
Security researchers find a way to unlock millions of hotel rooms, the UK introduces cyberflashing laws, and Google's AI search pushes malware and scams.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by T-Minus's Maria Varmazis.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Oh my God. Oh my God.
Oh, for you it's uncomfortable? For you?
Y'all are fighting. I don't like it.
Smashing Security, episode 365. Hacking hotels, Google's AI goof, and cyberflashing with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 365. My name's Graham Cluley.
Wow, the same number as the number of days in a year. And I'm Carole Theriault.
Not this year, Carole, it's a leap year. Oh. Hate to nitpick this early on in the show. And as you can hear, we are joined this week by Maria Varmazis from the T-Minus podcast. Hello, Maria.
Hi.
Pedantry from the get-go. I'm in awe. That was just amazing. Oh my gosh.
It's 366 this year, is that right?
It is 366 this year.
366.
Okay.
Well, I'll do the same joke next week. How are you, Maria?
I'm very excellent today. How are you doing? Brilliant.
Okay, I think we're all in a great mood already. So let's just kick the show off, shall we? But first, let's thank this week's wonderful sponsors, Kolide, Kiteworks, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be checking into poor security.
Okay, sounds interesting. And what about you, Maria?
The enshittification of search continues.
Oh, brilliant. I do love that word. And I'm going to be talking to cyberflashers and saying beware. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I was lucky enough last week to visit Germany. I went to the city of Magdeburg where I was hosting a little awards ceremony, introducing the Blues Brothers. I don't know if they were the originals, giving a speech. So I showed up, right, the night before I showed up at my hotel and it was "Guten Tag, Graham Cluley. Here's your room. Let's take you up to the 7th floor." Thank you very much. Here we are.
I can tell we're going to go down a, you're going to complain about something. So before you do, my husband was at this event and he said you were excellent on stage. And if anyone, any listeners are out there thinking, "God, we need some talent for our stage performance, for our gig, for our corporate gig," Graham's the man. And I'm doing this for free. Graham didn't even ask me.
But I, I think we can finish the podcast right there. I think the important things have been said. Thank you very much, Carole. Sorry, Maria, that you showed up.
No, no, I'm wiping away a tear. That was just so gorgeous. My goodness.
Well, it's true.
Very— that's very kind of you, Carole, and of your hubby.
Well, you're very welcome. Anyway, so I was taking a crack on this.
So I was taken up to the 7th floor. Your husband, by the way, was checked into the 5th floor. He checked in the same time as me. Gave him the 5th floor. I was given the 7th floor. So I get up to my room.
He's a very important man, you know.
Well, I, I actually said the 7th floor was where the VIP club was. So I thought, as I was a bit of a minor celebrity arriving in Magdeburg, I'm hosting the awards ceremony. I thought, okay, they've given me the best floor. Fair enough, I'm J.Lo. I'm P. Diddy. I thought, this is—
Are you sure you wanna be P. Diddy?
Do you really wanna be him?
Oh, actually, yeah.
You wanna back that up? Back it up, back it up.
Don't be like P. Diddy.
Don't be like P. Diddy.
Wow, what a name to drop today.
Yeah.
Choices. There I was. I got to my hotel room and I thought, oh, I've got this work to do.
Oh. You—
Yep, because last week, I was travelling and you said, Graham, let me edit the podcast. You said, I will do all of it.
Didn't you?
Which is very kind of you. Very excellent job, as everyone can hear, last episode. All I had to do was publish it and add a few show notes and things. Just a little bit of wrapping around the corners. And so I thought, I have to get on the internet. Got up to my room, couldn't get on the internet. Not unusual. You get to a hotel and you can't get on the internet. I thought, never mind.
Annoying though. Completely annoying.
It's annoying.
Especially a business hotel, because you kind of depend upon that stuff. But yeah.
You kind of do. You kind of do.
You kind of do.
But never mind, because the welcome drinks are happening at a local cinema. And in fact, your husband and I, we walked through Magdeburg to get to the local cinema where the welcome drinks were. Lovely evening and everything. And I thought, when I get back later, I'll get back on the internet and I'll do the work with that.
A little bit swishy.
You're on. Yeah, a little sway. I'll sway my way back to the 7th floor. So after the drinks, very nice, thank you very much. Got back to the hotel, need to do some work, publish the podcast, blah, blah, blah, get ready for my speech first thing in the morning, right? Maybe actually look at my slides, something like that. Oh dear, still no internet. So I traipse down to reception and I say, internet problem? I'm finding it a bit difficult. I'm sure it's me. I'm thinking, I'm sure it's me. And they go, oh, oh, they say, are you on floor 7? Yes, I am. Oh, the internet doesn't work there.
It's a quiet floor for VIPs, so no one knows what they're doing.
It's for people who are allergic to radio signals, Graham. Radio-sensitive folks.
Perhaps, perhaps. And so I say, well, maybe you can move me to a room where there is internet. Oh no, we can't. There aren't any other rooms available. You can hang out in the piano bar if you like. Well, I didn't want to hang out with the piano bar for the 2.5 hours or whatever I need to do and the work I had to do and listen to podcasts and do all things like that. So I said, well, it might be nice if you told me when I arrived, you checked me into the 7th floor, that there wasn't any internet. If you'd told me that—
So you didn't ask? 'Cause I do ask about internet every time.
