
144: Google helps the FBI, Twitter Jack’s hijack, and car data woes


Should Google really be helping the FBI with a bank robbery? What's the story behind the Twitter CEO claiming there's a bomb in their offices? And how much does your car really know about you?

And we mourn the loss of Doctor Who legend Terrance Dicks...

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

Visit https://www.smashingsecurity.com/144 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Geoff White.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. The other one jumped out over the counter, pulled a handgun out of a plastic bag, and told the tellers to fill it with money. Why was the gun in a plastic bag? Because you don't walk around town, Carole, all around the shopping mall with a gun out.

Yeah, but normally don't people put them in their trousers? Not even in America. What, do people walk around with, like, Sainsbury's bags?

Well, I... with guns in them. Depends on your district, Carole. Around here we have Waitrose. This isn't just a handgun, this is a Duchy Originals handgun.

Hello, hello, and welcome to Smashing Security, episode 144. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault. We are joined this week by cybercrime journalist and podcaster Geoff White. Hello. Dare I say friend.


GEOFF WHITE. Well, you've said it now and you've done it unilaterally. There we are. I'm going to look the smaller man, aren't I, if I say no?


CAROLE. Now, it's wonderful that you're with us because you're working on all sorts of things at the moment, aren't you, Geoff?


GEOFF. Well, yes, I am to my cost. So I've just finished the first, actually the second draft I'm in the middle of, with my book on cybercrime, which is going to be coming out next year, next spring.

Yes, I've had a tiny sneaky peek and it's good, listeners. It's good. Actually, you've got an exclusive on your hands here because I can exclusively reveal the title. Oh, yes, please. Oh, God. Which so far I haven't done because I wasn't sure what it was going to be.

Can we have a little fanfare, first of all? Can we do a little...


CAROLE. We can do that with audio magic, Graham. Yeah, okay.


GEOFF. Well, yeah, please replace that with an actual fanfare. Not that I'm demanding or anything, but... So the book is going to be called crime.com.

That's a great name. It's good, isn't it? Crime.com. Snappy, I thought. Snappy. Memorable?


GRAHAM. I have to ask an obvious question, Geoff. Yes. Have you registered the domain?


GEOFF. No, because some other bugger's had it for 15 years and has done nothing with it. Why don't you register crime.com.com?

They've also got that. I have been down this route. I'm sorry, Geoff. Crime.com.com.com. dot com dot com dot com. I have tried every permutation. I'm like, could I put the dot at the beginning and have com dot com? No, I've tried them all.

I don't have the website. Is that a reason not to? Should I change it? It's not too late.

I think it's a good name. Yeah, no, no. Stick with it.

What I do need, though, is I need the subtitle. So they've all got it. I don't know why, but all books now have to be crime dot com slash, you know, yes, the whole thing right here. Read it now, you know, the secrets to the and I can't.

GRAHAM. One man's fearless journey into the underbelly of cybercrime. I like that. That's pretty good, actually. Because it is. It's about your investigations, right?


CAROLE. Pissing on the lamppost of cybercrime.


GEOFF. Both excellent suggestions. And forgive me if I don't take either of them off. OK.


GRAHAM. Perfect. Carole, what have we got coming up this week on the show?


CAROLE. Hands up for this week's sponsors, LastPass and Detectify. Their support helps us give you this show for free.

On today's show, Graham tells us how Google helped the FBI with a bank robbery. Well, investigating the bank robbery, I'm assuming, not executing it. Geoff gives us the inside scoop on the hack targeting Twitter CEO Jack Dorsey. And if you have ever driven a smart car, you may want to hear what I've found out.

All this and more coming up on this killer episode of Smashing Security.


GRAHAM. Excellent. Now, fellows, fellows. By the way, it's been pointed out to me that I have been opening my section of the show by saying chaps. And I don't want to point any fingers as to who pointed it out to me. That may not be completely accurate gender-wise.


CAROLE. I think a number of people pointed it out to you.


GRAHAM. Yes, a number of people. Someone got in touch. A listener got in touch about it and also a co-host. Ironically, yeah.


CAROLE. Ironically, a listener who got in touch with Graham about this, not even 48 hours before, after 143 episodes, I decided to go, why, every time...


GRAHAM. Anyway, so thank you very much. So, fellows, fellows, I've got a question for you. Where were you on Saturday the 13th of October 2018?


GEOFF. Oh, no idea. I don't know.


GRAHAM. Okay, let me narrow it down a little.


GEOFF. Not anywhere near the story you're about to tell.


GRAHAM. Do you own a light green zip-up hooded jacket, Geoff? I do. Oh, God, where's this going? Interesting. No alibi, white clothes. Carole, have you got blue jeans, black shoes? Yep. Sunglasses, gloves? Yep. Do you own a hoodie? Wearing one right now. Are you between 38 and 48 years of age? Steady. Are you 5'6" to 5'8" tall, unshaven? At the moment, maybe. With a stocky build? No, that's definitely not me. The reason why I'm asking is that the FBI are trying to identify a couple of chaps who walked into the Great Midwest Bank in Hartland, Wisconsin. It was at two minutes after nine in the morning. They were the first customers of the day inside the bank.


CAROLE. Sheila still talking to Barbara about her weekend.


GRAHAM. And while one man distracted the tellers behind the counter, the other one jumped over the counter, pulled a handgun out of a plastic bag and told the tellers to fill it with money.

Why was the gun in a plastic bag? Because you don't walk around town, Carole, around the shopping mall with a gun out.


CAROLE. Don't people put them in their trousers?


GRAHAM. Not even in America.


CAROLE. What, do people walk around with Sainsbury's bags? With guns in them.


GRAHAM. Well, I don't know. It depends on your district, Carole. Around here we have Waitrose.

This isn't just a handgun, this is a Duchy Originals handgun. It's an organic handgun.

