream from people's doorbells, even though they claimed they weren't sharing anything with the internet.
Indeed, also transmitting passwords in plain text over Bluetooth.
Right.
Very, very popular.
So iRobot, when this Technology Review report came out, they're not very happy about it. And they say, look, as far as we're concerned, anyone who appears in these photos or videos, they're perfectly fine with being recorded. Whatever they're doing, they're comfortable with it. And our employee who you caught on the loo or our Roomba caught on the loo, I'm sure they're fine with that because they signed off on it, you know, and they wouldn't have allowed the vacuum cleaner in if they— but the problem is, of course, these things are collecting our personal information. There's so much IoT which is doing this and other services as well.
I'm just wondering why you didn't start this story with a couple trying to do a bit of Netflix and chilling, you know, as opposed to the extremely colorful—
Because that's the example that was actually shared by MIT Technology Review, was of this woman on the loo.
I'm looking at it now and the picture is, yeah. She's sitting there showing—
Yeah, she is.
Yeah.
So why are Roombas collecting this information? To get smarter. That's why they're doing it. They're learning more about the outside world. And the reason why they're not just looking ahead but are angled upwards is because they want to learn more about their environment. And so they're thinking, well, you know, we need to know what's around. And for instance, you might be able to map a room more easily, the dimensions of a room, if you look upwards towards the corner of the ceiling rather than trying to work it out from what you can see at floor level. It kind of makes sense.
Is she doing her business in the dark or does it have just a really shit camera?
It looks like there's a light on outside, but not in the room itself. God, I feel like a pervert just looking at this.
Yeah.
I haven't analysed the photo this closely, I must admit. So I can't help with this.
Hey, don't blame me. You brought this one up.
Hey, you definitely used your imagination, yeah.
So, what happens to these pictures and video streams? Well, of course they're uploaded to the internet, right? I mean, you know, surprise, surprise. Where a massively sophisticated AI, artificial intelligence system, analyses every image securely, then securely destru— Oh no, it doesn't do anything like that.
I was gonna say, has Graham lost his mind?
Yes, a while ago.
What happens is— low-paid gig workers. They've got the job of labelling items in each picture and they say, that's a dog poop, that's a chair, that's a stool, that's a frying pan. It sounds like a monotonous job.
Oh, to educate the AI.
Right.
Yeah.
With words and images. So try and do that cross. Yep. Yep.
And iRobot's founder, his name is Colin Angle. He says that this enables them to build intelligence into their products, object recognition and avoidance, blah, blah, blah, customised cleaning suggestions. That's his angle on all of this.
And it's all down to some sod who's got to sit there and click on, this is an image of this, this is an image of that.
Right. And I cannot wait for a fucking smart vacuum cleaner. I mean, I just can't wait. You've got your husband, haven't you?
I do, actually. He does do all the vacuuming.
There you go. There you are. It's the ideal. But of course, these people have now got pictures of your face. And we know that there are services, online services like PimEyes, where you can put in a picture of someone's face and it will tell you who they are and find all their social media accounts and other photographs of them.
Clearview AI would love this data.
Yeah, well, that's another company.
Absolutely. Yeah.
So the second question, was it the third question? Why do these images get uploaded to social media? Well, it turns out some of these guys who are the gig workers, the low-paid guys who are trying to label the items, some of them can't tell the difference between a poop and a stool. They can't tell the difference between different items. And so, because it's sometimes unclear, they upload it. You know, on Who Wants to Be a Millionaire, you can use a lifeline or phone a friend or ask the audience. These guys are posting these images onto an online forum with their coworkers saying, what do you think of this then?
Oh yeah, but there's obviously a hee hee hee, here's a funny one, guys. Which is why they loaded up the toilet ones.
This was on a private forum or on a public one?
It sounds like it was a closed group and the images were then later shared with the journalist.
As happens, yeah.