Oh, it said there was free internet. It said the room came with free internet. Doesn't mean it's gonna work. I mean, listen, they said it's free. So I had the hump. I had the hump. And I thought, well, I need the internet because I've got this presentation. I've got this very important podcast to publish. What am I going to do? So I said to him, "Tell you what," I said, "I'm going to check out. You'll give me the money back." And there was a bit of a hassle about that. Anyway, that eventually got resolved. And then I will check into another hotel. I'll find another hotel. I will use your internet and the piano bar to find another hotel. Okay? So I checked out of the hotel, and then I went to look for another hotel room. Unfortunately, no hotel rooms.
Yeah, it's not the biggest place in the world, is it?
Well, Carole, I always thought that about Magdeburg.
Magdeburg is bloody — oh, maybe it doesn't have a lot of tourists.
What is Magdeburg known for?
Yeah, I asked that for my husband as well. He didn't know because they're all known for something in Germany.
It's famous for its Gothic-style cathedral, the burial place of Otto the Great, the Holy Roman Emperor. I'm just coming at this randomly. It's got about 250,000 residents. Okay, that's a decent size.
That's a decent size.
Size of Oxford, yeah.
Yeah, how many people are there in Oxford?
I don't know, but I would say about that with students. I seem to think it was 300,000 when, you know, student full capacity, which is —
2017, Oxford was 152,000. So I would say —
Without students, you know.
Well, you know, do students really exist anywhere? Yes, I mean, it's just —
They do. I live here, they do.
They're everywhere. You certainly feel them when they're there.
I'm not going to take back my compliment that I gave earlier.
Oh, okay. Oh yes, I forgot about that. Anyway, back to the story. So I was searching for a hotel and my, I don't know if you know about my phone, my mobile phone doesn't, its battery isn't very good. It runs out.
Oh, what do you have? Do you have the SE?
Yes, I do. So my battery isn't very good, right? It's dying. And I'm thinking, and I can't find a taxi because although there are plenty of cyclists in Magdeburg, there aren't very many taxis. There are trams, but no trams were — and my hotel, I eventually found one hotel, but it's an hour and a quarter walk away in the rain from where I am at 11 o'clock at night, rolling along my little bag.
Why didn't you ask my dear Yeti to
Your Yeti was still at the cinema at this point. He's not contactable. I don't know what he's doing. Anyway, I don't want to bore you with the whole story.
Oh, really?
Okay.
Do you really need to?
It was okay.
Because we're going step by step here.
Right, I've just looked it up, okay. In 2021, there were 162,000 residents of Oxford, and there were 34,945 students. Okay, so I put it to you that there are more people in Magdeburg.
What did you have for breakfast that day, Graham?
It was quite stressful.
Okay.
It was quite stressful. And I thought, where on earth am I going to — you know, I'm very important. I'm hosting the awards.
use his room?
I thought I was a celebrity. I've nowhere for me to sleep. Anyway, eventually everything was fine, but how I wished that I would have had a key to someone else's hotel room. And this is the link to what I'm talking about today, because if I'd had the key to someone else's room where the internet had been working, I could have gone in there. Or maybe I should have just sat outside someone else's door. Maybe your husband on the 5th floor. I should have sat outside his door until he came back from the bloody cinema. You should ask him questions as to how late he was out.
Surely — I feel we need a corroborating interview with him to get his side of the story.
I think my husband said that you were great on stage and I'm not going to have any go at him whatsoever.
Oh, come on. Yeah.
Oh, okay.
Come on. What is wrong with you? So a bunch of security researchers have recently revealed a vulnerability that they found in hotel key locks.
Mm-hmm.
They've called this Unsaflok. Oh, memorable. Well, I think the reason is that there is a make of key locks, RFID locks, which are used in hotels by a company called Dormakaba, and they call them Saflok. So this is Unsaflok.
Okay, that makes sense. Okay. Okay.
That's why they've called it that.
Yeah.
Smart. Now, what they found was they found a way to unlock all rooms in a hotel using a single pair of forged key cards. And they've discovered that over 3 million hotel locks in 131 countries are affected.
Okay, so I know, I think I know the answer to this. I think it's going to be one of those crazy questions. So when you say, it just means you bring this master key. It's a master key that lets you get into any hotel room.
No, no, no, no, no.
Okay.
No, it's not a— that would be great if that were the case. And I think there was something a bit like that before, perhaps. And maybe there are master keys inside hotels to sort of— because it's all computerised these days, isn't it? You can use the system to get in.
Yeah, say someone committed suicide or something. You need to get in there. There's going to be a master key.
Why is that?
Why? Bring the tone down, Carole.
You jumped right to it. My God.
It's because he got me all annoyed about my husband being out too long.
I'm annoyed about him as well.
Oh my God.
Oh my God. I am. He's a very nice guy. Oh, for you?
It's uncomfortable for you?
Y'all are fighting. I don't like it.
So all you need to break into a hotel room, they discovered, was one key card from the hotel. Now, where'd you get a key card for a hotel room from?
Literally anywhere.
Yeah.
Yeah.
In the bin.
Yeah, you get it in the bin. You get it in that little drop-off box where people dump their cards when they check out.
On a table. Yeah.
Or you look through your old suit and you find it inside a pocket.
All the time.