Anyway, they left the bank with a tub of hummus. No, no, no, they left the bank just seven minutes later, carrying a bag full of cash, three drawers from the vault and the teller station and the keys to the bank vault itself.

And, of course, the police investigated. And the bank had security cameras. But despite the footage being shared with local media, no leads have emerged in all the months since.

And they even had an eyewitness account. So this bank is part of a sort of mall or whatever they call them in America. You know, a whole bunch of stores around a great big car park.

And there was a shopping plaza, if you like. And there was an eyewitness account of a worker at a nearby store just a couple of doors down, who the previous day had had a strange interaction with a man who had walked into the design exchange store in the same mall.

Design exchange store? Carrying his Waitrose bag.

He walked into design exchange and he seemed confused. It's like, oh, where am I? He seemed puzzled as to why it was full of home decoration products rather than being a bank. And then he scarpered when someone approached him asking if he needed any help.

So one theory is that maybe he thought he was going to the bank to stake it out. And in fact, he walked into the wrong store.

Whoa, whoa, whoa, what's going on here? What's going on? Why am I in a Pottery Barn?


CAROLE. I hate to be, you know, intellectually snobbish here, but that makes me question his intellect. If he walked into a design exchange store and went, why is this not a bank? Before he actually walked in. Surely the big sign on the outside would have told them, and the lamps, the pictures of lamps and clocks and whatever else is in the front of the store.


GRAHAM. Look, mistakes can happen to anyone.


GEOFF. People do walk in through the wrong door sometimes. And also, you know, I pine for the days when banks were all mahogany and intimidation.

Now you go in, they do look a bit like IKEA, don't they? There's bleached wood and there's no counter. There's someone greeting you. Hi, Geoff. How's it going?

Yeah, you know, what can we do for you? And it's like, I'd like a latte. You know, I don't blame him.

I could walk into a Home Depot, whatever, and start depositing my cash into an antique drawer or something, thinking it was a... Anyway, yeah. So, yeah, I'm with him so far.


GRAHAM. So the cops' investigation is going nowhere, right? They haven't really worked out who these two guys are.

So the cops used a rather inventive method to try and locate the suspected robbers. Now, worldwide, Android has around 85% of the smartphone market. And if you think about it...


GEOFF. Seriously?


GRAHAM. Yeah, 85%.


GEOFF. Incredible.


GRAHAM. If you just look at the States, Android has about 60% share, but worldwide, 85%. So if you think that many, many people, particularly of robbing bank sort of age, probably carry a phone around with them. And many people will not have changed their standard Google settings.

And so they will have enabled or left enabled Google location services. And Google location services is basically fairly regularly polling your device, keeping track of where you are in the world, so that you can share that information with your buddies if you wish to, right? As well as being able to use it for other purposes as well.

So what the cops think is if we can serve Google with a search warrant, we can ask for data that would identify any Android user who's been sending that data within a 100-foot radius of the bank during the 30-minute window when the robbery took place. And they're thinking, there's a chance we might identify either these guys or people who will have seen them?


CAROLE. I don't know if I like this.


GEOFF. The word dragnet is coming up in my thoughts.


CAROLE. Yeah, just my issue here is you've got all these people who have nothing to do with the robbery, whose information are being handed over to Wisconsin police.


GRAHAM. And the extraordinary thing is, at least I found it extraordinary, is this is apparently completely and utterly legal for the police to do. Now, police would have to come up with some really convincing evidence if they had a suspect in mind.

So if they had a person of interest and they thought we need to investigate them and we need to go to a judge or whatever, you'd have to put together some fairly compelling evidence to say, this is why we need to do a search warrant on this particular individual and grab their data from the technology company. But if they do a rather wider dragnet, as Geoff calls it, of anybody who happened to be within that radius in that 30-minute time period, then they're pretty much given free rein to do it.

And this kind of warrant is called a reverse location search warrant, and it's been done by law enforcement agencies around the world, particularly in America. And it's not just in relation to this particular bank robbery.

Last month, it was used to identify members of a group called The Proud Boys, a group of right-wing extremists, and some of them are alleged to have beaten up some lefty protesters at a rally in the Upper East Side of Manhattan recently.


GEOFF. So that's interesting. So, saying dragnet, is there an analogy here with CCTV, where if the bank, well, the bank had CCTV, the police would just grab the tapes and then go through it and see everybody's face who walked in and out. Is that the analogy, that they're just simply grabbing the phone details of every phone that walked in and out?


GRAHAM. I guess that is the kind of precedent which has been set. But of course, with the information from a mobile phone, that's much more identifiable, isn't it, than a blurry image of someone's face?


CAROLE. Exactly. You get their name, you probably get all their data, you get their IP address.


GRAHAM. I think it's probably still sharing your basic GPS information. And, you know, there is a legitimate purpose for that, which is if you want to share your location with your friends and family via Google services, then you've allowed them permission to look up where your phone currently is. Or indeed, if you've lost your device, that information is being stored by Google as to where your device is.


CAROLE. And I guess it's up to Google to decide who it shares it with. And it says we need a search warrant. They present one and they say, here's all the information on people nearby.


GRAHAM. There was another case as well, as well as these Trump lovers beating up people, there was another case where a man was arrested for murder based upon information Google supplied, only to be later released as it was found his Google account was actually associated with a variety of different smartphones and devices, one of which was in the ownership of his former stepfather. So they're having a whole series of these sort of cases. Now, you're probably wondering how successful the police were in identifying those responsible for this bank robbery.


CAROLE. Well, with Google's help, I imagine it'd be very easy.


GRAHAM. Well, it turns out that the police so far, at least, have not named or arrested anyone in connection with this robbery. So the investigation continues, which either suggests that these two bank robbers turned off their location history and location services. I'd like to think so.


CAROLE. Although they did walk into...


