
111: When rivals hack, and "extreme" baby monitors


Why a business spat resulted in Liberia falling off the internet, how the US Government shutdown is impacting website security, and the perplexing world of extreme IoT devices.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Zoë Rose.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Zoë Rose.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. There's another app they talk about called Snooza Hero, and this attaches to a child's diaper and monitors baby's abdominal movements to track— not poop— breathing.


GRAHAM CLULEY. I don't think that's what they breathe through. I think that may be your first error there.


ROBOT. Smashing Security, episode 111: When rivals hack, and extreme baby monitors, with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 111. My name is Graham Cluley.


CAROLE THERIAULT. Ooh, how binary. I'm Carole Theriault.


GRAHAM CLULEY. And hello, Carole.


CAROLE THERIAULT. I know I geeked out there for a second.


GRAHAM CLULEY. You did, you did. You caught me off guard there. Whoa, whoa, man. And we are joined by special guest returning to the show, ethical hacker, Zoe Rose. Hello, Zoe.


ZOE ROSE. Hello.


CAROLE THERIAULT. Such a good job title, eh? Ethical hacker. It's like social warrior somehow.


GRAHAM CLULEY. Rocket scientist. It's pretty cool.


ZOE ROSE. I kind of like the whole, like, professional stalker. I'd be happy with that.


GRAHAM CLULEY. Really?


ZOE ROSE. Yeah.


CAROLE THERIAULT. I went to the dentist this week and they have a thing where it's like, what's your job? And of course, in my head, I'm like, well, why do you care? What business is it of yours? Right? And then I just thought, I'm just going to write podcast host. And then I felt a bit, I don't know, like, oh, Oh, that's it. Yeah, exactly.


GRAHAM CLULEY. A job for which no qualifications are ever required and in fact often a disadvantage, a podcast host.


CAROLE THERIAULT. Yeah, ours is really good. Just people don't know that. Not everybody anyway. Not yet.


GRAHAM CLULEY. So what's coming up on today's show, Krill?


CAROLE THERIAULT. Well, we've got a pretty cool lineup this week. We have you, Graham, talking about how a company shouldn't try and take down its competition. And Zoe, from her sickbed, talks about the cyber impact of the US government shutdown. Yours truly delves into the crazy world of smart baby monitors. You won't believe what they can do now. All this coming up. Are you not running a password manager in your organization? What are you thinking? Check out LastPass Enterprise. Just go to this URL: lastpass.com/smashing. Here you can learn all about what password managers can do for your firm, and you can learn more about LastPass Enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, slide on over to lastpass.com/smashing. I use them, so you should check them out. Hey, Graham? Yes? So I've got a problem.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. I use a cloud service. I put all my files and data up there, and I'm kind of nervous about prying eyes looking at it. Any advice?


GRAHAM CLULEY. Yeah, you've got to encrypt it.


CAROLE THERIAULT. Before I load it up?


GRAHAM CLULEY. Well, I would recommend so, because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement or any hacker who broke into your account. So what I would recommend is use a piece of software like Boxcryptor. It's what I run on my computer, and any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control. So the cloud service itself can't see the contents of the files which I'm putting on the cloud drive. It's all encrypted.


CAROLE THERIAULT. Cool, I'll check it out.


GRAHAM CLULEY. Go to Boxcryptor.com, and thanks to Boxcryptor for supporting the show this week. Now, do you chaps remember Mirai? Of course you do. In October 2016, the IoT, Internet of Things, botnet which launched a massive distributed denial of service attack on DNS service company Dyn. A law enforcement official just confirmed to me a few minutes ago that a second major cyberattack is underway right now. Throughout the day, it has been affecting internet traffic up and down the East Coast.


CAROLE THERIAULT. It's believed a virus harnessed the power of hundreds of thousands of internet-connected cameras, kettles, and thermostats to target sites in America and Europe.


GRAHAM CLULEY. The powerful and sophisticated cyberattacks coming wave after wave. Internet users in at least 6 countries, but mostly here in the U.S., unable to load popular websites like Twitter, Netflix, Amazon, PayPal, and a long list of others.


ZOE ROSE. Smashing Security.


CAROLE THERIAULT. Everybody got hit.


GRAHAM CLULEY. Yeah, Amazon, Reddit, Netflix, Twitter, Spotify, GitHub, all of these sites went down. Massive, massive attack. One of the hardest-hitting attacks the internet had ever seen. And the perpetrators of that attack, probably worried that they were going to get caught— spoilers, they actually were— although they only got probation, interestingly. But anyway, that's a whole different story. Those guys who were behind the attack, they released their source code onto the internet, maybe hoping that other people would create their own botnets. And so—


CAROLE THERIAULT. World disruption.


GRAHAM CLULEY. Yeah. If the source code is distributed, it means if law enforcement find it on your hard drive, it doesn't mean necessarily that you're the guy who wrote it. So you put it out there for everyone to copy. Well, it might do.


CAROLE THERIAULT. It might.