All the time. It can be an expired key card. It can be one from your own room. It can be one taken from the express checkout box, and they can then forge other key cards from that. And there's a little bit of jiggery-pokery. They haven't gone into all the details because, well, the reason is because the problem hasn't been fixed, Carole. So they found out about this problem in September 2022.
Oh.
So they get the key card, an old key card. They then do some jiggery-pokery, the science.
They read the card and create a faked card.
To get into a specific room or any room?
No, once they've got this ability, they can go into any room in the house.
Right, so then they basically have a master key.
Yes.
Right.
Well done, Carole.
Thank you.
Okay, that's a good summary. Good, good, good. Okay, now I understand what the heck's going on.
All right.
And you, by the way, you can also do this with a Flipper Zero, which is a favorite hacking gadget that loads of people are talking about at the moment, or you can use an NFC-capable Android phone as well.
Are they banned in Canada yet?
What, Android?
No, no, no, the Flipper Zero that Canada's trying to ban them.
Oh, are they trying to ban them? Yeah. Good luck with that.
Yeah.
Yeah. Great publicity for them, I suppose. Anyway, September 2022, these researchers, they found the problem. They thought, crikey, this is bad. And they contacted Dormakaba, who make these Saflok locks. That's smart.
Yeah.
Smart, smart, smart.
Yep.
And they had a meeting with Dormakaba the following month in October 2022.
Oh, they weren't ignored. Fantastic.
No. And over the following 18 months, they've had at least, they say, 13 meetings with Dormakaba to discuss the vulnerability.
Death by meetings. 13. 13.
At least. At least, they say.
Oh my God. Can you imagine the Zoom meetings? And there's probably 30 people on it.
Yeah. God.
In November 2023, the first hotels began to upgrade their locks to resolve the vulnerability. But as of today, so what is it, March 2024 now?
Yeah, that's correct.
They say that only around 36% of the impacted locks have been updated or replaced. Remember, there are millions around the world.
Right, so they got through a third so far, yeah. Yeah.
Imagine that's gonna be a process. Yeah.
So it, well, it is, isn't it? Because you have to do a software update or you have to replace the actual lock. And they say all key cards have to be reissued, front desk software to be changed, card encoders need to be upgraded. All kinds of upgrades are required. Some physical, some a bit of a handful.
You know what's really upsetting? You have to tell people if you've got a flaw on your website that has leaked data, for example. Right?
Right.
You've got to announce that. But hotels apparently who claim to provide security with a locked door.
Yep.
It can be bypassed. They've known about it since when? 2022?
Yep.
And this is the first instance I've heard of it. What about you? Because you actually read tech news.
It's the first that this particular vulnerability has been spoken about. There have been vulnerabilities with key cards in the past.
Right.
As you said. Yeah.
Yeah.
Yep.
I think F-Secure did some research a few years ago. We may have even spoken about it on the podcast.
But the fact that they can stay quiet. I'm going to be staying in a hotel at some point. That's kind of annoying. Anyway.
And you don't know when you book into a hotel whether it has one of these locks. In fact, if you look at the lock, you can't tell—
That's great.
If it's been fiddled with or not.
What a nightmare for the hotels too. I bet they have to pay for all this, and I'm sure they don't have the money for it. I can't imagine Saflok coming in going, "Here, have a bunch of free upgraded locks." Oh.
So, if you are staying in a hotel, lucky you, by the way, if you're staying in a hotel, particularly if it has Wi-Fi.
That works. That works.
One that works. It has Wi-Fi.
Doesn't work, but it exists. Yeah.
Only on the 7th floor does it not work. But I don't understand that. I don't understand that.
How is that even physically possible?
I don't— I don't know, Maria. I don't know.
Someone explain the physics of this one to me, 'cause I don't get it. Alright.
So if you're in a hotel room, how do you protect yourself? Well, of course you could have a deadlock, couldn't you? Yeah, right, because you get these other things. Turns out these hacked keycards turn the deadlock. How? Right?
Wait, okay, I'm thinking old-school hotels with an actual deadlock.
Yeah, I was gonna say, usually there's a separate one that's completely just physical.
Yeah, if you've got something on a chain, then obviously it can't undo that, right? So if you've got a little chug-chug. But in these modern locks, these RFID locks, the actual deadbolt, the thing which you go chug-chug, you turn, apparently that actually gets unlocked, which is probably for the reason which Carole told us about earlier, the scenario she painted of when the hotel staff really kind of need to get into the room.
Yeah, I was thinking if a bathtub is overflowing or a toilet won't stop flushing, not someone unaliving themselves. Thanks, girl.
I had guys come into our room because we were having a big party, and the way they got in was by offering champagne. But actually, they had no champagne. They just had champagne glasses, and then they all came in and closed the whole party down. They tricked us.
Oh, that's a clever, clever trick.
Yeah, thank you, Vancouver.
So another good question is, has anyone actually exploited this yet?
Oh, it's not even in the wild.
You don't even know who knows.
No, no, no, it is in the wild. Millions of locks affected, but nobody knows if it's been exploited. So anytime you've been accused of taking the slippers or the towels or there've been some unexpected minibar charges.
You know what? Come on.
Or someone's been watching adult movies on the TV you can justifiably say, well, it could have been someone who got in.
No, no, no. We need a few detectives on this, right? There's someone that has to monitor the camera, right, on the hallway. And then you check the log in for when the keycard was in use and you go, oh yeah, that was Bob. There's Bob's wife. There's Bob's kids. Who's that guy?