GRAHAM. Or might they have been iPhone users, which maybe is another way to defend yourself as well?


CAROLE. Well, if they're successful bank robbers, they probably can afford the latest iPhone tech.


GRAHAM. So does this not work on an iPhone then? Well, certainly there are services whereby you can share your location on iPhone as well. And I think they are enabled by default. I have to remember, I'm pretty sure that I had to turn off on my iPhone all kinds of location tracking things, some of which was being used by ad services, for instance. What I'm unclear about, maybe we can have listeners contact us if they know, is whether Apple itself has access to that information. Because quite often Apple will design these things so that they themselves don't have any information they can share with law enforcement on this to avoid this kind of uncomfortable people. Much to law enforcement's frustration. Yes, indeed.


CAROLE. So, Graham, are you advising that robbers now just leave their phones at home? Is that the whole point of this story?


GRAHAM. The good news, Carole, is that we've got no bad guys listening to our podcast. Everyone who listens to our podcast is a good person. Thank God for that. So I shouldn't say guy, should I? I should say fellows. Yeah, well. Geoff, what's your story for us this week?


GEOFF. I know it's a couple of days old at the time of recording, but I do want to talk about the Jack Dorsey Twitter hack. The Jack attack. The Jack hack. The Jack attack. The Jack hijack. Hijack, Jack. Hijack. I mean, it's useful that his name is also a sort of assonance type thing for various ways to describe it. So yes, this was Jack Dorsey's Twitter account and obviously Jack Dorsey being the boss of Twitter. His Twitter account was hijacked very briefly. I think it's about 20 minutes and a series of inflammatory tweets were sent out from his account. One of which talked about a bomb threat, I think it was at Twitter HQ. There were references to far-right stuff, bit of reference to Hitler, very salacious stuff. The account got closed down. They obviously sorted out the problem. There's no longer salacious tweets coming from Jack Dorsey's Twitter account. So on the surface of it, embarrassing obviously for the boss of Twitter to have his own account hijacked. And then there's a whole issue of, well, how did this happen? What's emerged afterwards is it seems Jack Dorsey's been the victim of the SIM swap, the classic SIM swap attack. Not an expert in those particular things, but as I understand it, if I'm a hacker and I want to take over your phone account, for example, I'll phone up, I'll find out who you're with, you know, 3 or BT or whoever you're with, you know, and I will phone them up and say, oh, I'm a customer of yours and I've got a new SIM card in my phone and I want to attach my number to this new SIM card. And obviously I'm the hacker doing it, so it's not my number at all, it's your number. Now the mobile phone company will then often try and establish, you know, are you the customer? So they'll ask for maybe a date of birth, mother's maiden name, address.


CAROLE. Anything available on LinkedIn.


GEOFF. Well, exactly, yeah. So that's the problem, basically. If I can grab enough information about you, I can phone up your mobile phone company and effectively hijack your mobile phone number. And your mobile phone number then becomes the number on my phone that I've got my SIM card in.

Now usefully with Twitter, they have a system where you can tweet using just a text message. So you can send a text to a particular number, and that text, if it's linked, if your phone's linked to your Twitter account, that text will become your tweet. You will have tweeted the text effectively. So it's a really handy way, on the face of it, to get tweets out.


GRAHAM. Well, you know, I at first thought, why on earth would someone want this kind of feature? Why would you want to send a tweet via SMS rather than using your smartphone app, for instance, to send a tweet, which is going to be a much easier process.

But then I thought about it as I was robbing a bank in Wisconsin a few months ago. I realized, well, I don't really want to carry a smartphone with me, do I? Because Google are going to be tracking. So I'll just take this old 1990s dumb phone with me. And then I can keep up to date on Twitter via SMS message.


GEOFF. I mean, there are some really good reasons, I think, for the SMS Twitter. Well, some good commercial reasons, as you say, if you don't have access to a smartphone. So in countries that are less economically developed around the world, there's less smartphone penetration. They can update by SMS.

And also, if you're not near Wi-Fi or if the Wi-Fi gets shut down, I know there were instances in which the government was trying to shut down Wi-Fi networks and so on. Being able to just text through a mobile phone mast was useful. So, you know, all good reasons.

The issue I've got with this is everybody's reporting, OK, Jack Dorsey's Twitter account hacked and so on. It does mean that for a period of at least 20 minutes, possibly more, hackers had access. Effectively, they had Jack Dorsey's phone in a way. They had his number under their control.

I mean, does that mean if anybody phoned Jack Dorsey during that period, the call went through to them? And if people sent text messages, did they get text messages and so on?

Isn't that the risk that if your number's hijacked, it's way beyond just being able to tweet from your phone. That person is then, they have your number and whatever's going on with your number, they have. So I'm interested as to how far it went and to what kind of access that gets.

But the other thing about this is Twitter sort of said, look, this wasn't a failing at our end. We believe this was a mobile phone operator failure, i.e. mobile phone company may have inadvertently allowed this SIM swap to happen.

I've spoken to young hackers in the past for whom SIM swapping is just stock in trade. It's what they do, blagging their way into a Twitter account, basically, or into a mobile phone account. So I was interested in this, you know, how much information would you need?

And usefully, perhaps not usefully, my partner lost her phone recently and has had to go through a very similar process. She's got a new handset, but an old SIM. So she wanted to go to, and I'm going to say the mobile phone provider because this is good for them, 3, the mobile phone provider.

She put the SIM in and said, right, you know, phone 3 and said, I want my old number from the phone that got stolen, got lost. I want that number now on this SIM. And 3 said, oh, you have come into the store. And by the way, we need your passport. We've got to photocopy your passport to prove it's you.

So clearly there are some mobile phone providers who are really checking a lot of detail before they're assigning your old number to a new SIM card.


CAROLE. Why do they need my passport? Why do they need a photocopy?