GRAHAM CLULEY. But you know, it's a way maybe of covering tracks, but it did allow others to create their own versions of the botnet from the blueprints of the original.


CAROLE THERIAULT. Yeah, just confusing and making the mess much, much worse.


GRAHAM CLULEY. Right. And it was a very successful piece of code. And some took that code and they used it to cryptomine, for instance. They exploited zero-day vulnerabilities, whereas others simply took it to launch more DDoS attacks. And that is what Danny Kaye did.


CAROLE THERIAULT. Danny Kaye.


GRAHAM CLULEY. Do you remember Danny Kaye? Zoe, you're probably too young to know who Danny Kaye is.


CAROLE THERIAULT. I have no idea who Danny Kaye is. What?


GRAHAM CLULEY. You have no idea? You're North American.


ZOE ROSE. I'm guessing that they're important.


GRAHAM CLULEY. Danny Kaye. Don't you remember? Wonderful, wonderful Copenhagen, friendly old girl of a town. Neath her tavern. Do you remember that? What about this one?


ZOE ROSE. You should sing more often.


GRAHAM CLULEY. Thumbelina, Thumbelina, tiny little thing. Thumbelina. Danny Kaye was a song and dance guy. He made loads of—


CAROLE THERIAULT. Based in the UK.


GRAHAM CLULEY. No, he's American, for goodness sake.


CAROLE THERIAULT. Well, I'm not American either.


GRAHAM CLULEY. North America. You don't have any culture in Canada. You borrowed a lot of American stuff. It would've been in the similar—


CAROLE THERIAULT. Have you heard of Poutine?


GRAHAM CLULEY. Have you heard of Avril Lavigne, Graham? Bieber, for goodness' sake, he's one of us. Anyway, it's not that Danny Kaye. It's a different guy.


CAROLE THERIAULT. Oh my God.


ZOE ROSE. So you're just making fun of us for no reason.


GRAHAM CLULEY. I'm not suggesting Danny Kaye, Danny Kaye, who's been dead for 30 years, I'm not suggesting he's been launching DDoS attacks. No, first of all, I am going to take you to Liberia in Africa.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Yeah, Africa, eh?


CAROLE THERIAULT. Yeah, I hear the drumbeats.


ZOE ROSE. Yeah, right.


GRAHAM CLULEY. Yeah, yeah, good.


CAROLE THERIAULT. Okay, we're there.


GRAHAM CLULEY. In Liberia, there is a big telecoms company called Lone Star.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And it has a rival called Cellcom. All right, now Lone Star is the leading phone and internet company in Liberia. If you're in Liberia and you're trying to get internet access, you'd probably go to Lone Star, right? But that was upsetting to the guys who worked at its arch-rival, Cellcom. And one of them decided he would use some dirty tricks to get the upper hand in the market.


ZOE ROSE. Ooh.


GRAHAM CLULEY. So yes, someone working for Cellcom decided they would hire a hacker.


ZOE ROSE. It was not me. Just gonna say.


CAROLE THERIAULT. I'm ethical. I wouldn't do such a thing.


GRAHAM CLULEY. Not an ethical one, Zoe. A naughty hacker.


ZOE ROSE. A naughty, naughty hacker. Okay.


GRAHAM CLULEY. With instructions to ruin Lone Star's service and reputation. And they approached Danny Kaye, not the one I was talking about, but a different Daniel Kaye, a British cybercriminal, to do their dirty work. And they offered him $10,000.


ZOE ROSE. Oh, nice. Maybe it shouldn't be.


GRAHAM CLULEY. Now you're tempted. Now you're thinking about it, aren't you?


ZOE ROSE. Oh, that would be quite lovely. Imagine how many ferrets I could buy with that.


GRAHAM CLULEY. Oh, here we go with the ferrets again. Daniel Kaye, also known as Popopret or BestBuy. BestBuy. Yeah, I imagine that domain name's gone if he's trying to grab it. He is one of the many folks who downloaded the source code for Mirai when it was published.


CAROLE THERIAULT. Aha.


GRAHAM CLULEY. And in November 2016, from his base in Cyprus, he hijacked a huge number of Chinese-manufactured webcams, ones branded Dahua.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Without the owners' knowledge. And ordered his army of zombies, which he now had under his control— not real zombies, but zombie devices— to attack Lone Star's systems, all controlled from his mobile phone. That's what hackers can do these days, launch DDoS attacks from their mobile phone and command thousands and thousands of devices.


CAROLE THERIAULT. So this guy's got control of the webcams and he's got them to attack Lone Star Systems.


GRAHAM CLULEY. Yeah, exactly. Lone Star's infrastructure is getting bombarded with all this traffic. So this is what Kaye was doing. And sure enough, Lone Star's infrastructure crashed. And Kaye thought, well, that's not quite good enough. What I'm also going to do is I'm going to grab all of these Deutsche Telekom routers, which I've hijacked in Germany, and I'm going to get all of those to attack Lone Star too. And at its height, the botnet had recruited over 1 million devices worldwide.