So that they knew what was going on, as of course, because nothing's really private. But it was being uploaded to social media, closed groups, and of course the social media companies, who knows what they're up to and might be doing with these images as well. So Roomba has, well, first of all, it was a bit annoyed with MIT Technology Review. It said, we asked you not to publish those sensitive images.
Yeah, okay, thanks.
Yeah, yeah, right, okay. Let's write a story and say.
Has that ever worked, Iain? Has that ever worked? I'm sure I begged you once or twice not to write something.
I know, well, in fact, I did. There was a long and hard debate, which actually relates to the toilet issue. Do you remember Norse Security? Oh yes, who went spectacularly bust. We broke the story of the bust, but when I— the person who leaked it to, or one of the people who I was speaking to, obviously you've got to ask, can you prove that you're a member of Norse Security? And I said— he said, well, yeah, here's this and here's this. Oh, and here's a picture of the Christmas card they sent us last year. And he sent the company Christmas card with the CEO and his family. And he'd laid one out over it to be polite and sent us the picture.
What?
He'd literally taken a dump on his boss's photo.
And sent it to you? 'Cause you want to see that?
No, sent it to me for confirmation he wasn't a pissed-off ex-Norse employee. And there was a huge debate about whether or not to run it. I mean, seriously, it was just well, we could pixelate out their faces. But then we also would have to pixel out the device. And then we've just basically got a thing of pixels. It's not a good picture. We can't do it. Use it, but still got a copy somewhere. Anyway, back to the point.
So Technology Review, they actually pixelated out people's faces, the woman on the loo. Yeah. And they sort of said, well, it's more than Roomba did. So iRobot, they say that they are terminating their relationship with the service provider who leaked the images and are investigating and taking measures to stop it from happening again in future, though quite how they're going to do that, I don't know.
Sorry, sorry. Where was the sorry there?
Yeah, it is.
Just a little word. It's not hard, guys. Not hard.
Iain, what have you got for us this week?
Well, usually government reports are really, really boring. And, you know, it's— they are second only to financial statements when it comes to we've got to cover this story. I'm going to be spending the next 2 hours reading, you know, bland stuff. But amazingly enough, Finland, a nation which punches above its weight in software, hardware for Nokia, drivers for Formula 1 and rallying, and in getting spastically drunk and jumping over fires, which is actually a leading cause of death during the summer solstice.
You're kidding.
No, they lose a couple of people every year because you go out to the country, you build a big bonfire, you get drunk, and then you jump over it and people trip and fall.
What could go wrong?
Basically, they've laid out a 5-year plan of where we're going in terms of AI systems being used to hack your computers. Now, this is obviously speculative, but it is taken from, you know, an analysis of what data is out there and what code is there. But it's also— we're going back to probably the early 1990s in terms of security and script kiddies. Because these people, once they get AI enabled, are— you can farm this stuff out to anyone who'll pay. So, I mean, the main problem is they're going to use AI for finding holes in your system. Automatic vulnerability scanning is going to get improved, and then you've got generating data to do proper spear phishing. And finally, it's the speed of reaction. You know, you can't beat a computer when it comes to speed and automation. And this is a point where I disagree with the report. They say there is no evidence of AI attacks. And well, first off, you know, GAN generation of faces could be considered an AI attack. So we're at that stage already. But the main thing at the moment is for phishing. Well, what they're predicting will happen is that you'll go for a vulnerability, you'll find a vulnerability, get in there, and the AI system will automatically look for key data and key individuals who can be targeted in future. So basically, yeah, next couple of years phishing is going to be the major issue. But the big question is, can you get full end-to-end? Malware gets into your system, defeats your security software, reacts to its attempts to cut you out. They're putting that at 5 years. And they're saying it's only gonna come from nation states. So yeah, it's going to come, but I think we're all pretty much divided on when it's going to come.
I wonder if, I wonder if this might mean the end of something like apps, right? Because apps won't be able to survive in a world like that. 'Cause they'll all be full of vulnerabilities, right? Like, they come so— now.
Yeah. Yeah.
Yeah.
I think you're right.