GEOFF. I'm sure Jack Dorsey actually would be the kind of person who would say, well, hang on, I wish they had checked passports because then I wouldn't have had my SIM hijacked. So there's lots of interesting fallout.

I don't know. Look, the whole thing about using your phone as two-factor authentication, I just have issues with it. So not letting the cat out of the bag, but this isn't the first time a partner's phone has gone. There was another phone lost in India. And she... She won't listen to this, will she? I hope not. I'm just—


CAROLE. I'm thinking of marriage relations right now.


GEOFF. I want to keep them nice. Oh, cool. Nobody listens to this.


GRAHAM. The secret of a happy relationship is you never get any loved ones to listen to your podcast.


GEOFF. Exactly. But no, so a phone got stolen in India. And of course it was used by my partner as a two-factor authentication thing for her Gmail. So from then on, no more access to Gmail.

So it just felt there was a single point of failure with this phone, and I think if you're using it as two-factor authentication you've just got to think, right, if I lose this, what actually happens? So I myself haven't gone down the whole mobile phone as two-factor authentication route for good or for ill, but those are my concerns with it and Jack Dorsey's hack seems to kind of exonerate my position.


GRAHAM. I... this whole SMS... A lot of people are quite down on the idea of two-factor authentication via SMS because of the danger of SIM swap and the thought that someone else will be able to break into your Gmail account or whatever account because they get the code texted to them. My feeling is it's better than no two-factor authentication at all. I would prefer if people had a hardware key or if they had an app authenticator, maybe on their smartphone or some other device, for their two-factor authentication. But if you don't have that for any reason, I would rather you had SMS-based two-factor authentication, even though it's not entirely secure. It's better than what most people are doing. But I think you're right to raise this alarm as to, well, what are you going to do when you lose your mobile phone? How are you going to handle that situation?


CAROLE. I've had that headache. Well, my phone broke rather than lost. But yeah, same issue. Right. Because that's my default place to do the multi-factor. And suddenly it was out of commission.


GEOFF. Yeah. I know it's controversial, as I say, but I just think that debate is opening up because people do need to think if your phone goes, what are you going to do?


GRAHAM. I also feel that Twitter isn't entirely, you know, maybe even Jack Dorsey himself is not entirely blameless about this because although I don't normally like to blame the victim. I mean, he is the boss of Twitter and he can change the way that Twitter works. And Twitter, by default, opens up this SMS gateway for people to use on your account. And my feeling is, well, why is that enabled by default? I would expect most Twitter users don't have a requirement for that.


CAROLE. And so it's functionality and ease of use over security, right? There's a constant battle.


GRAHAM. If there is this problem of mobile phone numbers being hijacked and then used to tweet without authorization, then why isn't there more of a safeguard? There should be a PIN which you have to add, a numeric PIN so that when you send an SMS, you have to add 551 or something to the end of the message, so Twitter can say, oh, this really is a text message from this person, rather than someone who's spoofing the mobile phone number or someone who has grabbed it through a SIM swap fraud. Good thought.


CAROLE. Good. Something else for us to remember.


GRAHAM. Well, Carole, you don't have to remember it at all because you're not using SMS for tweeting, are you? No, certainly not. I don't tweet. You tweet. I do occasionally.


GEOFF. A little bit. It's a very special day when I do. As a postscript to this, Donald Trump has inevitably weighed into the debate and I think was either asked about this or commented on it and said, I don't care if people get into my Twitter account, all they're going to see is the tweets I've done, right? This man is head of the world's most powerful countries. So I think actually if somebody did break into Donald's Twitter account, we might get more sense, more sanity in the world. I don't know. Oh, by the way, the other thing is this was carried out by a group calling themselves the Chuckling Squad. Yes. And the fact they're called the Chuckling Squad makes me wonder. Link to the Chuckle Brothers? TV Tricksters? To me, to you, to me, to you.


CAROLE. No, it's my turn. It's me, it's me.


GRAHAM. Carole, what have you got for us rather than references to 1980s BBC children's TV stars?


CAROLE. Geoff, are you partial to cars? Do you have a fancy car? What kind of car do you own?


GEOFF. No, I've got an old Nissan Micra. It's 20 years old.


CAROLE. Oh, right. So you're like me. Yeah, I'm trying to drive my car into the ground. But Graham, you are driving a smarter car, aren't you?


GRAHAM. I wouldn't call it smart as such. It does beep a lot if I drive badly. Actually, it beeps all the time, yes, if I'm driving badly, yes.


CAROLE. Yeah, but, you know, cars today are much smarter than they used to be, aren't they? Because, for example, if you were in a bad mood, Graham, and you jumped into your car, you might just go to your playlist, Bluetooth up your phone to your car, and then blast your favourite songs. Probably the Doctor Who, you know. Doctor Who Megamix, you mean. Exactly, Doctor Who Megamix.


GEOFF. I imagine that's what it's called, anyway.


CAROLE. And you know, your car collects your GPS information, so where you've been and how long you've been there and time stamped on which days. And people also use it to open their carports, right? You put in little codes so that your garage door opens or that your gated community, if you're all la-di-da, you know, the gates would open. And there's also this stuff called vehicle telematics. Have you heard of that term? This is the tech that sends and receives and stores all the info that controls a vehicle remotely, be it stationary or on the move. So does your car occasionally, when you're driving and you go over a line, does it kind of try and jerk you back into lane?


GEOFF. No, my partner does that. Mine too. In-car device: human. Human's always the best way to go.


CAROLE. Ah, you're in the wrong lane.


GEOFF. No, but I know what you mean. Yes, there's cars, aren't there, that automatically steer you into the lanes and all that kind of stuff.


CAROLE. Did yours do that, Graham?


GRAHAM. It doesn't automatically steer me, no, but it would sort of buzz and beep. It can automatically stop if it thinks, or slow down if it thinks I'm about to hit something. Right, right, right. Which I have tested on occasion.