ZOE ROSE. Gee.


GRAHAM CLULEY. So it's a pretty big deal, just like the original Mirai attack. And the consequence was it wasn't just Lone Star which had a connectivity problem, but Liberia itself. The whole country effectively fell off the internet.


ZOE ROSE. Yeah, I guess that makes sense, doesn't it?


GRAHAM CLULEY. And users in Liberia were there trying to use their mobile phones and suddenly, hang on, my mobile phone doesn't have any connection any longer. I can't communicate with the outside world because the system has gone down.


CAROLE THERIAULT. And they wouldn't even be able to use Wi-Fi because that would be all cluggy too.


GRAHAM CLULEY. Exactly.


ZOE ROSE. Right now I can visualise all of this. You should read children's stories.


GRAHAM CLULEY. It's that simple.


CAROLE THERIAULT. Don't be insulted. Don't be insulted.


ZOE ROSE. That's not an insult.


CAROLE THERIAULT. Exactly.


ZOE ROSE. I'm visualising all of the little bits jumping off the edge of the world because, you know, they fall off the internet.


GRAHAM CLULEY. Like lemmings, aren't they, bits? There's a world bit shortage, you know. We've got to look after the bit. We have to. Anyway. It did lots of damage to Lone Star too. Lone Star's former chief executive, who has the name Babatunde Osho—


ZOE ROSE. Oh, I love it.


GRAHAM CLULEY. Well, I don't know if I got it right. He said that it had been a devastating attack. He said it seriously compromised our ability to provide a reliable internet connection to our customers. And Daniel Kaye's actions prevented our customers from communicating with each other.


CAROLE THERIAULT. He wasn't going to say it was nothing, was he?


GRAHAM CLULEY. No, but it had an impact on the bottom line as well, because people switched to competitors. People decided they didn't trust Lone Star anymore. Their annual revenue dropped by tens of millions of dollars, they claim, and they've got liabilities. They have to pay out for all the people who lost connectivity as well. So it was a pretty big deal. The National Crime Agency in the UK, they're the ones who caught and prosecuted Daniel Kaye, and they took him to court.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Where he admitted all sorts of wrongdoing. Interestingly, by the way, British law, unlike some other countries', allows a cybercriminal to be prosecuted for an offense committed anywhere in the world. So although he was at one point being spoken to by the German authorities, he was brought back to the UK in order to get him for the Liberia attack, and he's now been jailed for 32 months.


CAROLE THERIAULT. Huh.


GRAHAM CLULEY. Now, there's one extra little wiggle in the story though, which is that, remember, I said that an employee of Cellcom, the company, had hired him to launch this attack. And there is now legal action being taken by Lone Star against Cellcom. They're suing them for the attack. They're saying, okay, so we've got the hacker, great, but who paid them to do this? There's no indication that Cellcom knew that one of its employees had hired Daniel Kaye to hack and to launch this DDoS attack. But in his own testimony, Kaye says that he was hired by the company's CEO. So they can say that none of our employees—


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. I'm not pointing any fingers.


CAROLE THERIAULT. Actually, a CEO is an employee.


GRAHAM CLULEY. A CEO is an employee.


CAROLE THERIAULT. So you can't say that.


GRAHAM CLULEY. And maybe Kaye was telling a fib or—


ZOE ROSE. But maybe he's like, none of my employees. Or something like that.


GRAHAM CLULEY. Yeah, oh, very clever.


ZOE ROSE. I don't know anyone that hired outside of me or something, just cut off the last bit.


CAROLE THERIAULT. If anyone was negatively affected by my actions, I would like to offer an apology.


ZOE ROSE. Yeah.


GRAHAM CLULEY. So companies, watch out because it's not always just pizza-eating bad guys who are launching DDoS attacks.


CAROLE THERIAULT. It could be greedy rivals.


GRAHAM CLULEY. Yeah, it could be rivals as well.


ZOE ROSE. You know what? That is actually more common than you could imagine. I'm actually surprised, having the cases that I've worked on, that it has been a rival. Maybe they'd be better if they like had more sauna.


CAROLE THERIAULT. Sauna?


ZOE ROSE. Yeah, just relax in a sauna.


GRAHAM CLULEY. I can think of nothing less relaxing than being in a sauna dripping with sweat. No, it's more the other naked people with pieces of birch. I don't want to be around that. What's gonna— why am I in this water park?


CAROLE THERIAULT. With ladles, with ladles. Yeah, with ladles.


ZOE ROSE. What, ladles? Yeah, don't they?


CAROLE THERIAULT. I used to have a ladle.


ZOE ROSE. But why is there multiple ladles?


CAROLE THERIAULT. Can people bring their own?


GRAHAM CLULEY. Yes. You don't want to reuse someone else's ladle. You don't know what's been dangling in it.


ZOE ROSE. Oh, okay.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Very good advice.


GRAHAM CLULEY. Yeah.