Who's that guy wheeling off the contents of the minibar?
Who's that guy in the black hoodie looking all sketchy? He's a bit of a— stock photography of a hacker. He's doing something he shouldn't.
So one thing that these researchers say that you can do is you can look at the keycard. So if you've got a MIFARE Classic keycard, apparently they are marked in that way. Those are vulnerable, but a MIFARE Ultralight C keycard—
What? Oh, I'm definitely gonna remember this.
How do I know?
Yep.
'Cause it will say it. You should be looking at the keycard and be able to identify the make of keycard.
Okay, no, but you've said the same make, so they're both MIFARE, but—
A different type. The Ultralight C card is the safe one, apparently, but the MIFARE Classic, no good.
No good. Classic is not good. Right.
There you go. There you go. So I hope that's useful to everyone.
Thank you very much.
We'll put some links in the show notes where you can read more about this research, but not too much. 'Cause they haven't released too much because they are terrified people will exploit it.
I mean, it could— this could get very serious and very dark very quickly. I mean, I'm sure everyone's heard stories of people following you back to your hotel room. You're a celebrity, Graham. I'm sure you've experienced fans who just stalk you in the elevator and then in the hallway trying to be like, "Is that Graham? Hmm, let's see what room he's in." I'm sure it's happened many times, right?
It's happened. And that sometimes is why I want to go to a floor where there's no internet so they can't— They can't livestream what happens next. Oh no, I didn't mean that. Oh no. Moving on. Maria, what have you got for us this week? Oh my God.
I need a second. That's so dark.
I don't know what you're thinking.
I went a little American Psycho in my head. I was like, that's where my brain went.
What is going on with you two tonight?
Anyway. Okay. Whew.
Okay.
Collecting myself. All right. So I teased this at the top of the show about the enshittification of search. It's truly enshittification all the way down. I'm sure I can go out on a limb here and say we've all noticed that search has gotten really crap lately, has it not?
How do you mean?
When you search for something, I don't know, on Google, which is the one that a lot of us use, do you have an easy time of finding what the hell you're trying to find?
Or are you finding yourself having to comb through reams of garbage? I find that I always will go down to about the 10th entry and start looking there because there's so many sponsored ads. I think I use Startpage.
That's what I use.
Wasn't that a pick of the week forever ago?
Yeah, yeah, yeah. Startpage was. But the thing I find is if I use Google quite often, it will be links to Reddit. There'll be lots and lots of links to Reddit before anything else. Reddit must be getting a hell of a lot of traffic.
Yeah, well, that's because a lot of people— that is the remedy to the enshittification of search. That's hilarious. Because if you can't find what you're looking for, usually people— I do this now too. I enter the term I'm looking for and then add Reddit to the end. And now Google's indexing that. That's hilarious. Oh my God.
It's all you, Maria.
Oh, no, no, no, no, no, not me. I mean, everybody's doing this, obviously. That's so funny. Okay, so I'm looking for a review on this product. And if you just Google that, everything you find is suspect. It's all fake blogs, fake AI-generated, all nonsense. So one of the only places you think, and I don't even know if this is even true, but one of the few places that seems to have the whiff of reality is Reddit, because in theory it's real people commenting. If that's actually true, who knows.
Anyway, yeah, there's no bots there, don't worry.
Yeah, there's definitely no bots on Reddit and nothing, no shenanigans going on there. So Google has decided to improve search because it knows that people are complaining. So I don't know if you've heard of this thing that's very popular right now. It's called artificial intelligence.
No, tell me about it.
Sometimes it's shortened to AI.
Yeah. Okay.
So Google last year introduced this AI chatbot. They called it the Google Search Generative Experience, or SGE, and it was opt-in. And the idea was for a search query, where Google deemed a chatbot might be especially helpful, it would generate an AI-based response to your query. Somewhere in there, there might be actual links to websites, but for the most part, it would be like, this is the information we think you're looking for. Here's a summary. And then here's a whole bunch of other information that might be good. Like if you search for a product, it'll tell you most of the time this product will cost between this and this. In theory, sounds like it might be maybe helpful. Maybe. Yeah, maybe.
Yeah, maybe. Maybe my experience with AI is not always correct. Yeah, but yeah, maybe.
Maybe. Because I'm sure you also know the acronym GIGO.
GIGO.
Oh yeah.
Garbage in, garbage out. Yeah. So your AI is really only as good as your dataset. And if you have an SEO-ified search situation, what is AI really going through and aggregating to offer as a suggestion? You've got SEO-ified AI search. It's a mess anyway. So not a big surprise. People who have been poking around this, what was up until recently experimental AI-augmented search, have found that attackers and bad dudes have been taking advantage of AI, just sort of trawling the internet and finding all sorts of search results. And they've been figuring out how to SEO poison AI chatbot results. So—
Of course they have.
Of course they have. Of course they have. So one SEO consultant, her name is Lily Ray, found that for many queries that Google found to be helpful to have a chatbot, the top results and the information that AI was serving up was directly from not just spammy but also malicious websites. Yeah. So none of us are surprised. It's not just a cynical thing. It's like, of course someone has figured out how to do this. So one of the common— the ways that these websites are compromised is essentially there's SEO poisoning going on. So these bad dudes are creating tons and tons of websites with information that might sound plausible around a search-related term. And then if you click on that website that again looks like it might be a real helpful website, you're gonna get redirected a gajillion times and eventually you'll end up on a website that prompts you to enable notifications. And those of us who are savvy, we know now, no, don't enable notifications. But many people go, all right, well, this website says it's gonna help me, so maybe I will enable desktop notifications. And then that's when you start getting the popups and all sorts of— that's just a very common way that people get in and start just harassing people on their computers and getting them to try and click something.