CAROLE. So it has some kind of quote-unquote intelligence. And all this tech is great, say many, many millions of users. You know, how wonderful to blare your device's playlist via Bluetooth, and how wonderful to access step-by-step navigation instructions on a large built-in screen.

I mean, my car doesn't even have cup holders, which is just my biggest beef with my car. I don't want any of the smart stuff. I just really wish I had a cup holder for hot coffee because it's really hard.


GEOFF. I could beat that. My car's got a tape player.

Oh, wow. Okay, yeah. I have to get tapes from people. Have you any idea how hard they are to track down these days?

Oh, wow. Mixtapes. I've got mixtapes. I love it. Literally mixtapes. Anyway.


CAROLE. Let's say you have this fancy smart car of yours, Graham, and you drive it around for yonks, right? To and from work. Oh, yeah. That's not very far for you as you work from home. Up and down the stairs. To and from your conferences, right?

When you're doing your errands and you're shopping, when you're off on holidays. Yes, yes. And you realize that the mileage is getting up there and you think it's time to trade it in. Right. What do you think of completely cleaning and sanitizing your car from your existence?


GRAHAM. That's a really good point. Yeah, I mean, to be honest, I probably wouldn't think about that, no.

If indeed you know how, I mean, it's a... Yeah. I might sort of wipe the radio, you know, if I preset it to some embarrassing station.

Like what? Pray tell?

I don't know. You can't be talking about Radio 4 right now. I'll tell you what I have done actually. I'll tell you what I have done. I have wiped the sat-nav in the past because of course... Clever. Because of course you might put friends and family's addresses in there.

Yeah. And one of the things I do is I don't set an address as home, for instance. I always think if someone steals my car I don't want them knowing how to get to my house. Yeah, right. I do that too. Instead, I just put in the city where I live. And from there, I know how to get back to my house.


CAROLE. Because I think if you were doing a private sale, you might think you might be more alert on that sort of stuff. But if you were going back to a dealer to do a trade in or to upgrade or whatever, you might assume that the dealer is going to wipe all that clean for you before they put it back on the market.

And the problem seems to be that the onus is on the driver to get rid of the information before they trade or sell the car. Because there's so many and probably a growing number of interdependent and fully independent services that are all working both without even paying attention to each other and some are cooperating to get you the information you need. Like up ahead, there's traffic.

And it's very difficult for a dealer to be able to reach an individual car to go through and wipe all that because it could be many, many different services depending on what car you have, what model, etc, etc.

So U.S. car industry executive turned privacy advocate Andrea Amico told The Register, "Infotainment systems, even from the same manufacturer, come with a variety of both hardware and firmware. Even within the same manufacturing year of production, variances between models can go from small to huge. If it was truly easy and intuitive to delete information, we would not see the statistics we see."

So basically, people are not cleaning their cars. Yeah. So it's up to us, the dear owners, to wipe our smart cars before trading and selling them in. The question is, though, how do you go about doing that?

Consumer Reports put together a pretty solid list of advice. First is unpair all Bluetooth devices. Now, I think most people would think about that. You pair your devices with your car so they can make and receive phone calls and receive and send texts via speech, not typing away as you fly down the motorway.

And you even can create a mobile hotspot in your car and have Internet available to your passengers and drivers. So all that information can be stored either in the car or in the car's cloud server or one of the cloud servers that is made available to your car.

So that brings me to my second point, log out of any cloud accounts. Now apparently inside your manual for your car, there is information on how to ensure that you're off all the cloud accounts. So take a look at that.

But certain automakers store cloud accounts with driver data, you know, including radio presets like you talked about, favorite temperature settings, right, navigation destinations, driving history. And you might want to make sure you're logged out of all those before you get rid of your vehicle.

Remove tracking devices. Now, Graham, isn't this what you were speaking about a few weeks ago when we were talking about Mercedes? So this is where auto dealers and banks and insurance companies may attach tracking devices to your car just for when they're setting up financing and coverage deals. So


GRAHAM. I think many of the threats which you've been talking about here have been a threat to the seller rather than the new buyer. But there is a problem in so much as if the seller doesn't, for instance, disconnect their car tracking app from your car, the new one which you've bought via the dealer, then there's the potential for the previous owner to know where your car is and maybe even unlock it remotely via the app.

And take it back. And take it back or who knows what. Yeah, good point. Right.

And so there is this huge problem of dealers not properly wiping the car because you can't necessarily trust the previous owner to have done it, as we've discussed. But sometimes they may not do it with actual malicious intent.


CAROLE. And what we've learned here, though, what I've learned is you actually can't trust the dealer to do it either. Not because they're necessarily too lazy to do it, but because they don't actually know how in lots of cases.

So I think that's a safe assumption for you, the user, even if there's a few about you. Don't yell at me if you do know how to do it. Well done, you.


GRAHAM. Well, they may not have access to passwords. Who knows? There may not be a method of doing that.


CAROLE. Sure, sure, yeah. Now, this is an interesting one, right? Resetting the vehicle's telematic services.

So telematic services provide services to the vehicle drivers for either a subscription or for any other arrangement, right? Maybe it's a one-off sale. And these can be emergency services or information services to help the driving experience.


GRAHAM. Can you not simply order kit to wipe telematics? That's what I would... it just sounds so sci-fi, doesn't it?

You have to wipe the telematics of your car. What on earth?


CAROLE. Listen to the advice of how to do it, okay? Blue Link, FordPass and OnStar services can send data from your car to the cloud even if you don't have a current subscription, and the analysts at Consumer Reports advise that you look for an SOS or call button on the rearview mirror or overhead console, press it, and you'll be connected to a live operator.

And that is how you go and change the account owner. What?


