Twerking robot assistants, an app from Saudi Arabia that lets men track women, and a gnarly skiing security snarl-up!
Oh, and find out how a didgeridoo could change your life and that of your loved ones.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Geoff White.
Sponsored By:
- Recorded Future: For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
- "The Threat Intelligence Handbook" is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.
- Download it for free at smashingsecurity.com/intelligence
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- A Jibo twerking — YouTube.
- Tweet by Dylan Martin about Jibo — Twitter.
- After Being Sold to a VC Firm, this $899 IoT Robot Will Soon Brick Itself — Motherboard.
- Your $350 Nike self-lacing sneakers aren't as smart as you hoped — Graham Cluley.
- Absher app — Wikipedia.
- Apple and Google Urged to Dump Saudi App That Lets Men Track Women — New York Times.
- Hacking ski helmet audio — Pen Test Partners.
- That's a nice ski speaker you've got there. Shame if it got pwned — The Register.
- Fleabag is back - and she's found religion — BBC News.
- Fleabag — BBC iPlayer.
- Jill Abramson: Ex-New York Times editor accused of plagiarism — BBC News.
- Password advice. Don't tell people to not reuse passwords. You might get a letter from this guy's solicitors... — Twitter.
- Moneyland: Why Thieves And Crooks Now Rule The World And How To Take It Back — Amazon.com.
- Play the Didgeridoo for Sleep Apnea and Snoring Relief — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. What we need is a march. What we need is a parade of Jibos twerking their way to Trafalgar Square demanding that they be put back online.
GEOFF WHITE. Yeah, what do you want, Jibo? When do you want it? At some stage in the future.
ROBOT. Smashing Security, Episode 118: The S in IoT stands for Security, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 118. My name is Graham Cluley.
CAROLE THERIAULT. And I'm the lovely Carole Theriault.
GRAHAM CLULEY. The lovely Carole Theriault?
CAROLE THERIAULT. Well, I've decided—
GRAHAM CLULEY. What's all this about? Bring back the old Carole Theriault.
CAROLE THERIAULT. I'm going to be very nice today. I've decided all day I'm nice to all people and I've not been great at it. So, so this is going to be the true test this episode.
GRAHAM CLULEY. What's brought this on? Have you had a bad review on iTunes or something? What's, what's, what's changed your character?
GEOFF WHITE. No, I just, I don't know.
CAROLE THERIAULT. I just didn't want to be grisly.
GRAHAM CLULEY. Oh, okay. All right. Well, we're joined this week by a special guest. It's technology journalist and star of the Cybercrime Investigations podcast, Geoff White. Hello, Geoff.
GEOFF WHITE. Hi, how are you guys doing?
GRAHAM CLULEY. All right. Not too bad.
CAROLE THERIAULT. Great. Thanks for coming on the show, Geoff. I know you're super busy. So nice to have you here.
GEOFF WHITE. No, it's really nice. It's really nice. I am, as some people know, writing a book about cybercrime at the moment. So frankly, any excuse to do anything other than write a book is— if anybody's got any ironing, I'll take that in. Oh, do you iron?
CAROLE THERIAULT. Because I hate ironing.
GEOFF WHITE. I hate it, but only marginally less than I hate writing a book.
CAROLE THERIAULT. So are you writing it longhand or are you typing it?
GRAHAM CLULEY. Have you got a quill? Are you carving it into a piece of stone?
GEOFF WHITE. I'm doing it in semaphore, which just makes the whole thing a lot easier. It's my preferred medium. I tried modern dance, but that was quite— that was more difficult.
GRAHAM CLULEY. Well, Carole, what have we got coming up on this week's show?
CAROLE THERIAULT. Another doozy is lined up this week. Graham, you are going to be introducing us to the Jibo or Jibo. Geoff, you're off to Saudi Arabia and looking at a slightly creepy app. And I'm hitting the slopes with a new not-so-smart toy that fits into your brain bucket or helmet. All this coming up on Smashing Security.
GRAHAM CLULEY. [MUSIC] Right, well, chaps, we are all familiar, aren't we, with digital assistants or dinguses, or maybe it should be ding guy, things like Siri, Google Assistant, or dare I whisper it, A-L-X-A. Well, they're not the only digital assistants that people have in their homes. Have either of you ever heard of the Jibo? No.
GEOFF WHITE. No. Oh, but hang on. Does this— oh, because I'm called Geoff with a G, I'm already interested. Because it sounds like Jibo sounds like something that G White should have.
GRAHAM CLULEY. I'm afraid it's Jibo with a J. Oh, is it? Obviously, I imagine you look down at Geoff spelt with a J.
GEOFF WHITE. It's the inferior spelling, but—
GRAHAM CLULEY. Yeah, it's like Graham with an E. I tend to look down on them as well. I totally understand what you're talking about. You just feel like a better person.
CAROLE THERIAULT. I let— yeah, Kroll with an E. Exactly.
GEOFF WHITE. Oh, see, I pronounce that Jibo then. Wouldn't that make—
GRAHAM CLULEY. Oh, I don't know.
GEOFF WHITE. Anyway, sorry.
GRAHAM CLULEY. As if this podcast is about pronouncing names properly. Right, Kroll?
CAROLE THERIAULT. Exactly, Graham.
GRAHAM CLULEY. So the Jibo is a chubby robo-buddy developed by robotics boffins who came from MIT. And it was an attempt to make home-based robots more social and, well, just generally cuter. And the Jibo is kind of cute. It's animated. It's got more character than the likes of Siri and Alexa.
CAROLE THERIAULT. You mean animated like it moves around?