Yeah. And call marketing.
Yeah. Yes. Some might call it that too. Sometimes there's even unwanted browser extensions. This feels very '90s sometimes when I'm reading about this, unwanted browser extensions. It's going to hijack search. What is going on? What's the name of that gorilla? We're in a loop. Bonzi gorilla or whatever. What's the name of that? Anyway, sorry. Don't know if anyone remembers that but me.
What are you talking about? A Bonzi gorilla?
Wasn't there a gorilla in the '90s that was a search hijack thing? Someone's gonna know what I'm talking about.
Okay.
Okay. Email the show.
Ignore that. Ignore that. Anyway, so yeah, it's a lot of fake results and the SEO poisoning the well for AI. And Google says that they have fixed this issue, that they will no longer surface SEO-poisoned websites through the AI chatbot. And they're continuously updating their systems to make sure this won't continue to happen. But ultimately, the weight is on the user that you have to— don't click spammy links because obviously you'll be able to tell which ones are legit and which ones aren't, right?
So, Maria, are you suggesting that sellotaping AI onto every single technology on the internet may not necessarily be a great idea?
Gee, it might. It might be. That is the angle here. It's just amazing that search has gotten so bad and then we put AI on top of it and it's wow, and it's even worse now. Fantastic. And I should also mention that this experimental feature is no longer experimental or opt-in. It is now being rolled out to all users. I don't have it yet. I tried. I wanted to see if I could replicate this, but it is not available for me right now. I've heard also if you use Firefox that it won't work for you yet. I guess Chrome browsers are getting prioritized. But yeah, really interesting. I imagine people who put dodgy things on the internet are really enjoying the fact that AI can make their jobs easier.
Of course they are. And I think this is probably just the tip of the iceberg.
Yeah.
Yeah, it's great.
It's great.
Enshittification all the way down. Yuck.
Carole, what have you got for us this week?
So when I was a kid, imagine all the family piled up in the car for a regular trip to the big city of Montreal. And you know, you're on the highway bored, right? Because it's about an hour long. You didn't have devices as a kid. So you're kind of just sitting there lazily watching traffic go past, you know, some cars passing you, you passing cars, la la la. And this car goes past. And I noticed because the driver, this young guy, this man was laughing hysterically. And then, you know, the car moves beyond us. And then there were in the back window, there were two hairy sacks beneath two hairy cracks, smushed against the backside window. And my brothers and I died of laughter because, you know. But later, when I was in university, I met this guy and he told me that he and his mates would get all drunk and then would run around flashing their bits as they shouted, "Last chicken in Sainsbury's." to people, and he thought this was so funny. Can you imagine, Maria, we're walking home at night and a bunch of guys ensnare us with their junk in hand shouting about chickens? We'd be scarred for life.
I'm scarred for life just hearing about this, let alone seeing it.
I don't want to tell you I dated him, but I dated him.
Let's go, Carole!
Before I knew this, before.
Yeah, but here you are years later happily married to him.
No!
Oh God, how dare you.
These situations were all in real life. But what about cyberflashing? Has that ever happened to you? Have you ever got a dick pic or?
Oh yes.
Oh my goodness. Even more than in real life. Yes. My goodness. Yes.
I've got a story about that. I was giving a talk at the ExCeL Centre in London for Microsoft. Thousands of people in the audience, right? It was, it's probably the biggest gig I've ever done. It was huge. And I was doing this talk in this amazing area and blah, blah, blah, blah, blah. And while I was on stage, so you get off the stage and you think, I wonder how that went. I'll see if anyone tweeted me.
Of course, that would be the first thing you'd do.
That's—
Yeah.
Yeah. Yes. You know, to see if it had gone all right. And, you know, and someone had sent me a picture and said, you know, row J, seat 234 or whatever it was. And it sent me a picture of his knob.
Was it standing to attention?
I didn't look at it that closely, Carole, but you know, oh, it was— I didn't save it or bookmark it or anything like that. But yeah, so, so it has happened to me as well.
When was this? Like a long time ago?
Oh, about, probably about 2015 would be my guess.
So, so this is cyberflashing. That's a perfect example of what cyberflashing is, and it's a form of sexual harassment where someone sends unsolicited sexual or nude images on social media, dating sites or directly through tools such as Bluetooth or AirDrop. And instances of cyberflashing are on the up. In 2020, data revealed that reports of cyberflashing to the British Transport Police had almost doubled in 12 months. And other sobering stats include 48% of women aged 18 to 24 say they've received a sexual photo without consent. And the issue is worse for teens, with one study saying that 76%, so three quarters of girls aged 12 to 18, had been sent unwanted nudes of boys and men.
Yeah, that does not surprise me. I mean, that's the age also at which many people that age are receiving their first smartphones.
They're curious. Yeah, they're curious. They're also enjoying a new freedom that they were not allowed to have. Yeah.
Not that— I mean, again, doesn't— that's not their fault. But it's one of those things, if you leave AirDrop wide open and you're sitting— oh, I don't know— in a subway car, you're going to get stuff AirDropped to you that you do not want to see.