Yeah. I wonder if we'll, and I'm just wondering if we'd go back to a kind of Google or internet-based method of working.
Oh, because those can't have vulnerabilities, you mean?
No, no, they can, but I wonder if, I don't know. Yeah, I don't know. It's just really, I think everyone's kind of overwhelmed with how many fucking things you gotta manage. Yeah. It's just too much.
And this is one of the things they're relying on. It's just, because you're right, we've got so many of these things. I probably shouldn't. I mean, I don't know about you guys, but corporate policy is I have to change my password every few months. And that's just a nightmare.
Obviously, there are automated systems already used by vulnerability researchers to find vulnerabilities.
Exactly.
To find security holes. And we've even seen recently things like ChatGPT where you can give it a lump of code.
Yeah.
And say to it, tell me where the problem is. And it'll say, oh, there's a vulnerability here. Yeah.
Now, admittedly, Stack Overflow banned them temporarily because they got it wrong so many times. But that technology is getting scarily smart now.
Yes. Yeah.
It's only still nascent.
Well, as you say, though, there are already tools to do this. One of the points they made in the report is that when it comes to an AI going around internally in a network and avoiding security software, there are no datasets for that as yet. There's not even that much academic research. There's only been— I think there's a research center in Israel from 2020 and one at Carnegie Mellon from 2019 looking at this stuff. So there's no AI training sets, but that day will come. I should imagine several governments are working on that at the moment. Isn't that a cheery thought to go into Christmas with?
Is there anything good that's coming from AI though? Is there a— I mean, if we were to balance the good and the bad, do you— it feels like we tell a lot of doom and gloom stories regarding artificial intelligence. Well, you do, Carole. Yes, all the time.
We tell doom and gloom stories about technology in general, Graham.
My story was very, very positive. If you were to fall down the lavatory, then maybe the robot would actually come to your rescue. Maybe it would send out a distress call. It's only going to require a new update, I'm sure, to the Roomba to do that.
Alright, so now definitely do poop with your Roomba with the door open.
Well, didn't you hear that? I don't know if you heard that story this week that happened with someone's Apple iPhone. This was a remarkable case down near Los Angeles. Just, it was local news. A couple were driving along, lost control of the vehicle, fell 300 feet into a gorge. Thanks to the miracle of airbags and proper seatbelts, they survived, but they were in the middle of nowhere. And that iPhone detected the crash and said, do you want to contact the satellite? And they're like, what? Okay. And they told it, the iPhone said, orientate to here. That got the message out and they were picked up and taken to hospital. But so yeah, sorry, small side note on local news here from the Bay Area. Happy story for Christmas.
That's what we need. Some cheer finally. Thank goodness. Carole, I'm sure you're going to cheer us up with your story as well.
I am. I have a Christmassy tale.
Okay.
But with a warning. All takes place in Ireland. And this year, according to local media, there are concerns that Ireland, the Emerald Jewel, may get slammed by the Beast from the East. Not a fanged mythical creature thing who will prowl the streets instead of Santa Claus.
Vladimir Putin?
Yeah, but more of a weather roller coaster. So it has something to do with the North Pole winds being driven down via the Atlantic, plus the barrage of low pressure. So wind, heavy rain, hail, frost, ice, wintry showers, the whole thing. And while this is music to the ears of probably Irish kids and snow lovers like me, right, who would kill for a white Christmas—
You can take the woman out of Canada, but you can't take the Canadian out of the woman. Exactly.
I love a white Christmas. Cabbies are likely to see a big bump in ride requests, right, when the weather— Yeah. So it's the perfect cabbie trifecta because you have bad weather, you have holiday festivities.
Yeah.