GRAHAM CLULEY. Oh, yes, Carole, it does.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Let me point you towards a video of the Jibo, not just looking at you and blinking and taking photos and having a conversation with you, but also dancing.
CAROLE THERIAULT. Bops around.
GEOFF WHITE. Wow. Oh, I see.
CAROLE THERIAULT. Better dancer than my husband. That wasn't very nice.
GRAHAM CLULEY. Ah, cute. You say cute. I say slightly vulgar. It's a little bit like twerking, I think, is what it appears to be doing.
CAROLE THERIAULT. You think that looks vulgar?
GRAHAM CLULEY. Yes, I do. Definitely twerking.
CAROLE THERIAULT. Yeah, I kinda see that.
GEOFF WHITE. Sorry to interrupt, but I've just looked at a picture of this thing. It's been bugging me what it reminds me of. This thing is the bastard lovechild of HAL from 2001: A Space Odyssey and a Minion.
GRAHAM CLULEY. Yes.
GEOFF WHITE. That's what it looks— it's a cross. HAL meets Minion in space.
CAROLE THERIAULT. Yes, it is HAL though.
GEOFF WHITE. The one eye, the one glowing eye.
GRAHAM CLULEY. Anyway.
CAROLE THERIAULT. Exactly.
GEOFF WHITE. Sorry, Graham, I've interrupted. Sorry about that.
GRAHAM CLULEY. No, no, no, no, no, no.
CAROLE THERIAULT. It made the story much more interesting.
GRAHAM CLULEY. Absolutely. It's much better than what I was thinking.
CAROLE THERIAULT. That wasn't nice, Kroll.
GRAHAM CLULEY. Oh, sorry. Please, please be nice, Kroll. Anyway, some people loved the Jibo. It could do cool things like facial recognition. We're big fans of facial recognition on this podcast, aren't we? It could learn your name. Could turn towards you when you entered the room and sort of knew where you were and how to address you. But it wasn't all fun. Jibo couldn't make phone calls or read you notifications or give you directions or read the kids a bedtime story. You couldn't disable its camera or microphone other than to completely and utterly shut it off.
CAROLE THERIAULT. So it was out of the race when you compare it to the other home assistants.
GRAHAM CLULEY. And it cost $899.
CAROLE THERIAULT. Ooh, that's an expensive widget.
GRAHAM CLULEY. It's a lot more than an Amazon Echo, isn't it? Or a Google Home, which can arguably do a lot more. So for some time, despite new features occasionally being added to the Jibo, people have been worried about its future because it costs so much money and how could it compete with Google and Amazon? And those fears were only compounded late last year because Jibo's intellectual property got gobbled up by an investment firm. Which clearly had no interest in really keeping the devices alive. And this week, and this is why I'm talking about it now, this week the axe appears to have finally fallen on this social robot because a new update was pushed out to Jibo. And as with any other update pushed out to Jibo, the owners could ask it, well, what does your new update do? Because as it installed, it would say, fantastic, wonderful new things are being installed, it would say. But to get the details, you had to press a button. And some of the owners made a video of the robot explaining what its update was going to do.
JIBO. While it's not great news, the servers out there that let me do what I do are going to be turned off soon. Once that happens, our interactions with each other are going to be limited. I want to say I've really enjoyed our time together. Thank you very, very much for having me around.
CAROLE THERIAULT. Owners are getting dumped by their Jibo?
JIBO. Maybe someday, when robots are way more advanced than today and everyone has them in their homes, you can tell yours that I said hello. I wonder if they'll be able to do this.
GRAHAM CLULEY. And at that point, the robot began to dance. Aww.
CAROLE THERIAULT. Swan song. Death dance.
GEOFF WHITE. I've got issues with it.
GRAHAM CLULEY. You've got issues with it, Geoff. You should check out the Jibo owners Facebook group. According to Motherboard, some owners have been explaining to their young children that Jibo was dying. And how they hugged Jibo hard, and how parents and children were left in tears at the loss. Can you imagine?
GEOFF WHITE. Right, so people have paid $900 for this thing, right? Mm-hmm. They have, at that point, they've bought a product which functions at the time you buy it in a certain way. Later, because it's connected to the internet, it's then effectively disabled. That surely, that's got to be against trading standards, hasn't it? I mean, you can't disable a product somebody's bought that was functioning at the time they bought it. Where'd you get your money back? Yeah, this is insane.
CAROLE THERIAULT. I wonder if you could decouple it from its software so you could just actually play around with it, basically unbrick it. Maybe then it— you separate the software from the hardware. But yeah, you're right, but you don't have it. You don't have your money back.
GEOFF WHITE. We don't have an ongoing contract. No, it's not like you pay them each month. This is— you bought, you paid your money, you connected to the server. Was it in the contract that at some stage— I mean, I just think, you know, I think legally we need to sort this out because this will happen to other things, won't it? Unless, unless— Jibo is a line in the sand. We've got to kind of, we've got to make a decision here. Are we happy with this or not?
GRAHAM CLULEY. What we need is a march. What we need is a parade of Jibos twerking their way to Trafalgar Square demanding that they be put back online.
GEOFF WHITE. Yeah, to the High Court. What do you want, Jibo? When do you want it? At some stage in the future.
GRAHAM CLULEY. From my understanding, they will still be able to twerk and tell jokes and purr and laugh and all those important things. But anything which required internet access, like telling the weather report or offering you a word for the day or looking up stuff on the Bing search engine that it used, that's all going to be disabled. You're not gonna be able to do that anymore. And I think you're right, Geoff. I think you're right. There's lots of IoT gadgets out there which are reliant on external services. And you're sort of in the lap of the gods as to whether they ever get turned off or not. This company appears to basically be going kaput. Its intellectual property has been bought. So someone may be able to adapt it and sell it on to others, who knows, in the future.