ZOE ROSE. No, I just got back from camp and after class, after jiu-jitsu, we all go into the sauna and it's really hard to be angry at people when you're all sat naked being, like, drenched in sweat. Because you all look miserable and you are pretty miserable, but it feels really good. And then you go out in the snow and, like, freeze your butt off, and then you come back. So I feel like if they all kind of spent that bonding time of freezing their butt and then warming it, they'd be less grumpy.


GRAHAM CLULEY. You know what, jail suddenly seems so much more appealing. Zoe, what's your story for us?


ZOE ROSE. So everybody knows about the government shutdown. The exceptionally long government shutdown in the US of A.


CAROLE THERIAULT. Yeah, yeah.


ZOE ROSE. And on my Twitter feed, all I've seen is fast food. Don't know why, but, um, that's what's going on right now. So they're ordering a lot of fast food, but what they're not doing, what they're not doing, is renewing their TLS certificates.


GRAHAM CLULEY. So Zoe, for people who aren't, you know, up to speed on website security, what actually are these certificates and what do they do? What's the benefit of having them in place?


ZOE ROSE. I remember Troy Hunt explained it. It's that little handbag in the top corner of the URL bar.


GRAHAM CLULEY. You might have a handbag, I have a padlock next to HTTPS.


ZOE ROSE. Yeah, but apparently, apparently some people think it's a handbag because it's on shopping websites.


CAROLE THERIAULT. Of course, I love it.


ZOE ROSE. Yeah, I know, that made me so happy. I then wanted to get a handbag that looked like it.


GRAHAM CLULEY. Specifically, it's, it's telling you that any information you send from your computer to its server is encrypted in transit.


ZOE ROSE. Correct. And then anything back is again encrypted.


GRAHAM CLULEY. So tell us, what's going on with TLS certificates?


ZOE ROSE. Well, apparently, according to the government's website, nothing. They're not updating them. So essentially, their websites are— well, two things: they're manually set, so somebody manually has to renew the certificates every year or whenever they expire, which sounds like, oh, it's not that big of a deal, but could you imagine how many websites they have? And it's a pretty big, important thing that you go to your website of the government and it's like, "Oh, is it secure? No." Do they actually care? They care more about a wall to physically block it than online security, which is a much bigger landscape.


CAROLE THERIAULT. In these government shutdown scenarios, they only keep a skeleton staff to look after the critical systems. Like food ordering. Yeah, like food. Well, didn't he do that himself?


ZOE ROSE. Actually, I have no idea. It's just all over my feed and it's really annoying because I've blocked him, so you'd think it would stop showing up. Anyway, it's annoying.


CAROLE THERIAULT. But so what you're saying is they didn't think that these certificates were critical.


ZOE ROSE. And that's what the second point I was going to make is, is not only are they manually doing it, but they also are not prioritizing their citizens' security, right, when they access these websites.


GRAHAM CLULEY. Right.


ZOE ROSE. And whilst you think, okay, well, you know, that's still available, maybe that's okay. But not all the websites are available because some websites, they've set up HSTS, I think is the thing.


GRAHAM CLULEY. Yeah.


ZOE ROSE. So basically it means if it's not going to it securely, it's not going to go to it at all, which my security by design heart is like, that is lovely, except for the fact that when you don't renew it it's not going to be able to be accessed.


CAROLE THERIAULT. Can I ask you a question, Zoe?


ZOE ROSE. Yeah.


CAROLE THERIAULT. So imagine if you had been working for a month now for the government without pay, and you were in charge of updating these certificates. As an ethical hacker background person, which way do you go?


ZOE ROSE. Well, I am a very strange person, and I really like—


GRAHAM CLULEY. No, I can confirm this.


ZOE ROSE. But no, I do a lot of volunteer work. The reason I got into security has always been to be the person I needed 10 years ago. So I would prioritise doing the certificate renewal. However, I do not work for the government and I don't know what other tasks they've got going on. So I imagine, not to be all pointing the finger, it's their fault, they're horrible people, but I imagine their task list went from being pretty big but manageable to being holy moly, I am drowning.


GRAHAM CLULEY. Well, and also, I mean, there probably are considerable numbers of websites which are affected by this, and there can be costs associated with getting a new website security certificate.


ZOE ROSE. But, uh, Let's Encrypt.


GRAHAM CLULEY. Well, yes, you can do that, and then it— and then it would— if you were using Let's Encrypt, then they would be automatically renewing themselves, right? Yeah, and there is no cost. So they clearly haven't been set up in that fashion, which is a choice which they've made, which is fair enough. But if you haven't— if you have a country where they keep on having government shutdowns and these sorts of things happen, I think we've had 4 in the last couple of years, then now's the time to take action, isn't it? To prevent it from being a problem in future.


ZOE ROSE. Because everybody knows that, you know, your disaster recovery, your business continuity plans, they're all fine and dandy until something happens. Then you realize, oh, this wasn't covered. So it could potentially be that they just didn't put 2 and 2 together before it shut down, because there was— they did mention in some articles that there were some certificates that did expire right before the shutdown but never got a chance to be renewed, right? So they're out of date still. So it's— I can't imagine it's malicious. I can't imagine it's a lack of caring. I suspect it's just they're doing— like, the people that are actually, like, trying, they're doing as best they can. They're going to miss things. It's just unfortunate that the general public are the ones that are being punished for this, because the information isn't always available, because some of the sites are not available, and the sites that are could potentially be compromised.