And that means you have many merry people who will need lifts to and from places. But the problem is, since the pandemic, it can be kind of hard to land a cab in Dublin. There are fewer drivers and it can be a nightmare for anybody to secure one. Right, this is all from the Irish Independent, which may be why the Gardaí are warning their Dublin residents of a targeted taxi scam that has managed to pilfer hundreds and hundreds of thousands of pounds from their victims. And so, okay, maybe you can have a go at guessing it. So it involves taxis, right? I'll give you a sentence from an article. I'll just give you the one sentence to see if you guys can backward work it. The criminals have worked out how to beat facial recognition software on mobile phones, which they use to empty their targets' bank accounts.
Are they hacking the taxi driving service?
No, but good one.
Are there cameras in the taxi cabs?
No.
Oh, that's a— okay.
It's a pretty low-tech approach, actually. It's kind of fun.
Is it a cutout of people's faces? Are they wearing reindeer ears?
Using their Facebook photos?
Okay, no, no, I have to— So this is the game plan for the attacker according to the paper. So you hit up a busy pub.
Mm-hmm.
Yeah.
It'll be full of festive cheers and work parties and family gatherings. And you eyeball the target. You might choose your target because you see them pay with their phone, for example.
Right.
Yeah. So then you might scooch up close to them, but in a non-invasive sort of way, and watch them really closely. Shoulder surfing. Shoulder surf them. That's a hard word for me to say.
Shoulder surfing. Yeah.
Shoulder surf. Okay. In a busy pub, it might be pretty easy, right? We have all been in that situation. Yeah. Not since the pando, but I bet this year that's all happening, right?
Yeah.
And you do this because you're waiting to get their phone's passcode.
Oh, you're right, old-fashioned.
Yeah, old-fashioned.
Okay, I mean, that's the ATM attack that's very analog.
Yeah.
Okay, then the scammer then has to wait, right? You got to wait for your target to want to head out. Perhaps, no, tries his trusty taxi app, but guess what? No cars available for the next hour or whatever. So what do you do if you're in Dublin? You'll go outside and maybe try and hail a cab, right? You never know.
Yeah.
Meanwhile, around the corner, a bogus taxi with a fake number plate and a little fake light on the top, maybe even a green smelly Christmas tree dangler on the mirror. It is traditional, awaits instruction from his scammy cohorts to tell him, Paddy, you know, get your skates on.
Oh, Jesus, you can say that?
No, I'll be— I can't believe you said Paddy, Carole. That was outrageous.
Blatant racial slur. It's helping. I feel abused.
Okay, and the fake cabbie's job is to do a drive-by, to be a beacon in the snowstorm, blinking on its little legit-looking light to attract the target, right? In one case, the victim says the fake cab actually honked the horn sort of a yoo-hoo way and then waved him over.
Interesting.
Of course, the target is going, oh God, how amazing am I?
Great, I've got a cab.
Yeah, I'm so lucky, this is amazing. And they hop in, and what do they do next?
I don't know, how do they steal the money? What's this?
We'll just give them a taxi ride.
Wait, wait, wait, what are you going to do when you get in a cab?
You say, follow that cab quick and don't spare on the horses.
You give them your address.
You give them your address.
Probably heading home, don't you?
Yes.
Okay.
All right.
Yeah.
Right.
Ooh, is this the long con?
Right. Okay. So wait, just wait. Okay. But that doesn't seem to be their claim because during the drive, the criminal cabbie has to somehow get his mitts on your phone. Right? So how do you go about doing that? So in one instance, the scammer brought the target close to the destination but then asked to double-check a route. Could he borrow the phone so he could double-check a route on Google Maps? Ah, guy hands over the phone. Cabbie then drops it into the passenger side footwell and claims he can't get it because of his bad back.
I'm sorry. I'm really sorry.
So he says to the target, can you come get it? Can you come out to the front and come get it in the footwell? And the target's like, fuck yeah, that's my phone. So he jumps out of the backseat. Car zooms off. So the phone is now in the cabbie's hands. They, in this instance actually, if they asked for Google Maps, you know, the target would have opened it for them. But the cab, they don't want to just get on the phone. They also want to get access to the bank accounts. So the first step is to reset facial ID to your own face, to the scammer's face. And then once in, they head to the banking apps and try and reset that facial ID. Because lots of the banking apps have facial ID required. And you're almost there because then banks will often ask for a PIN if you try and reset the facial ID for an extra layer of protection. And the key here is that people seem to use the same fucking ID.