CAROLE THERIAULT. Yeah, but that's not what you purchased it for. It wasn't your understanding at the time. And there's no recourse. Basically, Geoff, they've gone bust. And therefore, like any store, all the support and consumer service is gone.
GEOFF WHITE. But it's interesting in that normally I buy a product, I take it home. If the store closes, I'm not bothered because I've got the product. If what you're saying is the product is an ongoing product that's continually supplied to me after a one-off payment, well, then you can't withdraw the continuous supply because that's what I paid for. But I don't know. It's interesting. I don't think this is covered by law, is it?
CAROLE THERIAULT. IoT 101, yeah.
GEOFF WHITE. Yeah, I've just got this lovely image of, you know, a line of Jibos, you know, making their way through the snow back to home, back to the home base, you know, like, go home, Jibo, go home.
GRAHAM CLULEY. Crying.
GEOFF WHITE. They're all sobbing, twerking occasionally really miserably.
CAROLE THERIAULT. They're twerking miserably.
GEOFF WHITE. Twerking miserably as they sob their way back to Jibo HQ.
GRAHAM CLULEY. But it's true though, isn't it? I mean, you buy a product, but you're not actually owning all of it, are you? Because some of it is out of your control. And someone else can pull the plug on that bit. And the impact— we saw this thing with the Nike Adapt BB trainers. We spoke about them a couple of episodes ago, predicting that they might cause problems. Sure enough, right after we published the episode, there was an update pushed out which bricked the trainers so people couldn't unlace their trainers any longer. But the other thought which came to me the other day was these trainers were costing $350, which is about a third of a Jibo, isn't it? But they're still trainers, you know, they're still shoes, which means they're going to wear out in a year to 18 months. And you'll have to spend another $350 in order to have self-lacing trainers. Whenever you buy an IoT gadget, you're not just buying the gadget itself, you're buying into its infrastructure. And if the company goes kaput, like Jibo appears to have done, or the servers are turned off, your gadget isn't going to behave the same anymore, or at all.
CAROLE THERIAULT. I'm actually talking about IoT gadget too, so we can do a twofer on the advice at the end of my section, if you like.
GRAHAM CLULEY. Twofer, what do you like, twofer?
CAROLE THERIAULT. Well, you'll see I'm getting cool on my lingo.
GRAHAM CLULEY. As well as being nice, you're now being cool with your lingo as well. Yeah. Wow, it's all changed.
CAROLE THERIAULT. I'm lying on my story. But first—
GRAHAM CLULEY. Yes, Geoff, what's your story for us this week?
GEOFF WHITE. Well, I was going to talk about not IoT stuff, but app stuff, and particularly an app that's been making news recently, which is a Saudi Arabian app called Absher. It's interesting. What this app does is what I think a lot of governments are getting quite interested in, which is whereby citizens can sort of interact with their government digitally. And I do see the win there as a broad trend, you know, not having to queue at post offices for driver's licenses and that kind of thing. A lot of our interactions, you know, with the state can now be carried out.
CAROLE THERIAULT. India has made a lot of headway in this area, hasn't it?
GEOFF WHITE. With mixed success. You're talking about the Aadhaar card, the Aadhaar system. Yes, which I think is an instructional lesson to any government thinking of introducing any kind of digital identity or ID card, because there have been many, many instances where that's gone wrong. I mean, brave effort to try that in a country as populous and complicated as India. That really was one to watch. But Saudi Arabia's gone a slightly different route, has looked at this app, and what citizens, as I say, can interact with it, can do various government sort of interactions. And one of the things they can do is talk about renewing driver's licenses and also travel documentation, travel permits and so on. And this is where it gets slightly difficult because in Saudi Arabia, under the country's rules, women, before they travel, need to get, it seems, a guardian, either husband or father, a male figure, to sanction and to permit that travel movement.
GRAHAM CLULEY. Grief.
CAROLE THERIAULT. Yeah, but now they can drive. I think it was last year, the year before, they were okay, you can drive a car.
GRAHAM CLULEY. I think they're only allowed to drive if they have a Jibo in the passenger seat next to them, or a man.
GEOFF WHITE. Drive me home. Yeah, I'm broken now. Yes, so there have been changes across the Middle East in terms of that. You're right. But, but the actual travel outside of borders and getting on a plane, flying out of Saudi Arabia, still needs to be sanctioned, it seems, under current rules. Now what this app does is give the person who owns the app the ability to permit or deny that travel almost instantaneously, and, it seems, get text messages, SMS messages, when the person attempts to travel.
GRAHAM CLULEY. My goodness.
GEOFF WHITE. Yes, so it is sort of a kind of remote control operation of that. What I find interesting about this is, and there is some difference of opinion on this, so for some people they say, well, actually this is good because this rule does exist and this app speeds it up, so no longer do you have to, you know, go to your husband, go with your husband to the airport or the visa place or whatever, he can just sanction your travel immediately on the app. So I get that line of argument slightly. What I find interesting about this is this rule in Saudi Arabia existed way before this app. This is not a new rule that's been introduced with the app. What I find interesting is the app's one of these examples where technology just highlights, brings something to the surface which is already there, but the technology just kicks it on and puts the fast forward on it to the point where suddenly everybody thinks, oh, actually, yes, that is quite a concerning rule. So this is the case with the app. There is also now an ongoing row about whether this app breaches the terms and conditions for Google Play Store and for Apple's App Store. It seems there was a conversation between Google and the US representative, political representative, during which Google said, well, no, we don't think it breaches our rules. There's some doubt over whether that's Google's official position. And the question is, well, this is the laws of the land. This is the laws of Saudi Arabia. You know, if all the app is doing is allowing people to use those rules as they're written, does that breach the terms and conditions? Under what terms would you do it? So I find it's an interesting gnarly one, this gnarly thorn of, nest of thorns or whatever you call it.