GRAHAM CLULEY. And the longer the shutdown carries on, the more websites are going to start to crumble a little bit, or things aren't going to be renewed, or updates aren't going to occur.


ZOE ROSE. I always view hacktivists as like people that do political graffiti on websites because like they can do— I mean, as the websites are, you know, compromised, as the systems are more vulnerable, because if they're not doing certificates automated, you know, what's their vulnerability testing like? What's their patch management testing like? It's a huge concern, especially if you're a country that some places don't seem to like you that much, you know. I mean, I'm not pointing the finger at anyone, but I mean, that's, that's a potential that they're increasing their risk.


GRAHAM CLULEY. Oh, absolutely. I mean, if a new vulnerability became publicly known about some web server software which is widely used in the US government, is there anybody to roll out that patch across those systems urgently, or is there going to be a big data breach? Yes.


CAROLE THERIAULT. Can you imagine that phone call? Hi, Frank. Hi, Frank.


ZOE ROSE. Hi.


CAROLE THERIAULT. Yes, sorry, I know you haven't been paid for 6 weeks, but can you help us out here?


ZOE ROSE. Yeah, I know that you're, you know, angry and potentially a disgruntled employee that may become an insider threat, but could you fix this quickly? We're not going to pay you for it, but we'll give you a pat on the back.


CAROLE THERIAULT. Help us out.


GRAHAM CLULEY. Kroll, what have you got for us this week?


CAROLE THERIAULT. I think we can all agree that generating fear and doubt is a surefire way that companies adopt to land grab customers, bump up profits, that sort of thing. Insurers will convince you that, of course, something bad might happen. Wouldn't it be great if they were there for you? Like, say there's a car accident or you get robbed or you lose your job. You've got ads aimed at teens as well, like telling them they won't feel so awkward and insecure if they have the latest smartphone or if they eat avocados. What? It's true. We've also got what I want to focus on today. And this is a plethora of smart devices aimed specifically at parents, like smart baby monitors. Now, we all know there's a lot of joys to being a brand new parent, right, Graham? You come home with this brand new life that you've created.


GRAHAM CLULEY. You do. You do. Yes.


CAROLE THERIAULT. And now the scary bit is you've got to keep him or her alive.


GRAHAM CLULEY. Oh, it's petrifying.


CAROLE THERIAULT. Yes, I bet it is. Exactly. Now, of course, parents are naturally built for this job. Otherwise, none of us would be here today. I mean, it's as natural as falling in love or having a poop, right?


ZOE ROSE. Oh, I'm female. We do not do those disgusting things.


GRAHAM CLULEY. At least not at the same time.


CAROLE THERIAULT. And now, baby monitors. This niche industry has skipped along at quite a clip. Recently, we are now beyond smart baby monitors. Let me introduce you to extreme baby monitors.


ZOE ROSE. Extreme?


CAROLE THERIAULT. Extreme.


ZOE ROSE. Do they like monitor the baby's like heart and breath and all the other things?


CAROLE THERIAULT. It's like you're reading my mind.


ZOE ROSE. What, really?


GRAHAM CLULEY. Do they?


CAROLE THERIAULT. According to an article in Marketplace, there's some crazy stuff out there. Check this out. Now let me introduce you to Owlet. Now this is $300. It's a smart sock that wraps around a child's foot and it claims it can monitor the child's heart rate and oxygen levels while they sleep.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Right? And parents can have an accompanying app for sleep data and they can, you know, monitor their child and see everything and kind of track stuff.


GRAHAM CLULEY. Mm-hmm.


CAROLE THERIAULT. There's another app they talk about called Snooza Hero.


ZOE ROSE. Snooza Hero.


CAROLE THERIAULT. And this attaches to a child's diaper and monitors baby's abdominal movements to track—


ZOE ROSE. Oh!


CAROLE THERIAULT. Not poop. Breathing.


GRAHAM CLULEY. I don't think that's what they breathe through. I think that may be your first error there.


CAROLE THERIAULT. So if the child doesn't move for 15 seconds, the company says the device will vibrate in an effort to rouse the child. And if movement stops for 15 seconds on 3 occasions, parents will be alerted. Okay, now this runs at $110.


ZOE ROSE. $110 diaper.


CAROLE THERIAULT. Dollars.


ZOE ROSE. No, I meant $110 diaper.


GRAHAM CLULEY. Are they reusable or do you have to get a new one?


CAROLE THERIAULT. Well, it's not a diaper. It's kind of like this thing attaches to the child's diaper.