Yeah, of course.
That they were shoulder surfing when they first saw how to get into the phone.
Yeah.
That's a really complex effort to—
It's quite elaborate.
Effort to reward, I've got to say. But part of me is just like, well, respect.
It's a great story.
Oh yeah, it is a great story. It's just like, also I've got to say as an American, the idea that your bank is taking that level of security, I mean, and it's just over here, it's a joke. But yeah.
Oh, really, eh?
I mean, don't even get me started. When I first moved over here, Chase weren't allowing symbols in passwords. Just numbers and letters, uppercase and lowercase. Anyway, but I mean, it's a really interesting contrast of social engineering and, you know, just—
And low level. Like, you know, you don't have to be a genius here. Like, you know, this is not tech genius. This is just good old-fashioned fake cabbie, you know? Hey, you need a cab? You need a cab? Jump in.
Well, this is it. The shoulder surfing job's got to be great though, because you've just got to hang around a pub looking over people's shoulders. It's just like, oh great, I can drink on the job.
I tell you what, the best place to shoulder surf is on places like buses, trains, and planes. People are unbelievable. Like, they really feel like they're alone in their seat, and it's unbelievable, especially if you sit on the aisle. Be careful.
This is why the plane flight from DEF CON in Las Vegas back here is fantastic, because you've got a bunch of people on your laptops. It's just like, oh no, I have a weak bladder. I need to go and walk up and down the aisles and just see what everyone's doing for a while.
That's why you never work on a plane.
Oh God, no.
So, okay, moral of the story, use long PINs. Harder for a scammer to remember if you have to type it in.
Maybe fingerprint ID or facial ID on your banking apps rather than just a number.
They did have that and they changed it, right? They were able to change it. So—
Oh, I see.
Yeah.
Well, definitely, definitely have different PINs then for your apps.
Definitely different PINs.
Yes, you do have a PIN there.
Always good advice.
Use a password manager to manage all that stuff.
And then just make sure the password manager isn't cracked.
Yeah.
Because then the game's over. But yeah.
Maybe take a picture of the cabbie before you get in as a precaution, you know? Just 'cause then it just goes to the cloud.
Oh, they're gonna be fine with that. They're not gonna find that aggressive, are they?
They might drive off and say, "I don't want this guy in my cab." You know, he's a waster, and you might think, "Oh, you damn cabbie!" But you might have just saved yourself. And what about shoulder surfing? If you ever think someone's shoulder surfing you, why not just accidentally toss your drink over your shoulder and say, "Oh, sorry, it's just for luck." What kind of bar fight are you gonna kick off, Carole, in Dublin?
What do you mean?
They're lovely people. You just say sorry.
Is this how you operated?
Wow.
No, you can't do that, particularly in an Irish— Only in England, only in Britain and Ireland is glass both a noun and a verb. You don't want to get into that kind of fight.
That's true.
So whenever you go to a pub in the UK, it's just a little club in the UK. It's just like, here's your plastic glass. It's just white wine. Oh yeah. Okay.
Fair enough.
It's like being in an airport with your little baby knife.
Listeners know that a password manager is an important tool for generating and saving secure credentials for each of your online accounts. And podcast sponsor Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Now, what's nice is that it's open source with published third-party security audits. Bitwarden is transparent and secure. It utilizes end-to-end and zero-knowledge encryption with source code that can be scrutinized by all. And the team at Bitwarden are always introducing new features to make your life easier as well as more secure. They've just introduced passwordless login for the Web Vault, meaning you can authenticate into the Web Vault using your Bitwarden mobile app instead of entering your master password. Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today. That's bitwarden.com/smashing. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Yeah.
Oh, Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week and my last pick of the week of the year is a movie, a short movie which comes from Spain. It came out 50 years ago this month, I learnt. So I thought I'd try and be on trend.