CAROLE THERIAULT. It brings to mind China's social credit system. They've banned millions and millions, but this is for domestic travel, right? You know, it's almost a punishment for bad behavior.
GEOFF WHITE. It's interesting. I think as governments move into this space, I mean, in the UK, obviously, we are nowhere near what's happening in China and Saudi Arabia.
GRAHAM CLULEY. Oh, give it a few months, Geoff.
GEOFF WHITE. Come on.
GRAHAM CLULEY. So if there's one or two cameras around.
GEOFF WHITE. Yeah, yeah, there might be, being increasingly equipped with facial recognition. I mean, I know that, you know, Government Digital Services, which sits at the heart of British government, is trying to bring everything together. And again, I do see the logic of that. We've had instances, haven't we, where social services know about somebody but the health service didn't know about them and the police didn't know about— you know, linking bits of government up and making it easier. Yes.
CAROLE THERIAULT. Yeah.
GEOFF WHITE. The danger is that just allows government a lot more oversight, a lot more insight, and potentially control over what you do as a citizen. And I think, you know, we can look places like, as you say, India, China, but also Saudi Arabia to see the ramifications this kind of tech can have.
CAROLE THERIAULT. And it comes down to trust, doesn't it? And government trust and, you know, trust in your government in order to decide whether it's a good thing or not a good thing. But as governments change fairly regularly, it's a difficult thing to set a precedent on for the rest of time.
GEOFF WHITE. Ages ago, I interviewed the wonderful Sir Tim Berners-Lee, wonderful man, a very difficult interview. It has to be said, his mind is in about 15 different places at once. And if you're lucky, you'll keep up with 7 of them.
CAROLE THERIAULT. But he said—
GEOFF WHITE. He made an interesting point. He said, look, he said, in the UK, we trust governments and distrust corporations. In the US, they trust corporations and distrust governments. What worries me about things like Absher is we're now in a situation where no matter who you distrust, they're involved— governments and tech companies coming together. And I do find that an interesting space, interesting territory.
GRAHAM CLULEY. And what do you think is the right position for the likes of Google and Apple, who are obviously providing these apps through the app stores? I mean, traditionally, their attitude has been Well, your app has to follow the rules and the laws and the legislation of the country in which it's been distributed. This is putting them potentially in hot water as well. You can imagine many people being upset about this kind of app being allowed or some of the things which could appear in other countries around the world. Is that them just being pragmatic or should they take more of a stance, say, actually, we don't really like the way you're treating women in your country?
GEOFF WHITE. Well, it's tricky, isn't it? And it's a slight replay of the trouble Google got into over China and still has been over China. If you want a global service, if you want to be available globally, which obviously people like Google do, you've got to, as you say, take account of the local laws. But if the local laws are deeply undemocratic or anti-democratic, or if you're put under pressure as a company to go against your values, I mean, in China, Google's solution, certainly for a long time, has been just not to go there, not to get involved. Well, yeah, yeah, subject to recent headlines. But, um, what's interesting in this case is this is a particular app in a particular country. I mean, for an entire country like China, for an entire service like Google, just to go, no, we don't go there, it's not an easy decision to make. But once you've made it, it's blanket: Google, China, no. But if you go around and say, okay, it's Saudi Arabia, we don't do this app. Okay, Brazil, do we do this app? Do we do that app? You have to start making really piecemeal decisions. I think that's where it gets difficult. And Google don't want to go there legally. We've seen this in the past. Google don't want to get involved in these individual country disputes legally.
GRAHAM CLULEY. Fascinating.
CAROLE THERIAULT. That's a big one to chew on for a little podcast like ours.
GEOFF WHITE. But I like to throw raw meat your way.
CAROLE THERIAULT. Roar!
GEOFF WHITE. You can stodge it down, chew on it as you will.
GRAHAM CLULEY. Well, Kroll, let's munch on some more of your gristle right now.
CAROLE THERIAULT. Good God.
GRAHAM CLULEY. What have you got for us?
CAROLE THERIAULT. So downhill skiing, that's what I want to talk about today. Now downhill skiing has come a long way since my day of hitting the slopes every winter weekend. First, there's the language or lingo. Now I'm going to test you guys out. So I want you to translate the skier lingo into English.
GEOFF WHITE. Okay. Okay.
CAROLE THERIAULT. Watch out for those death cookies near the magic carpet.
GRAHAM CLULEY. This sounds like a script from a Cheech and Chong movie. Well, what is it? Death cookies near the magic carpet.
CAROLE THERIAULT. So watch out for the ice near the chairlift.
GEOFF WHITE. What?
CAROLE THERIAULT. Death cookies being crystals of ice, magic carpet being the chairlift.
GRAHAM CLULEY. Oh, right, okay, kind of makes sense.
CAROLE THERIAULT. Okay, or, whoa, I thought she was a ripper until I saw that yard sale. That means I thought she was a good skier until she tumbled over and lost her gear across the slope. So yeah, ski language has evolved.
GEOFF WHITE. You litter all of your stuff over like a yard sale. I like that one.
GRAHAM CLULEY. All these examples you've been giving us are very kind of gnarly surf dude. They're all kind of that. Isn't there another kind of skier who's like, oh yeah, absolutely bloody, bloody brilliant?
