e dot dot dot
a mostly about the Internet blog by



Sex Toys Are Just As Poorly-Secured As The Rest Of The Internet of Broken Things



At this point we've pretty well documented how the "internet of things" is a privacy and security dumpster fire. Whether it's tea kettles that expose your WiFi credentials or smart fridges that leak your Gmail password, companies were so busy trying to make a buck by embedding network chipsets into everything, they couldn't be bothered to adhere to even the most modest security and privacy guidelines. As a result, billions upon billions of devices are now being connected to the internet with little to no meaningful security and a total disregard for user privacy -- posing a potentially fatal threat to us all.

Unsurprisingly, the sex toy division of the internet of broken things is no exception to this rule. One "smart dildo" manufacturer was recently forced to shell out $3.75 million after it was caught collecting, err, "usage habits" of the company's customers. According to the lawsuit, Standard Innovation's We-Vibe vibrator collected sensitive data about customer usage, including "selected vibration settings," the device's battery life, and even the vibrator's "temperature." At no point did the company apparently think it was a good idea to clearly inform users of this data collection.

But security is also lacking elsewhere in the world of internet-connected sex toys. Alex Lomas of Pen Test Partners recently took a look at the security in many internet-connected sex toys, and walked away arguably unimpressed. Using a Bluetooth "dongle" and antenna, Lomas drove around Berlin looking for openly accessible sex toys (he calls it "screwdriving," in a riff off of wardriving). He subsequently found it's relatively trivial to discover and hijack everything from vibrators to smart butt plugs -- thanks to the way Bluetooth Low Energy (BLE) connectivity works:

"The only protection you have is that BLE devices will generally only pair with one device at a time, but range is limited and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication. I should say at this point that this is purely passive reconnaissance based on the BLE advertisements the device sends out - attempting to connect to the device and actually control it without consent is not something I or you should do. But now one could drive the Hush's motor to full speed, and as long as the attacker remains connected over BLE and not the victim, there is no way they can stop the vibrations."
Lomas found that hearing aids that also use the BLE standard are similarly vulnerable, letting an attacker easily disrupt functionality of the devices. He proceeds to note that this could all be prevented via any number of improvements to these devices, including usage of a unique PIN, the need for local physical interaction (like a button push) to connect, or lowering the Bluetooth signal strength.

But as we've noted previously, a big part of the security and privacy apathy coming from router and IOT device makers is due to the fact that nobody in these supply chains has the financial incentive to try very hard (if at all), so most will be off hyping the next iteration of their magical, intelligent butt plug -- instead of shoring up the problems with the last generation.


posted at: 12:00am on 06-Oct-2017



Hundreds Of Cases Dismissed Thanks To Baltimore PD Misconduct



After years of listening to tough-on-crime legislators and the tough-on-crime lawmen that love to hear them talk about filthy criminals beating the system by getting off on technicalities, it's somewhat funny to discover lots of what's complained about is nothing more than good old-fashioned due process and/or the collateral damage of crooked, inept, or lazy cops.

We've seen a lot of en masse criminal case dismissals recently. Thousands of convictions and charges were dropped in Massachusetts as the result of a state crime lab tech's years of faked drug tests. All over the nation, cops are letting perps walk rather than discuss law enforcement's worst-kept secret: Stingray devices.

Add to that list several hundred cases being dropped by prosecutors in Baltimore -- all thanks to officer misconduct. [via Scott Shackford at Reason]

Hundreds of criminal cases are impacted by the questionable conduct of Baltimore police officers, the city's top prosecutor announced in a statement.

Baltimore State's Attorney Marilyn J. Mosby's office released the updated numbers Wednesday. She said the actions of eight officers indicted for racketeering have affected 295 cases, and three more incidents of questionable use of body-worn cameras have impacted a total of 569 cases. Overall, she said up to 338 cases have been or could be dismissed.
The body camera footage at issue was discussed here earlier. What looked like an officer planting evidence turned out to be an officer performing an improvisational reenactment of "discovering" evidence he had actually discovered earlier (but without his body camera turned on). While less malicious than framing someone, the end result is no less questionable: a cop stuffing drugs into an object for recorded "discovery" later. Either way, it's something no cop should be doing, especially when they're wearing body cameras they can activate at any time.

The numbers of dismissals will likely continue to grow. Mosby's office counts up to 338 possible dismissals so far, but characterizes these totals as "preliminary." The Baltimore PD, however, is spinning these dismissals in a different -- but wholly expected -- direction. While promising to "work to address the concerns" raised by the racketeering and footage-faking, police spokesman T.J. Smith claims these multiple cases of footage manipulation (there are four in total) are not indicative of larger, unaddressed problems with officer accountability.
Smith pointed out the importance of separating the four incidents, as they are "unique and independent of each other," adding that while eight officers are in federal prison for their criminal conduct, "the cases involving body-worn camera footage is still being investigated and no criminal wrongdoing has been proven."
Well, "unique" and "independent" except for the fact they all involved members of the Baltimore PD. Only a fool (or a police union spokesman) would believe these are the only times Baltimore officers have massaged camera footage and that the hundreds of cases edging towards dismissal will be the end of the prosecutorial bleeding. Misconduct of this type -- especially misuse of recording equipment -- tends to be a department-wide problem, rather than a few "bad apples" rising to the top of the barrel to be plucked and tossed by prosecutors.


posted at: 12:00am on 06-Oct-2017