Okay.
Because people might want to enjoy it. Yes, it first aired on 13th of December, 1972 on Televisión Española, 35 minutes long. It is La Cabina. La Cabina, if you weren't aware, is Spanish for a telephone box. And in this movie, it's a little bit of a scary movie, a little bit frightening. It's all about a man who gets in a telephone box and gets trapped, and he can't get out of the telephone box.
And he really needs to poop. And— No? Okay. I'm just trying to precede and get my mind ready.
I thought Colin Farrell was involved in that, but—
Despite the attempts of passersby to help him, he cannot be freed from this telephone box. Now, in the chance that some people may actually choose to watch this, I'm not going to reveal what happens next.
He's still in there.
Well, I'm not saying anything. But I do believe that there is now a statue of the actual— So in Spain, this is apparently a famous movie. When I say famous, famous amongst people of my sort of age who are interested in old movies. So there's now a statue of the telephone box in the place where it was filmed, which seems rather scary to me. And my advice, do not go in it. So my pick of the week is La Cabina, and you can watch it on the tube of you. And I will put a link in the show notes.
God, that's actually more frightening, isn't it? Being said like that. The tube of you is exactly what it is.
The tube of you. That doesn't sound good, no.
Iain, what's your pick of the week?
Well, something that's not going to get me put on a police register, certainly, but— No, I mean, for me, it's the new year, and we've got another trip around the sun to do, and I was thinking of the future.
Hang on a moment, hang on a minute, Iain. Surely that can't be your pick of the week. That's your pick of next week.
Well, okay, fair enough.
Sorry to pull you up on a technicality at this point.
Okay, well, I would say it's a time to think about the passing of time then. How does that—
Ignore him. Ignore him. Yeah, just ignore him.
And I've just been revisiting one of my favourite books, The Last and First Men by Olaf Stapledon. Okay, it's written in 1930 and it covers basically the evolution of humanity from current day in 1930 to around a few billion years later when, oh well, I won't spoil the ending, but some things get interesting. But this is a book which inspired Arthur C. Clarke. It's been, it's one of the more popular ones on Desert Island Discs as the book that they pick. And it's available on Project Gutenberg free of charge because it's so old. I would say it's, if you do read it, ignore the first 50 pages. Future prediction is terribly hard. And he kind of gets that wrong, particularly the Second World War thing.
Okay.
But once you get into the second generation of man and then the third of humanity and then the third and fourth and fifth and sixth and all the way up to 18th, it becomes very interesting. And it's a good joyful book to read at the new year because you know that we're going somewhere one way or the other.
I can see there's also a movie of it. I don't know. I've never crossed paths with this book.
It's one of those books which a lot of people who work in the tech industry or who work in science have read and love. It's just, but very few people have heard of it. As I say, the first 50 pages are against it, but once you get past that, then yeah, he's a very interesting character, a British bloke, conscientious objector during the war, but then joined up. And Rhodes was the science fiction sort of bestseller of his day, but his day was, you know, the 1920s and '30s, so no one remembers now.
Well, you've changed all of that today. Thank you very much. Carole, what is the final pick of the week for the entire year?
Yes, the last pick of the week for 2022 is a book that I just finished called The Other Side of Night by Adam Hamdy. It is a thriller, and I should say it's a book I experienced rather than read because I just don't seem to read anymore since I got into podcasts and art. It's I have to save my eyes for looking at audio waves and art stuff. So I've been delving into audiobooks recently, and this one blew me away. So just basic premise because there's a lot of twists and turns and I don't want to ruin anything, but it's a disgraced police detective named Harriet. And she's now suddenly with a lot of time on her hands. And she hits the library. And she's looking at this book, she's reading this book, and there's this frightening little scribble in the book margin that leads her into this really windy investigation to find out what happened to the person who penned the scribble. Like, who are they? What happened to them, etc.? And basically, a simple investigation becomes something entirely different. And the story ends up somewhere utterly unguessable, and gloriously fitting. It's a really beautiful concept, and it's written with honesty and heart and grace. But it's kind of also a meta thriller with really big ideas. So I loved it and snarfed it up in a weekend. And I would say it's the perfect book to drown in if you're having a quiet Crimbo or holiday, or if perhaps you're visiting the in-laws and prefer to hide away than help make the bread sauce. For example.