ZOE ROSE. You know what? This sounds like— I attended a talk recently that was absolutely brilliant. Um, this guy and his like obsession with technology. It was great. But he even mentioned, you know, I have to take time off and go out to the country and do like have no access to technology. And like, now this company is like starting babies young. Pretty soon we're not going to be able to— we're not going to be able to function without technology. Another, another interesting point he made was how we have all this technology to teach us how to be human again.


CAROLE THERIAULT. Yeah, it's crazy, isn't it? Because that's exactly it. So it seems as though these two tools seem to market themselves as a way of easing your parental anxiety about your baby.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So I did a little digging into these two extreme baby monitors. And I don't mean just reading their web pages for their marketing campaigns. I looked into their T&Cs and privacy agreements. And I want to invite you on my little choo-choo train of basic recon. And this is to help people who have to purchase any smart device, be it for your baby, your home, your health. These are the kind of things I say you need to look at. Right. So first stop is data collection. What are they collecting from you and what do they do with it? The Smart Sock creators, Owlet, they grab info like sleeping habits from your baby and your use of the app. So your IP address, length of time you use it, your location, web browser info, and even unique device identifiers. And in their privacy agreement, they state that we may share your information with our vendors, service providers, and other third parties that perform services on our behalf. So they're okay to share information. Snooza says they don't disclose any personal information to third parties whatsoever, and they purely just use the information to provide services.


ZOE ROSE. Yeah, but what if they get, you know, purchased?


CAROLE THERIAULT. Well, very good point. And even with those good intentions, you might say at this point, okay, I'm more happy with looking at Snooza, for example, in this situation. You know, they're not selling my data. They're not leaving that door open in their privacy agreement. But the second stop, of course, is security, right? So even if they have no intention of sharing the data, if they're a victim of a data breach attack or something, then the intention is moot. So I wanted to look at their infosecurity in their agreement.


ZOE ROSE. Right?


CAROLE THERIAULT. Honestly, I found both websites to have crappy info about how they see security, and neither filled me with confidence. Now, that's not to say that they have crappy security. The information they provide on their site and in their agreements is about as bog-standard as you can get. And I think it's probably okay if it was a Joe Schmo retail product, but it's not, right? It's a smart device. So they have little lines like, we take reasonable steps to, and we use certain technical safeguards, but there's nothing specific.


ZOE ROSE. Do they say we have bank-level or military-level security?


CAROLE THERIAULT. Ha ha ha ha ha ha ha.


GRAHAM CLULEY. No. They never say what bank, do they? That's the thing which worries me.


ZOE ROSE. Well, I always, I'm always like, I've worked for banks. You have that level of security? Oh, but no, that's interesting.


CAROLE THERIAULT. Now, neither guarantees the security of your data. And okay, I get that. But neither says what recourse will be available to you as a customer should they get hit by a breach or whatever. So in other words, they're basically saying, use this product and trust our data collection and management at your own risk.


ZOE ROSE. And it's also saying we don't actually know what the risk is, so please don't sue us.


GRAHAM CLULEY. That's true of most companies though, isn't it, Carole? You know, I mean, most companies on their websites probably say, look, we're not going to guarantee anything, we're certainly not going to claim this is wrapped around your baby's body. I mean, I'm glad you said body. I was wondering where you were going to go there.


ZOE ROSE. Well, it's wrapped around the baby's bottom.


GRAHAM CLULEY. Oh, there you are.


CAROLE THERIAULT. Yeah.


ZOE ROSE. And the foot.


CAROLE THERIAULT. Now we're at our final, third and final stop, right? Right. Of our top level. So it's trust. So who is saying that this smart device works, right? Who's overseeing the use of it? What's the security of it? You know, what's the quality of the smart baby monitor? To my mind, the website should be full of endorsements from trusted consortiums and organizations or whatever, loaded with trusted medical professionals recommending them.


GRAHAM CLULEY. At the very least, they have a Kardashian, shouldn't they, on the front page?


ZOE ROSE. Or 9 out of 10 doctors.


GRAHAM CLULEY. Kanye and Kim with North West saying, we put this on our baby's bottom, and as a result, there are no unexpected gusts. We're able to monitor their breathing. Everything's wonderful. That's the sort of thing I think in today's social media obsessed age, we need people like them to tell us which smart devices to get.


ZOE ROSE. Could it sync to a Twitter account? The baby poops.


GRAHAM CLULEY. I think you've just given them an idea. Thank you for that, Zoe.


CAROLE THERIAULT. So none of these sites seem to have anything that I could find which suggested, yeah, this is endorsed by something trustworthy.


ZOE ROSE. Not even a psychiatrist or something?


CAROLE THERIAULT. No, they have parents saying, oh, this makes me sleep much better at night. They have those kind of messages, but nothing from any authority. And the problem is this, you know, smart companies are jumping on the bandwagon to secure market share, to make a buck. I don't feel they're consulting internet security experts enough or providing sufficient evidence that they're taking security seriously.


ZOE ROSE. Well, they haven't called me, so clearly—


GRAHAM CLULEY. or if they, or if they are, they're not then communicating. Exactly right.


ZOE ROSE. Yeah.