GRAHAM. Oh, so when you make the SOS emergency call, you say, "I'm actually only ringing. Sorry to waste your time, I'd like my account wiped. This is my GDPR request to be forgotten, which I'm making here by pressing the button."

See, I've had cars in the past which have these buttons which claim to cause... I've never, ever dared press them because I'm too scared as to whether it's going to be the ejector seat or something. Even if I've had a crash, I would never press that button.

I'm just saying you may want to if you sell your car, just to make sure.


GEOFF. I just can't believe all these buttons. I've got hazard warning lights and I've got the rear demisting. That's it. Those are the buttons I've got.


CAROLE. Don't you feel lucky?


GEOFF. Yes, I feel incredibly lucky.


GRAHAM. Yeah, me too.


CAROLE. He is lucky. He's got mixtape.

I pressed the wrong button in my mum's car a little while ago and I just had this horrible feeling that I was driving along and I'd wet myself. But it was the heated seat thing.


GRAHAM. Oh, I hate a heated seat.


CAROLE. Graham and I have an ongoing war. I'm about 10 years old now with the heated seats, you know, secretly, whenever we have to travel together, putting on the other person's heated seat very quietly if we're in his car.

And then he just starts sweating. Watching them squirm.


GRAHAM. I feel like I've got a tropical disease and then I realise I've just got Carole next to me.


CAROLE. Yep. Well, I've shown his son how to do it. So he's taking the baton now.

Now, Graham, you brought up GDPR and very good point because that occurred to me as well. So this could be a really yucky issue for car companies if they don't step up to figure out how to wipe cars from PII data.

Because think about it, right? I don't have a smart car, but you do. And you have connected your phone to your smart car. And all your contacts are likely to be stored in a car-tied cloud server somewhere, which means my information as one of your contacts is also there.

So how is this really different from Facebook and that scandal where people that weren't members of Facebook or users were actually, their information was payload?


GRAHAM. I don't actually do that with my car. It is true that you can.

I believe there is even a way of accessing Facebook via my car, but I obviously, and Twitter, and I wouldn't allow any of that nonsense. So I simply use it to listen to podcasts. I don't actually connect to any accounts or something.


CAROLE. Lots of people out there do though.


GRAHAM. Very good that you're better, that you're actually security aware.


CAROLE. I just want to say I'm better than the rest of you, yes.


GEOFF. But you're right, it's the stuff that's in the car, actually in the physical car itself, that's stored that you can probably wipe, I guess, if you get to it. But then the issue you raise about the cloud, where it's all got sent off to another server somewhere, and you, A, didn't even know that was happening, B, have no idea how to recover it and get it back or wipe it, and C, it potentially stays with the car.

So even if you did wipe the local copy...


CAROLE. Yeah, I see. I'm worrying it's staying with a third party that's working with the car manufacturer, of which there may be, you know, hundreds, depending on what services you require.

And they're the ones who are storing the information. So you might be thinking, oh, I bought a, you know, whatever, Toyota, BMW, whatever car, fancy car with the smart stuff. And who knows who's actually holding data.

Now, as you can imagine, I was pretty smug when I was researching this story, right? Because I'm not a smart car owner. And Graham knows I'm very good at being smug.

So there I was, smugging away. And as I was researching, I came across this older article penned by upcoming guest John Leyden.

And his piece raised a really scary point. Car rentals.

So everything I've talked about here, even if you don't have a smart car at home, if you happen to rent one when you're off on holiday or on a work gig and you plug your smartphone into its little, you know, or connect by Bluetooth, or, you know, get some Wi-Fi going in the car, and that is a problem now because, give me a break, they're cleaning any cars before they transfer the renting to someone else.


GEOFF. We actually, that happened. We, not to bring up my partner again, but we, the source of all tech insights, my partner. We hired a car and sure enough she plugged a phone in, connected a phone up, and we were stunned to see, you know, 400 names and phone numbers pop up on the dashboard.

Oh, crumbs. Perfect example, exactly. We did test this. So when we unplugged the phone and disconnected the Bluetooth, the numbers disappeared from the readout on the dashboard. But we wondered now whether they disappeared from the car or a cloud server somewhere.


CAROLE. Well, according to John Leyden, this article, and this article is about, I don't know, I think eight months old. But he wrote, drivers normally get a warning when they hook up to their car through Bluetooth, but this is omitted when a USB connection is made.

So motorists can unwittingly transfer their smartphone contacts and call logs onto the systems of leased or rented cars. And that is seriously scary to me because, yeah, I've probably done this loads of times. And I've never thought about wiping a car, you know, a rental car before. So I've learned something super valuable. Drop every friend or contact with a smart car. I do, Graham. Never buy or rent a smart car. In fact, I probably should avoid leaving the house altogether because it's just too scary out there. So this is the new me, Carole the hermit.


GRAHAM. Whatever your industry, Detectify can help you stay on top of security and build safer web apps. Just enter the name of your website and Detectify will run over 1,500 security tests against it, identifying real problems with a list of constantly updated vulnerabilities submitted by a global network of over 150 hand-picked ethical hackers.

The service can even help you discover web assets like unknown subdomains and determine if they're vulnerable to hostile subdomain takeover. So what are you waiting for? Go hack yourself. Take a 14-day free trial at www.smashingsecurity.com slash detectify. Detect with an IFY on the end. And thanks then for supporting the show.


CAROLE. Hey, Graham.


GRAHAM. Yes.


CAROLE. There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important.

So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com forward slash smashing.


GRAHAM. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.

Pick of the Week. Pick of the Week is the part of the show where everyone... I haven't done that before. We haven't had Geoff say pick of the week.


GEOFF. I just thought that you'd drop that because every guest like me forgets to do it or doesn't know they're supposed to do it. I just thought you'd learned your lesson but no, we still have to do it, fine, okay.

Leave the awkward pause and I'll try and step in a bit late as I normally do. Geoff Pick of the week.