So it does seem to happen on public transport. It does.
Yeah. Because you're anonymous and it's— and you can just leave immediately. It's— and people think it's funny.
And you can also watch the reaction. And no one knows where you are.
Yeah.
Oh, I see.
But do you know when you send the picture? So if you AirDrop it to someone on a tube, do you know who you're sending it to?
No, it's just broadcast.
Mm-hmm.
You just see a bunch of names, and those names may not be real. And, you know, there's a user icon. It doesn't always say your actual real name. It depends on what the person has set up.
So if I were to send my dick pic to everybody in the train carriage or something.
Please don't.
No, obviously I won't. No. But not that I have that in my photo reel or anything like that.
They're trapped, Graham. They can't even get away.
I imagine if I were a perpetrator, maybe the thing to do is look equally shocked and disgustedly at my phone to rule myself out. Go, oh, God, who's the to do that? Because if you're the one person who's sat there sniggering or looking around at everybody else, that would look more suspicious, wouldn't it?
It's pretty manipulative, you know.
I don't know, that's my department, you know.
There's this UK personality known as Jess Davies. She told the BBC in 2021 that she'd had enough. She had received hundreds of unsolicited images, explicit images and videos of men since she started being active on social media, and she was now campaigning for it to stop. Her Instagram at the time was in the six figures. She said she'd become almost numb to the images she received. She's quoted as saying, "If it's illegal offline, it should be illegal online." As of January 31st, 2024, cyber flashing is a jailable offense in the UK with a maximum sentence of 2 years.
Wow.
So people who send or provide unwanted images or films of genitals may also be fined and added to the Sex Offenders Register. Plus, victims of the offense and other image-based abuses receive lifelong anonymity under the Sexual Offences Act from the point they report it. So just this week, the UK has sentenced its very first offender under this new cyber flashing law.
Oh, marvelous.
Nicholas Hawkes, he was 39, from Basildon, UK, was arrested by Essex Police. Now, this guy already had a rap sheet, having interfered with a 15-year-old girl the previous year. So at the time of his arrest, he was already on the sex offenders list. So Hawkes gets nabbed by the police, and he ends up telling the Southend Crown Court that he had sent images from his father's phone. So basically, he was living with his dad at the time and apparently borrowed the phone to call the probation officer, but then decided to sneak the phone into a private area so that he could send a pic of his taut ding dong to a teenager via iMessage and one to a 60-year-old woman via WhatsApp.
So he wasn't sending this via AirDrop. He was actually sending it from his dad's phone, so it would have had his number or his user ID on it.
Oh my God.
Well, he's — look, I'd be so proud of that son.
The teenage girl was said to be left overwhelmed and crying by the image. Of course. The 60-year-old woman took screenshots of the photograph — very smart — and reported it to Essex Police the same day, which led to his arrest.
Wow.
Hawkes admitted to two counts of sending photographs of his junk to cause alarm, distress, or humiliation. And on the 19th of March, he was sentenced to 62 weeks in prison for these two offenses.
I've just noticed my email has a junk folder, and I don't often go in there, and I'm wondering now what I might find. Don't do it. Never go into the junk folder.
Don't do it. Don't do it. Don't do it.
And in the UK, you now face jail time if you get caught doing that. So really big bravo to the UK for that. But of course, Maria, as you alluded to already, prevention is better than conviction. So one of the simplest ways to protect yourself from cyber flashing from a stranger is to review your phone settings. So turn off Apple AirDrop features on iPhone by turning off Wi-Fi and Bluetooth, or you know, you can ping it on and off depending on where you are. And don't pair your Bluetooth with unidentified sources. Do you guys have anything else that might be a sage piece of advice here?
I think that Apple, I don't know about Android, but I think Apple have recently introduced a feature whereby it analyzes videos and photos that you are sent and it can display a sensitive content warning. This is a setting you can have and it blurs out the image so it warns you before you view it. So that's something that people might want to turn on. I think it's under privacy and security in your settings.
That's mad because as my sign-off for this piece, I was going to say, hey, maybe we should lobby phone providers to put a fig leaf on by default when they detect suspicious fleshy things on screen. A bit late on that one, Cluley.
Yeah. So I'm just reading about this now. They say it's on-device machine learning. So I guess they taught it with thousands of images of people's penises.
Wonderful.
Oh my God.
How great it is to be an Apple employee. But apparently, yeah, so this is a feature which now exists in iOS, which you can turn on. And it sounds like it's— oh, and you can do it on your Apple Mac as well, I'm reading. So a good idea probably to turn on something like that if it's available to you.
And the thing to remember is if you receive an unwanted sexual image in the UK, screenshot the evidence and report it to your local coppers, citing the new cyber flashing law. And if it happens while you're traveling on public transport, please contact British Transport Police. Interestingly, it seems that in the US there are only two states, Texas and California, that have cyber flashing laws. There is no federal law prohibiting cyber flashing. I read today that New York is looking at it, but I think the penalty will be 15 days in prison, which is a lot less than what we're seeing in the UK with two years.