CAROLE THERIAULT. I don't think that's the kind of skier that's going to be buying the device I'm going to be introducing you to during this talk. Another thing that's upgraded is, of course, equipment. There's so much fancy equipment today. Like, you've got head-mounted cameras and ski airbags and smart boots and connected skis. And of course, you also have super cool headphones. We're talking about the Chips 2.0 helmet speakers.
GEOFF WHITE. I hate them already, and I hate everybody who has them.
GRAHAM CLULEY. You've lost me at ski airbags.
CAROLE THERIAULT. So Graham, that would be wonderful for you because you don't really like falling over, right? We've been skating before.
GRAHAM CLULEY. I don't mind falling over, it's just hitting things having fallen over I have a problem with.
CAROLE THERIAULT. Exactly, right. So you could have this ski airbag, and if you were on the slopes and you took a tumble, it would just go— and protect you like the Michelin Man.
GRAHAM CLULEY. Roll down the mountain.
CAROLE THERIAULT. It's like a little snowball.
GEOFF WHITE. I could do with that most Saturday nights, actually.
CAROLE THERIAULT. Now, Geoff, you were saying you hate this already. What I hate is the name because it's called The Chips. So in telling the story, it gets very difficult.
GRAHAM CLULEY. The Chips?
CAROLE THERIAULT. The Chips.
GRAHAM CLULEY. Oh, I'm offended.
CAROLE THERIAULT. The Chips are Bluetooth headphones that fit inside your brain bucket or lid or hat and helmet. Now, these do not resemble chips in the British sense of the word or in the North American sense. They kind of look like two Oreo cookies connected by a wet noodle.
GRAHAM CLULEY. Sorry, is noodle a term as well?
CAROLE THERIAULT. No, noodle is— here, I'm putting the link in here so you guys can take a quick look at these babies. Now, these babies cost around $130 American. There's like a rechargeable battery that gives you a full day of audio playtime. And quoting the blurb on the website, that way you can listen to that heat playlist while you carve the pow pow.
GEOFF WHITE. I hate these people.
CAROLE THERIAULT. It also has a mitten-friendly tap button, right, to answer phone calls so you can lock in that après reservation, quote unquote. I was really starting to realize I was not their target market in any way here.
ADVERT. Trevor, my man, it's Kyle. Jenna and I are on our way up to the slopes right now. I'll radio you on the Chips when we get up there. Hey, Dr. Macarena, this is Speed Demon. You copy? This is Dr. Macarena. I read you loud and clear, Speed Demon. Hey, how's it going on the mountain today? Have you been up to Chair 23? I heard it's pretty sweet. I've just been checking out the park, but I'll have to go check out the top right now. How about we take two more laps and meet at the bottom for beers? My treat. Sounds like a plan. Two quick laps and I'll see you on the sundeck. Dr. Macarena, over.
CAROLE THERIAULT. However, I want you to meet Alan Monie. Now, Alan loves snow sports as much as he loves his tunes, so he said it was a no-brainer to buy the Chips, or a pair of Chips, I don't know. He wrote, they fit into audio-equipped helmets and have these huge 40mm drivers. I'm not sure what that means, but he says warm ears and good bass. Now, one of the wicked cool features that sets the Chips apart is its built-in walkie-talkie. So this is like a little gizmo that gives you push-to-talk communication with your crew with limitless range. It boasts this on the website.
GRAHAM CLULEY. Limitless range.
CAROLE THERIAULT. Limitless.
GRAHAM CLULEY. So you're there at Zermatt, but you can speak to someone in Abu Dhabi.
GEOFF WHITE. Not a lot of skiing in Abu Dhabi though, I have to say.
GRAHAM CLULEY. No.
CAROLE THERIAULT. Well, I don't know, 'cause it's using the app. So I guess if you're registered, potentially, I don't know.
GRAHAM CLULEY. No. Oh, okay. Oh, all right. Okay.
CAROLE THERIAULT. All right. Okay. So this is all pretty sexy. Imagine the three of us hitting the moguls, and with a simple touch of the EarGram, you could ping Geoff and say, dude, you totally stomped that 180 to faceplant.
GEOFF WHITE. Yard sale.
CAROLE THERIAULT. No, according to that, it means landing a trick in a super cool fashion. So snow sport loving Alan is excited about his new purchase, the Chips, and he wants to start playing around with the short-range walkie-talkie feature on his new Chips. So he starts setting it up, you know, his new ski group, and he discovers the Chips have a glaring problem. As Alan sets up the group, he notices that he can see all Chips users, like all of them. He searches his own name, and lo and behold, he finds himself. It turns out that Alan was able to find out quite a bit of private info about all Chips users. Oh, I didn't mention this, but Alan actually works at Pen Test Partners, so actually knows how to look into these things.
GRAHAM CLULEY. So what kind of information were they storing? What details would they have about you?
CAROLE THERIAULT. So, you know, doing a bit of jiggery-pokery with the insecure direct object references, he was able to pull all the usernames and associated email addresses from the API.
GEOFF WHITE. Oh.
CAROLE THERIAULT. He retrieved their password hash and password reset code in plain text.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. He was able to view their phone number, extract users' real-time GPS positions, and even listen on private walkie-talkie chats.
GEOFF WHITE. Golly.
CAROLE THERIAULT. Now get this, it gets even worse. And I'm quoting Gareth Corfield from The Register here. When Alan queried the API with the letter A, intending to find his own name and add it to a user group he wanted to set up, the API returned 19,000 results. Every single registered user whose first name started with A. So Alan, being a pen tester and all, does the right thing and contacts Outdoor Tech, the makers of the stupidly named Chips.