CAROLE THERIAULT. So I have a solution here. So if you're a consumer, if you're a consumer, be you a company or an individual, you've got to get comfortable with reading the small print. You've got to read the privacy agreements, and you've got to ask yourself, what do they collect? What do they do with it? And who's recommending this product? And as a manufacturer, why are you not partnering with trusted security teams that can help you bake in security from the get-go? Think about future-proofing so it can be updated in future and then brag about it all over your site. You know, it'll build public confidence. It'll lead the way for others to do the right thing to protect consumers.


ZOE ROSE. Yeah, I mean, there are some websites that do it. Like, um, an example is Threema. I really like the way that they explain how their software works because they're security-focused, they're privacy-focused, and so they make sure to explain to their users, who tend to be technical anyway, but they explain it quite non-technically and it's brilliant. I wish more organizations took the time to do that.


CAROLE THERIAULT. Yeah. You know, if you take these steps, it'll help avoid stories and headlines like Engadget's "Fisher-Price baby monitor: It's a rash machine" is what the review said. So look, it says Sproutling, which is the name of the Fisher-Price baby monitor. "Sproutling isn't really a baby monitor. It's a solid sound machine paired with a terrible sleep tracker and buggy app. Almost nothing works as it's supposed to, and there are countless questionable design decisions. And beware if your child has sensitive skin, the wearable will not sit well with them." And it's $250.


ZOE ROSE. Oh man.


CAROLE THERIAULT. And, you know, this is a kind of recognized name, right? Fisher-Price is not something that, you know, it's not like some new kid on the block. So, you know, keep your wits about you. Be savvy out there.


GRAHAM CLULEY. The New Kids on the Block might be available if Kanye West isn't available because they're not such big stars these days.


ZOE ROSE. Getting there. Just a thought.


GRAHAM CLULEY. Just a thought.


CAROLE THERIAULT. You're so hip with the kids, James.


GRAHAM CLULEY. Oh, yep. That's me.


ZOE ROSE. Yep.


CAROLE THERIAULT. Thank you.


GRAHAM CLULEY. And you join us on our favorite part of the show. The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


ZOE ROSE. Pick of the Week. I got it this time.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Definitely shouldn't be.


GRAHAM CLULEY. Well, mine isn't security-related necessarily. Congratulations, Graham.


ZOE ROSE. Thank you.


GRAHAM CLULEY. Mine is. No, it's all right if it is, Zoe. It's all right. We're coming to you in a moment.


ZOE ROSE. Okay, I've got a different one.


GRAHAM CLULEY. It doesn't have to be necessary. I've got a different one.


ZOE ROSE. I've got a book.


GRAHAM CLULEY. Don't listen to her, Zoe.


CAROLE THERIAULT. Yes, definitely listen to me.


GRAHAM CLULEY. The Namib Desert in southern Africa is not my pick of the week, but it is believed to be the oldest desert in the world, having been there for 55 million years. I don't know how they test that.


ZOE ROSE. So just a couple years, then, yeah.


GRAHAM CLULEY. Just sand dunes and all the rest of it. And a Namibian artist going by the name of Max Siedentopf has set up a sound installation somewhere at a secret location in the 81,000 square kilometre desert to play on endless loop the song Africa by Toto.


CAROLE THERIAULT. Oh my God, that is like noise pollution beyond anything I can imagine.


GRAHAM CLULEY. I have included a link to YouTube. It's set to play forever. It's a solar-powered MP3 player with only one track being Toto's Africa.


CAROLE THERIAULT. God, listen to the wind. It kind of enhances the song, if that's possible.


ZOE ROSE. No! Is it really that good a song though?


CAROLE THERIAULT. No, Zoe, it is not.


GRAHAM CLULEY. If you are marooned in the Namib Desert and feeling a bit lonely and you stumble across it, it would be a rather magical experience, I think.


CAROLE THERIAULT. How far would that sound carry? There's nothing blocking it, it's just sand.


ZOE ROSE. Won't the speakers and that just be covered and it will just be underground?


CAROLE THERIAULT. One can only hope.


GRAHAM CLULEY. Well, Siedentopf says that he hopes the song will play for 55 million years, but he does accept that the harsh environment, the desert, might mean that the installation is devoured by the dunes. All I can tell you is, if I hadn't become a podcaster, I would have loved to have been a modern artist and done something like this.


CAROLE THERIAULT. Do you know what I would have loved for you? I would have loved that you were out in the desert and singing out there for everyone in the desert to hear.


GRAHAM CLULEY. A bit more Danny Kaye? Is that what you'd like? Salty old queen of the sea, once I sailed away.


CAROLE THERIAULT. Oh, please, Graham. Seriously, we really want to continue our friendship. This is the second time in the show.


GRAHAM CLULEY. Zoe, what's your pick of the week?


ZOE ROSE. I've read a brilliant book, actually, and I am completely lying. I did not read it. I listened to it on audiobook.


CAROLE THERIAULT. Oh, you experienced it. That's what my brother and I call it.