That's if you can get a conviction, which would be hard as hell. Yeah, I live in one of the only two states in the country that still does not have a revenge porn law, if you can believe it. Massachusetts still doesn't have one. Yeah, it's been in the works for years and they still won't pass it. So I mean, if you can't get legislation to move on revenge porn, I'm just kind of like, I would be surprised if there's anything about this because it's super common, you know, to the point where in my mental model I think of it as a nuisance. But of course, you know, I'm much older. But, you know, I'm not happy about the state of things here about this topic area. So, yeah.
Well, there have been a lot of cyber laws that have been passed recently, so let's just hope we see some action in this space pretty damn pronto.
Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands. Companies that continue relying on outdated technology put their sensitive data at risk. Well, this podcast is sponsored by KiteWorks, who enable organizations to effectively manage risk in every send, share, receive, and save of sensitive content. To do that, they've created a platform that delivers content governance, compliance, and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications. KiteWorks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers. Visit kiteworks.com to get started today. That's kiteworks.com, and thanks to them for supporting the show.
Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta. Vanta gives you one place to centralize and scale your security program. Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers. Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta. All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.com/smashing. And thanks to Vanta for sponsoring the show.
You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data. And that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of. Plus, you can use Kolide on devices without MDM, your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today. That's k-o-l-i-d-e.com/smashing, and thanks to them for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related.
Very good.
My Pick of the Week this week is an article I was reading about some of the weirdest secret agent gadgets. I don't know if either of you think of yourselves as a secret agent, James Bond type. You think that'd be glamorous, but you may want to check out the link, which I'm going to share on the Stay Weird website, because I'll tell you about some of the things which I found out about. We've some pictures as well, which I'll share with you too, but other people can check out in the images. We've got exploding rats. So the British during World War II stuffed rats with explosives. And they sort of sent them in. They said, "This way, little Timmy. This way, little Timmy. Go and go into that munitions dump, and then we can blow up and cause damage and confusion." And so the Germans were on top of it. You may have heard the phrase, "You dirty rat." This is where it comes from.
Oh, my God.
No, it's not true.
Okay. You convinced us. It was a very— Yeah, good lie. I like it. All right.
Intercepted it. And so the Brits thought, well, we won't do that anymore. The Germans apparently wasted loads of time and resources looking out for exploding rats as a consequence, thinking any moment we might get attacked by an exploding rat. There were also pigeon cameras in the early 1900s, because obviously drones didn't exist.
Pigeon cameras?
Yeah, they would strap a Polaroid camera to a pigeon.
No, they didn't.
Well, there's a picture, Carole. I've got a picture. Go and check it out.
Okay, just because it's a picture, I don't know if you've heard of DALL·E and AI.
There is a picture of a pigeon sat on a little wooden plinth.
I feel like we talked about this earlier, maybe.
Yeah. With a camera around its neck.
Looks pretty heavy, that camera.
How the hell is that thing gonna fly with that on its neck? I mean, that's glass and metal. How is that gonna fly?
Tell you what, my pigeons could. Mine are really big. I've been feeding them.
They're pretty tough. If you think of how a pigeon walks and what it does with its neck, it's got really strong neck muscles, a pigeon. So it can be used. We've got a glove with a gun hidden inside the glove, which apparently is if you had a meeting with someone who you thought was a bit— Well, maybe you hold that further up to speak.
Extra white glove. No one's going to notice.
No one's going to notice.
Fake hand. Yeah.
Okay. And we've got a dog poop transmitter used by the CIA.
Of course, of course.
It's the size of France, that dog shit. As if what you see, what that would just be on the sidewalk and I'm supposed to go, oh yeah, that's real.
That's right.
Where's the monster that gave, that put this one out?
That's a Great Dane size too, easily.
Yeah.
Look, let me explain how it works, Carole. If you're having a secret meeting that you want to record, right? You might go to the lavatory. You might deposit the transmitting device, as we'll call it, in the lavatory. Don't flush! You probably couldn't flush this. It's so big. It just floats there. And when other people go in there to have their secret conversations, it is recording it and sending the information back to—
Yes, we were going to hear them go, "Jesus Christ, look at that thing! Who fucking put that in the loo and didn't flush? Jesus!"
Go and get the coat hanger. Urgent.
No, God.
Too much. Anyway, this article, I found it very illuminating and very interesting. And that is why it is my pick of the week. Maria, what's your pick of the week?
Follow that. Yeah, we're talking about pigeons and dog shit. Great. My pick of the week is the video game that I've been playing nonstop since— when did I get it? December? It's been out longer than that. Oh, you may have heard of it, so this is not an obscure pick by any stretch of the imagination. It's called Baldur's Gate 3. Have you heard of this?
Oh yes, yes, I've heard of it, but I've never played it.
Yeah, it's won every conceivable award in the game industry that exists. It's made literal billions of dollars. Yeah, so this is not some unknown thing. I'm just adding my voice to the many. I don't play Dungeons and Dragons. This is not me trying to be a hipster. I just don't play it, but it is a Dungeons and Dragons-based game. It's got a lot of D&D lore. I knew none of it going into this game, and the game did a brilliant job of sort of walking me through it. And more importantly—
Have you never played Dungeons and Dragons, Maria?
I have never, and that always shocks people.
It does shock, 'cause you're such a nerd.