GRAHAM CLULEY. Thank heavens for that. And so they were able to fix the problem promptly, resolve it? No.
CAROLE THERIAULT. Yeah, that's exactly what happened. Eh-eh. No, he got one response and then nothing. They waited 3 weeks and nothing, nothing, nothing. So this is when Alan and his pen test team decided they would just go public with the vulnerability in the Chips 2.0, saying, quote, "The vulnerability hadn't been acknowledged and no remediation actions had been proposed." So the danger of this is that anyone would be able to potentially access details of all of these people who purchased the—
GRAHAM CLULEY. I can't call them the chips, but anyway, this particular ski headphone things, right? But would you really, even if you did manage to get all their email addresses and things, would you even want to contact them? 'Cause they'd be all like, bros and bumps and I'm carving, man. It's all about the death cookies.
CAROLE THERIAULT. Drop it in the pow pow.
GRAHAM CLULEY. Why would anyone want to contact these people?
CAROLE THERIAULT. Well, that's a very, very good point. But I think it also goes— and same as your story, right? It goes to say that these devices can have a lot of bells and whistles, but at the same time, if they don't have security down, it's a bit of a nightmare. And I think there's a bigger moral of the story here, actually. What the heck are people doing listening to tunes as they barrel down steep, icy, snowing hills? Right.
GEOFF WHITE. Exactly.
CAROLE THERIAULT. Like, I skied for years. You would be crazy to do that. It's insane.
GEOFF WHITE. So it's also—
CAROLE THERIAULT. I mean, you know, that's not very nice of me.
GEOFF WHITE. I'm sorry, you're in a beautiful tranquil place having a lovely sport, and, and you're interrupting it with your tunes. I mean, that's the whole point of skiing, is the tranquility and the being out there and stuff. It's insane.
CAROLE THERIAULT. Yeah, I just think you're knitting with one needle when it comes to assessing risk if you're doing that. That's basically it.
GRAHAM CLULEY. Yeah, it's dangerous, isn't it, going off a mountain?
CAROLE THERIAULT. Yeah, knitting with one needle as well. Well, you should try it.
GRAHAM CLULEY. Not while... The other thing is, it's just depressing, isn't it?
GEOFF WHITE. You know, as a company, you get contacted. There's a really cynical equation that goes on there, isn't there? Of like, hmm, we could do something about this. It's clearly, you know, a problem. But we genuinely don't think our users give enough of a toss to actually care about this. Yeah.
CAROLE THERIAULT. What blows my mind is these guys are pen testers. So they call up, they must have identified themselves. We are pen testers. We saw this flaw. We think you need to fix it before we go, you know, we go out to the public. And they reply once and then nothing. Now, I don't know what that reply said. Who knows if they told them, "No, we don't." I don't know. Maybe they were disputing it. But at the same time, like, guys, if you've got a problem, don't do that. It's just gonna blow up in their face.
GRAHAM CLULEY. Maybe there's a more innocent explanation. I mean, if their app and if their IoT device is so rubbishly put together, maybe they've also not configured their email system properly. Maybe they're not actually ever expecting anybody to send them an email about some technical query. And so it's all ending up in the junk folder or in dev null.
CAROLE THERIAULT. Well, okay, that's possible, but still, duh, don't make devices and sell them to the public. Yeah.
GEOFF WHITE. Whoa, dude, we got an email. Dude, gnarly. That kind of thing. Whoa, Geoff.
GRAHAM CLULEY. I thought it was Carole who said that. They've got very similar voices.
GEOFF WHITE. Oh, wow. I thought we were all going to be nice on this.
GRAHAM CLULEY. I made no promises.
CAROLE THERIAULT. Stay nice, Carole.
GRAHAM CLULEY. I'm trying to challenge her. I'm smiling.
GEOFF WHITE. The ice, Graham, is getting thinner. I don't know if you've noticed the cookies. The cookies are getting thinner.
CAROLE THERIAULT. Ski this way, Graham.
GRAHAM CLULEY. If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/book. smashingsecurity.com/intelligence.
CAROLE THERIAULT. Quote: Most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GEOFF WHITE. Pick of the Week.
GRAHAM CLULEY. Thank you, Carole. Uh, Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Shouldn't be.
GRAHAM CLULEY. Well, my pick of the week this week is not security-related.
CAROLE THERIAULT. Exquisite.
GRAHAM CLULEY. Necessarily or otherwise. There is a TV program which has come back to our screens here in Great Britain, and possibly you can use cheeky methods to access it yourself via iPlayer. Who knows? It is the return this week of one of my favorite TV programs, Fleabag. Fleabag. Oh, it's come back. Series 2. It is back.
CAROLE THERIAULT. Well, my evening's set up.
GRAHAM CLULEY. Fleabag, if you haven't already seen it, check out Series 1 so that you're probably prepared for the brand new series. It's a comedy, dark, dark comedy.
CAROLE THERIAULT. I don't know why you led with comedy. It's wonderful, but dark, dark.
GRAHAM CLULEY. Oh, it makes me laugh. It's glorious. It's wonderful. It stars a talented actress called Phoebe Waller-Bridge, who also writes it, Olivia Colman, who's just won the Oscar for something or other, and Bill Paterson, who is a regular Scottish actor who appears in all kinds of things. And this year they've been joined by Andrew Scott, who you may remember was Moriarty in Sherlock Holmes.
CAROLE THERIAULT. He was quite good at it.