ZOE ROSE. Yeah, yeah, yeah. And it is called The Brain: The Story of You by David Eagleman.


CAROLE THERIAULT. Okay.


ZOE ROSE. And it's actually read by the author, which I love because often it's read by someone else and it makes me sad. And he has a nice voice, which is important. But essentially, it is a book talking about the brain. It's talking about the development of the brain from being a baby. It's talking about, as you get older, how you learn things, how do you become natural at things, why you act the way you act, you know, all of those good stuff. Anything from, you know, why you're born without knowing how to walk, for example, whereas animals just get up and walk. And why— another example is people that have received Botox actually have a harder time understanding other people's emotions because they don't have the muscle feedback from their face. Because when I'm talking to somebody, I mimic them, I mirror them slightly, and that feedback actually helps me understand, which I thought was actually brilliant.


CAROLE THERIAULT. He's a pretty big dude, David Eagleman.


ZOE ROSE. Yeah, you know, he's got—


CAROLE THERIAULT. he's a neuroscientist, Stanford University.


ZOE ROSE. Oh, you're him right now.


CAROLE THERIAULT. Yes, I thought I knew, I thought I'd read something from him, but I don't think I have. A big recommendation from Zoe to read David Eagleman's The Brain.


GRAHAM CLULEY. And as with all the pick of the weeks and other things which we've mentioned in the show, we put this as a link in our show notes. And so if you go to your podcast app, you should be able to view the show notes there or go to smashingsecurity.com. Carole Theriault, what's your pick of the week?


CAROLE THERIAULT. Okay, mine is also a book.


GRAHAM CLULEY. You're both such eggheads.


ZOE ROSE. Oh, I hadn't— I had a nap to begin with.


GRAHAM CLULEY. Okay, there's no time for that now.


CAROLE THERIAULT. So during the break, I was able to catch up with some reading, and my pick of the week is a book called The Coddling of the American Mind. It's written by Greg Lukianoff and Jonathan Haidt. The book looks at the issue of an increasing number of students wanting to be almost protected or safeguarded from arguments they find challenging or upsetting or whatever. And this book is kind of— looks at all this from different points of view, but with always social psychology or cognitive behavioral therapy in mind. So it details some pretty harrowing situations, from screaming matches between students and teachers to riots where students display classic mob tendencies in order to get their demands met. And the book tries to figure out how did this happen? Why are students acting this way now? And how do we stop it from getting worse? And how do we fix it? How do we address what's going on? Anyway, really, really interesting read. It does talk a lot about cognitive behavioral therapy. So if you want to learn about that, it's a great intro. The two authors actually collaborated on an article with the same title, The Coddling of the American Mind, for The Atlantic a few years back. So you could check that out first if you think that's interesting. Then I suggest buying the book or experiencing the book as an audiobook. There you go.


GRAHAM CLULEY. Did you read it, Carole, or did you experience it?


CAROLE THERIAULT. No, I read it. I read it. No, I read it.


ZOE ROSE. Well, it must have had a lot of time.


CAROLE THERIAULT. I think it's like, I like dividing my life. I spend a lot of time online, right? And I spend a lot of time listening to podcasts. And so sometimes I need to unplug, and a book is something I've always gone to for that. So I'm a bit of a bookworm, old school.


GRAHAM CLULEY. Paper book, or was it a Kindle or... A hard copy book, actually.


CAROLE THERIAULT. Yeah, yeah, yeah.


GRAHAM CLULEY. Well, there you go. Well, jolly bloody, bloody good, Carole. Carole, Carole. Well done, you. That just about wraps it up for this week. Zoe, if anyone wants to— of course they will— if folks out there want to follow you on the social medias, what's the best way to do that?


ZOE ROSE. Twitter, mainly. Yeah, Twitter. Because if you add me on Facebook, I'll think you're a creep. It's true though, people I'd meet, I'm like, who are you? Anyway, um, so yes, Twitter, uh, you can follow me at 5683monkey, or if you like ferrets, 5683ferret. Um, I've gotten a lot of followers on that one recently, so don't know what that says about me, but love it.


GRAHAM CLULEY. Okay, fantastic. And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have a G. And you can also check out our online store where folks have been buying an array of fun mugs and t-shirts and stickers emblazoned with our logo or our catchphrases at smashingsecurity.com/store.


CAROLE THERIAULT. Thank you as always for listening to the show. And thank you to our sponsors this week, Boxcryptor and LastPass. And if you like the show as much as we like making it, throw some love our way in the form of telling your friends or even leaving us a review.


GRAHAM CLULEY. Fantastic. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye everyone.


ZOE ROSE. Now you can tell that person they can give you a 5-star because they gave you 4 stars.


GRAHAM CLULEY. Remember?


CAROLE THERIAULT. Yes. Why did they give us 4 stars again?


ZOE ROSE. I need to come back apparently.


CAROLE THERIAULT. Oh yeah, yeah, go change your star rating, dude.

-- TRANSCRIPT ENDS --