I'm so with you on that.
Sales have just rocketed.
So my pick of the week, and it's actually also on the New York Times best thrillers of 2022. So that's where I actually heard of it initially. So The Other Side of Night by Adam Hamdy, and highly recommended.
Marvelous.
Can I say we've all done very, very well with our cultural picks of the week this week. We've had two books and obviously a Spanish— well, maybe my one wasn't— a Spanish movie about someone being trapped in a telephone box. But anyway, I feel like we've raised the tone and that's a good note to end on. And it just about wraps up the show. In fact, it wraps up the show for 2022. We will be back in the second week of January, January 2023. Now to make—
Because you would get proper Christmases over there, right?
We have proper breaks over here. Now to make sure you do get that episode as soon as it's released, follow Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Google Podcasts, and you'll never miss another episode. Iain, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Well, it used to be Twitter, and I am still @IainThomson on Twitter, although I'm mainly restricting myself to posting very little other than marking the burning of Rome, as it were. But you can get me at Mastodon social using the same name. And I apologize in advance for the spelling of Iain and Thomson, but I have Scottish heritage and my parents and I have had words about this. But yeah, if I ever have a kid, they're going to be called Dave or something like that so that no one misspells my name.
So it's Iain with two I's and Thomson without a P, I think.
Without a P at Mastodon Social.
Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter allows to have a G, although there's lots of changes happening on Twitter at the moment, who knows? But we've also got a Mastodon account.
Yay!
So you can find that easiest way is to go to smashingsecurity.com/mastodon and that'll take you right there. And you can also look up the Smashing Security subreddit.
Massive shout out to this episode's sponsor, Bitwarden, and to our wonderful Patreon community. It's thanks to them all that this show is free all year. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 302 episodes, check out smashingsecurity.com.
Until next year. Cheerio, bye-bye.
Bye. Happy New Year.
Happy New Year.
Graham Cluley. Thank you very much, Iain.
Yeah, that was fun.
No problems. That was a lot of fun.
Can you go back to bed now or do you have to go to work?
Oh God, no, no. My workday is 8 till 6. So yeah, I'm clocking on in a few minutes. But yeah, it's the American — it's not like Britain.
Listeners, despite us still living in a crazy, unpredictable world, we wish you and your loved ones a safe and happy holiday. See you in a few weeks.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Iain Thomson – @iainthomson
Episode links:
- A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook? – MIT Technology Review.
- Building Smart Robots Requires Responsible Development – Roomba CEO Colin Angle on LinkedIn.
- OpenAI predicts biz can break a billion in revs by 2024 – The Register.
- The security threat of AI-enabled cyberattacks (PDF) – The Finnish Transport and Communications Agency, Traficom.
- Ireland Christmas weather ‘roller-coaster’ amid new ‘Beast from the East’ threat – Irish Mirror.
- Christmas revellers warned about sophisticated taxi scam as €300,000 is stolen from victims – MSN.
- Taxi cab scam has cleaned out €300,000 from bank accounts of victims – Irish Independent.
- “La Cabina” – YouTube.
- “Last and First Men” by Olaf Stapledon – Wikipedia.
- “The Other Side of Night” by Adam Hamdy – Pan MacMillan Press.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Looks like the latest episode doesn't have the "play audio" option in several of my podcast apps (for the RSS feed) :(
If you’re using the official Smashing Security RSS feed you shouldn’t have a problem.
https://www.smashingsecurity.com/rss
Ah hah perfect, thank you! Looks like my link was /feed instead of /rss – replacing it got it to work perfectly!!