GRAHAM. Pick of the week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. Doesn't have to be security related necessarily. It could be occasionally. Not necessarily.

Now, my pick of the week this week. Oh, my goodness. A sad moment for everyone like me who's a bit of a Doctor Who fan of old, because one of the godfathers of Doctor Who, one of the great luminaries, Uncle Terry himself, Terrance Dicks has died. He died earlier this week. And for those people who don't know, Terrance Dicks was someone who not only wrote the occasional Doctor Who story from the 1960s onwards, but he was also the greatest Doctor Who author of all time. He wrote over 60 novelisations of Doctor Who.


CAROLE. So when you say greatest, you mean most prolific?


GRAHAM. He was the most prolific, and in some ways he really moulded what Doctor Who is. And I'll tell you why he is great. To a whole generation of boys growing up in the 1970s and 1980s, Terrance Dicks is probably more responsible for getting me and those other lads to read books than anybody else.


CAROLE. So like J.K. Rowling?


GRAHAM. No, not like J.K. Rowling at all. I mean, OK, maybe J.K. Rowling has had a tremendous impact on people as well. But Terrance Dicks wrote scores and scores of books.

And when lads in the 70s and 80s were asked by the English teachers who their favourite author was, there's bound to be someone in every school class who said Terrance Dicks. And truth be told, it wasn't watching Doctor Who on TV which made me a fan of Doctor Who. I believe it was actually reading the old Target novelisations of Doctor Who stories, because Doctor Who was never repeated. You couldn't get it on video in these days. In those days, you couldn't get it streamed. Your way of recreating what you'd seen on TV was to go and read the book and reread it.


CAROLE. That's a very good point. That's true.


GEOFF. We were allowed at my local library three books at once. You could check out three books in the kids' section of the library. I used to check out three Doctor Who books, read them all in a day, and go back and get three more, and I did that. So yeah, I remember those days of absorbing.


GRAHAM. Doctor Who books. That's very sweet. There's a wonderful tribute by Rob Shearman, who himself wrote a Doctor Who story in 2005, published in the New Statesman, all about how Rob was a young lad with a stammer who met Terrance Dicks and interviewed him and what happened and how Terrance Dicks inspired him to become a writer, which Rob Shearman did. You can go and read it. It's linked in the show notes.

But as a little bit of fun, in honour of Terrance Dicks and his passing, I wanted to play a little game with you. Now, because I've now discovered that Geoff has read a fair number of Doctor Who books.

Touched him, I think, yeah. When I was seven or whatever, yeah.

Okay, okay. I'm going to read out the names of three Doctor Who books and give you a little summary of what happens. And you have to work out which one I've made up. Okay?

So now the game begins, right? Two of these are real and one of them is made up.

First one, Doctor Who and the Danger of the Cybermen. A fantastic story where the fourth Doctor, Tom Baker, took Sarah Jane Smith and Harry Sullivan to the Folkestone Literary Festival. At least he thought he was going to, but he mistakenly landed in a quarry. Who could believe Doctor Who could do such a thing? On an airless planet on the outskirts of the unknown universe. That is Folkestone. Sorry to people of Folkestone.

So that's one I want you to consider. The next one is Doctor Who and the Planet of the Spiders. Sarah Jane Smith again, because she's the greatest Doctor Who companion. She visits a Tibetan meditation centre in rural England where a group of middle managers are trying to summon up a spider from the planet Metebelis 3.

And the final story I want you to consider is Doctor Who and the Brain of Morbius. Doctor and Sarah Jane Smith sent by the Time Lords to the planet Karn, graveyard of spaceships. There they encounter the mad scientist Doctor Solon.

So which of those are real and which of them is made up? The Danger of the Cybermen, The Planet of Spiders or The Brain of Morbius. Geoff, have you got any feelings on this one?


GEOFF. I've just got a feeling I'm going Spiders. I think Spiders is the one you made up. Just the middle managers bit is just a classic Graham-ism, I'm thinking.


GRAHAM. Well, I have to say, Doctor Who and the Planet of the Spiders is a genuine Doctor Who story.

Oh, you snook. Good job, Graham.

The Danger of the Cybermen was utterly made up by me, complete with a really rubbish title. I thought that would make it seem more likely, calling it the Danger of the Cybermen.

But there you are. Anyway, Terrance Dicks, what a chap. Fantastic. And mourned by Doctor Who fans all around the world. So he is my, not just pick of the week, I think he's just pick of a lifetime. What a great impact he had on me.


CAROLE. My husband was very sad too, so RIP Terrance Dicks.


GRAHAM. Geoff, what is your pick of the week?


GEOFF. Controversially, my pick of the week is going to be my own podcast.


CAROLE. Good. Should be. It's a great podcast.


GEOFF. Something which not to give the game away I was put up to by someone.


GRAHAM. Have you got a podcast? You've got a podcast, Geoff.


GEOFF. I have. I have got a podcast, weirdly, yeah. Called Cybercrime Investigations, actually, since you asked.


GRAHAM. Is it available on Apple Podcasts and Spotify and all good podcast apps?


GEOFF. It is. It is. Well, Apple Podcasts and SoundCloud, you can get it on as well. If you just look for Cybercrime Investigations and my ugly mug, you'll find it.

And what's it about, Geoff?

Well, it's about the investigation, wait for it, of cybercrimes. When you're trying to research this stuff, often a lot of material gets left on the cutting room floor, and when I talk to my mate, to my family, about this stuff, it's often the dead ends and the bits where it's not going well that they're most interested in, they find most interesting.

So that lovely polished version that you put out at the end, saying we investigated this and I found this and here's the story, it ignores two-thirds usually of what you've actually done, which is: that didn't work out, that was the wrong guy, I went to the wrong place there. But actually that stuff is quite interesting.

So that's the whole point. The Cybercrime Investigations thing is to sort of milk the rest of the investigation I don't normally talk to people about, but also it's quite fun.