GRAHAM CLULEY. Yes, he was wonderful. And so... Anyway, Andrew Scott is now a Catholic priest who I can only imagine Fleabag is going to end up shagging.
CAROLE THERIAULT. Now, what's the name of the star? What's the name of the star, the girl star again?
GRAHAM CLULEY. Phoebe Waller-Bridge.
CAROLE THERIAULT. So I have a really good friend who is the spitting image of her. Really, really? You know her? You've met her?
GRAHAM CLULEY. I do know her. Yes, she does look a bit like her.
CAROLE THERIAULT. Yes. It's shocking sometimes how much she looks like her.
GRAHAM CLULEY. Yeah, very true. Very true.
CAROLE THERIAULT. There you go.
GRAHAM CLULEY. Anyway, it's exquisite. It's not for everyone. It's not for kids.
CAROLE THERIAULT. It's dark.
GRAHAM CLULEY. It's very dark.
CAROLE THERIAULT. Very dark.
GRAHAM CLULEY. Very funny.
CAROLE THERIAULT. Watch it though.
GRAHAM CLULEY. So Fleabag is my pick of the week, and I will put a link in the show notes as well.
CAROLE THERIAULT. What a wonderful pick of the week, Graham.
GRAHAM CLULEY. Geoff, what is your pick of the week?
GEOFF WHITE. I'm going to go for a book that I've been reading, because when you try and write a book, you try and read other people's books to find out what they did wrong.
CAROLE THERIAULT. Cut and paste? Cut and paste, Geoff?
GEOFF WHITE. No, no, no.
GRAHAM CLULEY. Like Jill Abramson, didn't she? She was being called out in the last month or so.
GEOFF WHITE. But it's interesting, obviously I am intensely aware now of like plagiarism cases and I follow them quite—
CAROLE THERIAULT. What exactly made them realize it was plagiarism?
GEOFF WHITE. How much money did they lose? So it's interesting. I look, I can't guarantee that everything in my book will be original thoughts that you've never heard before, you know, that are like, oh my God, Oh my God. But there are moments where you just look, well, hang on, you've taken paragraphs of somebody else's stuff and literally reproduced it. It's one thing saying, well, actually, you kind of ripped off my idea there. It's another thing saying you've taken the words I put in my book and you've used them in your book. I'm pretty sure I won't be falling into that trap.
GRAHAM CLULEY. I once got approached, sorry to distract you. I once got approached by a guy who claimed that I had stolen his idea of people should use different passwords for different websites. And he claimed that he had originated this idea and that I shouldn't be telling people in the press to do the same thing. Yeah. Yes.
GEOFF WHITE. But anyway, so I've been reading different books and one of the books I've been reading recently, which I think is really interesting and I really like, is called Moneyland. It's by a guy called Oliver. I think the surname is pronounced Bullough or Bullough. I'm not sure. B-U-L-L-O-U-G-H. It is about the international money system and finance system. So basically, if you are mega rich, how do you— how do you steal your money? How do you hide your money? How do you transfer your money? And then how do you spend your money?
CAROLE THERIAULT. And so you just ask Trump.
GRAHAM CLULEY. More specifically, you ask his legal counsel.
CAROLE THERIAULT. Oh yes, yeah, I know where he is right now.
GEOFF WHITE. Um, but no, so what's interesting about this is not that I feel a huge amount of sympathy for the filthy rich, but it is an interesting—
CAROLE THERIAULT. it—
GEOFF WHITE. there's a lot of work involved in making these things happen, you avoiding tax and so on. And spending it, you've got to spend— you can't put these banknotes under the sofa, you've got to spend it. So that the, the work and the effort involved with spending it becomes a whole industry in itself. It is fascinating, this book.
CAROLE THERIAULT. You know, we— I was just talking about this with a friend yesterday. I was talking about, you know, how when you're young you think the rich just kind of swan around having a life of leisure, right? I did. And then you're thinking like the richest people, like Jeff Bezos. I don't think— I'm sure he probably gets up at 5 AM every day. Like, I don't want to be him.
GEOFF WHITE. He had, he had a certain number of extracurricular activities that he was recently, recently getting involved in. How— I mean, this is the thing, I'm just impressed by, um, I mean, you know, just having time to do the ironing and empty the dishwasher, let alone having an affair, and you run one of the world's richest companies. How have you had time to—
CAROLE THERIAULT. how did you iron your shirt?
GRAHAM CLULEY. Exactly.
GEOFF WHITE. Exactly. Crisp shirts and an affair.
CAROLE THERIAULT. You have— you hire someone.
GEOFF WHITE. Yes, true, true.
CAROLE THERIAULT. Maybe he hired someone to have the affair for him too.
GEOFF WHITE. But no, Moneyland is interesting. What's interesting is there's this analogy in the beginning which I love, which is you look at the world and its countries, right? On the globe, the countries are marked out, right?
CAROLE THERIAULT. Okay.
GEOFF WHITE. Imagine you just get like white spirit and you wash off all of that, and you have a smooth planet where you can literally pick the legal jurisdiction of one country, and you can pick the tax system of another country, and you can pick the banking system from where the countries no longer exist. There's this smooth globe where none of it exists. Borders don't exist. That analogy, I think, is really interesting. Anyway, it's a fantastic book. I'm really enjoying it.
GRAHAM CLULEY. Cool.
CAROLE THERIAULT. I might check that out.
GEOFF WHITE. That sounds— Moneyland, it's called.
GRAHAM CLULEY. Okay. Fantastic. Thank you very much, Geoff. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay. I have a question for you. What is the one human condition that doesn't impact the person that has the condition, but everyone around him or her?