I know, I know. And my husband is a diehard D&D fan, diehard. But I have never played it. I've tried many times. I don't know if it's because of when I grew up and it was very much a teenage boy thing and being the only girl surrounded by gross teenage boys was just really not appealing. It's changed a lot since then. It's changed a lot. But yeah, my husband was watching me play and he was like, "You're learning about this thing." I'm like, "I have no idea what you're talking about, but I'm enjoying this game a great deal." Super fun. The story is fantastic. I joke that it's kind of a dating sim disguised as a Dungeons and Dragons game. You can romance different people throughout the game and the relationships are surprisingly complex for a video game.
Dungeons and Dragons Eagles fans probably need a dating sim, don't they? They probably need a little bit. They're not going to get it in real life, so it's a good idea.
Yeah, honestly. And because they're nerds, you can have a polycule, and it's very nerdy.
Polycules. Where do you play this? Is this on a computer?
You can play it through Steam. I have it on the Xbox. I think there's a PS5 version. It's just everywhere. This, as I said, won every Gaming Award. It's a massive, massive success.
But now we have your stamp of approval.
Yeah, I'm just adding—if someone wants to message me about Baldur's Gate 3, I'm all about it. I already beat the game. I'm happy to chat about it. I really, really enjoyed it. I put easily 150 hours into my first playthrough, and I'm playing it now again. So yeah, Baldur's Gate 3, highly recommend.
Whoa. Now I know why you don't answer my phone call. Yeah, I'm playing Baldur's Gate 3.
Yeah.
Carole, what's your pick of the week?
So my pick of the week—I should first explain that I kind of got into birds during the pando.
I'm no birder or anything, or twitcher, I don't know what they're called, but I can kind of identify all the birds in my yard and I even know the families, which ones get on with others, who's trying to woohoo.
Woohoo? Is that the noise they make?
I know who's wooing who. Yeah, I know who the enemies are and all that jazz. Okay, crazy bird lady, that's me.
I have. I think I have that on my phone.
Really?
Yes. It's a really cool app. It's free.
Yeah, I do. Yep. Yeah.
Yep. So do I. I've had it on for months and months. So it's a free global bird guide with photos, sounds, and maps. Okay, so there's three different main things I see that I use it for. So you can listen. There's a listen sound ID component which listens to—
Oh, it's Shazam.
Shazam for birds. Yes, that is exactly what it's like.
That's so clever. That's so clever.
Listens to birds around you and then shows you real-time suggestions who's singing. And it works completely offline. So you can identify birds that you hear no matter where you are, even if you have no—see, you could have done this, Graham. You could have done this instead of working on the podcast because you don't need to. You can do this all completely offline. You can obviously send them a snap of a picture or one from your camera roll, and Photo ID will provide you with a short list of possible matches. And you can build a digital scrapbook of your birding memories. I haven't done that. But you just kind of like, this is my bird. And each time you identify a bird, it will add it to your growing list. So it's very, very cool.
Can you make the sound of a particular bird for us, Crooks? You must be learned. Could you make one?
No, no, no. I'm going to—
No, not the phone. I want to hear you.
Yeah, this will be me. This is me. This is me.
Oh, this is you. Let's hear it.
This is the Eurasian blackbird, right? So this is its song. Okay. And then this is one of their calls.
Cool, right? Oh, I feel more relaxed having heard that. It's so nice.
It's a very nice app. It's very cute. You can just kind of even also go Oxford or wherever you live just to see what birds are around that you can try and ID. So it's free, it's great, and you help the world by mapping all these wonderful birds. So Merlin Bird ID, and that's my pick of the week.
Well, haven't we done well? Three excellent picks of the week this week. I'm including mine, obviously. And that just about wraps up the show for this week.
Spy turds.
Maria, what's the best way for folks to find out what you're up to?
If you want to hear my damn voice in your ear holes every day, I'm the host of T-Minus Space Daily. You can get it on your favorite podcast app. I did a really good job of selling it right now. Please don't fire me. And the website is based on n2k.com and I'm also on the Fediverse at Varmazis. So find me there.
Super stuff. And you can follow us on Twitter at Smashing Security, no G. Twitter allows to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.
And huge shout out to our episode sponsors, Vanta, Kolide, and KiteWorks, and of course to our wonderful Patreon community. It's thanks to them all this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 364 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye.
Bye.
I think you'll find it wasn't this year. It wasn't this year. It took you five days.
Well, actually. Well, actually. Oh, that was brilliant. That was still my favorite moment for the whole episode, was right at the top. It was all downhill.
It's all downhill. Yeah.
Oh my God.
Slippery slope.
Hosts:
- Graham Cluley
- Carole Theriault
Guest:
- Maria Varmazis
Episode links:
- Unsaflok – Security vulnerabilities in Saflok hotel locks.
- 3 million doors open to uninvited guests in keycard exploit – The Register.
- Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds – Wired.
- Google’s new AI search results promotes sites pushing malware, scams – Bleeping Computer.
- Man who sent nude picture to teenage girl is jailed under new cyberflashing laws – The Independent.
- Cyber-flashing convict is first to be jailed under new law – BBC News.
- What to do if you’re a victim of cyber flashing and how to report it – Metro.
- The first cyberflasher has been convicted: meet the woman who made it happen – Yahoo!
- What is cyber flashing? ‘Banter’ – or a sinister breach of consent – UK News.
- Love Island star sent unsolicited pictures online calls for tougher cyber laws – Bristol Live.
- Secret Agent Shenanigans: 13 Weird Spy Weapons And Gadgets – Stay Weird.
- Baldur’s Gate 3.
- Merlin Bird ID – Cornell Lab.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.