And I work with a lovely guy called Glenn Goodman who's a fellow journalist, but knows nothing about tech. So that's quite useful.


CAROLE. I love you two together, actually. I think you guys make such a good pair.


GEOFF. It is good. He's got a great sense of humour and, as I say, also asks the kind of questions that I need to be asked to explain stuff.

So, yes, Cybercrime Investigations is the thing. We've done ones on TalkTalk. We've done ones on the Bangladesh Bank hack. And we did one on – what was the other one we did? We've done various ones anyway, so you can catch up and listen. And it's about 90 minutes long, each one of them. Perfect length, I'd say.


GRAHAM. It's really enjoyable. And I have to say it's one of my favourite cybercrime podcasts.

Very kind.

It's equal first with 538 other ones. No, no it is, no it is genuinely.

I'm just reminded of that episode of Desert Island Discs. Wasn't there some famous opera singer who went on Desert Island Discs and chose 12 of her own records?


CAROLE. I was just having a drink of tea. Did she really?


GRAHAM. I don't know was that a long time ago before I got here? I think it was a long time. It may have been.


CAROLE. I never heard that.


GRAHAM. It's just been terribly polite.


GEOFF. Absolutely brilliant. I mean, shortly after record number three, you'd be saying, do you like anyone else? Anyone else's work you rate? No. No, here's another one by me. I love it.


GRAHAM. Carole, what's your pick of the week?


CAROLE. Well, my pick of the week this week is a podcast. Sorry, Geoff, I should totally have had yours. Is it about cybercrime? Is it hosted by someone called Geoff White?

I'm talking about a podcast called Intelligence Squared. Now, overall, this is a great, great, great podcast. I love it. And you'll hear an array of very smart people talking rather deeply about specific topics, actually. And that comes out every week. And it's great.

Now, the most recent Intelligence Squared pod that came out features a person I'm really into. I like her books. I think she's smart. She's a scholar. She's an author. And she's named Shoshana Zuboff. Oh, yes. Yeah.

And last year, she published this massive tome of a book called The Age of Surveillance Capitalism, which I'm reading slowly and very much enjoying. It's just such a heavy book. My arms get tired because I got a hardback. And whoa, sometimes it's good for the guns.

But this pod is a great intro to Shoshana's work. I've heard her on a few pods, but I really love this one. She talks about how Obama ran the first political campaign that showed the power of targeted advertising. And he had the main Google gurus advising him on how to do all this.

So, politicians are conflicted because they can directly benefit from the infotech that is infringing on the people they swear to serve and protect, which is an interesting dilemma. Right.

She also talks about Facebook, which she says, and we all agree, has largely been self-regulated for a decade or more since its inception. But, of course, since Cambridge Analytica and everything else, the waters have been heating up, and Zuckerberg has needed to shift his public perception.

So she says, and I paraphrase here, as Zuckerberg is presenting himself as privacy woke, yet the irony is that privacy fundamentally contradicts everything that makes Facebook lucrative for its shareholders, aka him. Because, you know, he has to wear black diamond-crusted pants, I'm sure, on a daily basis.


GRAHAM. Sorry, is that the American definition of the word pants or the British?


CAROLE. British. I'm sure they'd be much more comfortable.


GRAHAM. Oh, yeah, slightly, chafe slightly.


CAROLE. Right now, she sees Zuckerberg and she says he's planning the move to centralize legislation because if the legislation is centralized, you have a lot more representatives that have to agree and that waters down a law. Then Zuckerberg can target all his lawyers and whips and, you know, whatever, what's the word called? Someone who sways... Lobbyists.

Lobbyists, right? To that central jurisdiction. Obviously it also can ensure that these elected officials can enjoy the benefits of things they provide, targeted advertising.

So this is just two, but quite big, massive points, I think, and they're just crammed in amongst others in this tiny 40-minute podcast. So go check it out, Intelligence Squared, with the wonderful learnings from Shoshana Zuboff, and then go buy her book. And that's my pick of the week.


GRAHAM. Excellent thank you very much Carole and I think that just about wraps it up for this week. Geoff I'm sure lots of people would love to follow you online or maybe give you suggestions on what or go listen to your podcast. Yeah, listen to your podcast, give you an idea for the title of your book or what domains to purchase. What's the best way for folks to get in touch with you?


GEOFF. Twitter's the easiest way, and I am Geoff with a G, G-E-O-F-F, White the colour, and 247, because I am 24-7, seven days a week, Geoff White. Tea! Fromage, but I love


GRAHAM. it. You can follow us on Twitter as well, that's Smash Security, no G, Twitter allows to have a G, and we've got an active community up on Reddit. Just go to smashingsecurity.com slash Reddit and it will take you automagically there.


CAROLE. And once again, thank you to this week's Smashing Security sponsors, Detectify and LastPass. Their amazing support helps us give you the show for free. And thanks to you, you classy, classy humans. Be you a listener, a Patreon supporter, a reviewer. You are the gravy on our mashed potatoes.


GRAHAM. Until next time, cheerio.


CAROLE. Bye-bye.


GEOFF. Bye.


CAROLE. Bye. Are you a big fan of gravy on mashed potatoes?


GRAHAM. Oh yeah, peas, gravy. It doesn't have to be, I'm not talking meat gravy, it can be veg gravy, something, but a nice gravy, right? But mashed potatoes, peas and gravy, maybe a few roasted carrots, I'm in heaven.


GRAHAM. Yeah, onion gravy. You know what, I am too. I don't know why I'm questioning that. That is pretty awesome, isn't it?


GEOFF. In fact, I will share, if I may, Graham's feedback from the book, where at one stage I talked about the gravy train coming to a halt, at which point Graham's feedback in the text was: what, there's a train for gravy?

-- TRANSCRIPT ENDS --