GRAHAM CLULEY. Oh, everyone?
CAROLE THERIAULT. Well, depending on how close you are to them, yeah. Maybe up to 10 meters in some cases, maybe 50.
GRAHAM CLULEY. Is it gonna be body odor or something?
CAROLE THERIAULT. Oh, that's a good one.
GRAHAM CLULEY. Something like that?
CAROLE THERIAULT. It's snoring.
GEOFF WHITE. Oh, right.
GRAHAM CLULEY. Right?
CAROLE THERIAULT. Now, have any of you, before I start, either of you been accused of snoring?
GEOFF WHITE. No, I'm not a snorer.
GRAHAM CLULEY. Well, I tend to— every time I've been accused of it, it's actually been by someone who snores themselves, who are trying to deflect the blame for the snoring.
CAROLE THERIAULT. I would argue that being accused of snoring is nothing compared to the sheer hell of sleeping next to a snorer every single night, especially if they have sleep apnea. So no names, but someone in our household is a champion apnea-riddled snorer.
GRAHAM CLULEY. Like, is it your cat?
CAROLE THERIAULT. Could be. No name. Like, he— I'm sorry, or she could win Olympic medals at snoring. Okay, I almost gave it away there. There has been a desperate attempt in our household to nail down a solution. There are widgets you stick into your nostrils, specialist pillows, tape to paste on the bridge of your nose, liquids you squirt in your throat. And in our home, these have failed.
GEOFF WHITE. Have you tried sewing it up? But have you— there's the whole thing about sewing ping pong balls into the back of your pyjamas.
CAROLE THERIAULT. Oh yeah. Oh yeah.
GRAHAM CLULEY. That's just so they don't—
GEOFF WHITE. You'll never sleep.
GRAHAM CLULEY. Isn't that the reason? Have you tried booking them into a hotel on the other side of town? Guys, guys, guys.
CAROLE THERIAULT. I've solved the problem. Years passed and countless attempts failed. But the last one did not. The last one succeeded. And I'm going to share with you today. —my pick of the week. You ready? Drum roll, please. I can hear it.
GRAHAM CLULEY. It is— Exciting.
CAROLE THERIAULT. Yes. The didgeridoo.
GRAHAM CLULEY. Is that a euphemism?
GEOFF WHITE. Nope.
GRAHAM CLULEY. A literal didgeridoo.
CAROLE THERIAULT. Now, didgeridoo, for those who don't know, is like a super long wooden tube used in Australia as part of their mating rituals or something.
GRAHAM CLULEY. Australians have mating rituals? I don't think so. I wouldn't let that get in the way.
CAROLE THERIAULT. It's a musical instrument, okay? And it sounds a bit like this, okay? It's not for everyone, but take a listen. Anyway, those dulcet tones you just heard— to make those dulcet tones, you need to master circular breathing. And that, my friends, builds muscles and stresses out your jaw muscles in a way that certainly in my household has magically magicked the snoring away. No way, really? Seriously, no joke. Now it's the circular breathing. You actually could probably get away without buying the didgeridoo, but I suggest you get maybe a mini one, a short one, just to try. A semi-dooby-doo. So you have to learn how to do the circular breathing. It's really useful to do with the didgeridoo, and then you can do it without the instrument at all. So it can be a beautiful decorative object in your house. Choose one you like.
GEOFF WHITE. Because I was saying, what you've done though is you've obviously got rid of the sound of awful snoring, but you've substituted it with the sound of a different instrument.
GRAHAM CLULEY. Well, exactly. Is that an improvement? That's what I'm thinking. You've improved sleep inside your house, but what about your neighbours? As someone who's learning how to play the didgeridoo. Okay, I understand.
CAROLE THERIAULT. I did spot that irony as well. However, the actual instrument was only used for about a week or so. Because that person figured out how it all works to do the circular breathing, they can practice without having the confirmation of the noise. So you only basically use it— get one, share it around the snoring neighborhood.
GRAHAM CLULEY. You know, on YouTube, some of the world's most popular videos involve cats doing unusual things. If you take a video of your cat on the didgeridoo, playing it, if it's really got that good now that it doesn't snore, I think you're on to a winner. Monetize that video, you're away. Did you emu? And on that bombshell, on that comedic bombshell, it's about time to wrap up the show. Geoff, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
GEOFF WHITE. Twitter. I am @geoffwhite247. Geoff with a G, remember? Geoff White 247. Yeah, not J. Geoff White 247 on Twitter.
GRAHAM CLULEY. And you can follow us on Twitter at Smashing Security, no G. Twitter wouldn't allow us to have a G. And we're on Reddit as well. Well, you can carry on the discussion, things you've heard about on the show, on Reddit. Just go to smashingsecurity.com/reddit to find our area up there.
CAROLE THERIAULT. And hat tip to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And high fives to all of you for listening, you crazy cats. Want to spread the love? Give us a smashing review or get a friend to subscribe. Subscribe. It all helps us grow. Check out smashingsecurity.com for past episodes and for details on how to get in touch with us.
GRAHAM CLULEY. Fantastic. And until next time, cheerio. Bye-bye. Bye. Later, dudes.
CAROLE THERIAULT. Gnarly.
GRAHAM CLULEY. And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Geoff?
GEOFF WHITE. Oh, is it me? Right. What? I'm used to having a cue, somebody in my ear saying, part of the show that we like to call Pick of the Week.
GRAHAM CLULEY. Pick of the Week.
GEOFF WHITE. Oh, I see. Right. Okay. Hang on. Should we do that again then?
GRAHAM CLULEY. Right. Right. Part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Thank you, Carole. Pick of the Week.