
251: PrawnHub, Tesla recall, and IoT luggage

November 10, 2021
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Now unfortunately, their website appears to have suffered from what I can only call a Sophos-icated cyberattack.

Carole Theriault

How long did that take you?

Unknown

For cod's sake! Smashing Security, Episode 251: Prawn Hub, Tesla Recall, and IoT Luggage with Carole Theriault. Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 251. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, we are joined this week by a special guest, someone who hasn't been on the show before. It's Ken Munro from Pentest Partners. Hello, Ken.

Ken Munro

Hi, Graham. Hi, Carole.

Carole Theriault

Hi, Ken. Welcome to the show. First timer, eh?

Ken Munro

I know. Avid listener too, so I'm quite touched that you invited me along.

Graham Cluley

Oh. It's our pleasure. Now, Ken, for people who haven't heard, I'm sure lots of our listeners have heard of you actually, because you quite often show up on the TV, BBC Click and things like that. Normally you're fiddling around with IoT gadgets, aren't you?

Ken Munro

Yeah, we are the destroyer of things. So my team and I at Pentest Partners are all about doing interesting research in the background whilst we're out pentesting. So our particular interest is smart stuff and we love breaking it partly because it's quite easy sometimes, but also because when you go a bit further and dig into chips, you can find some really interesting stuff.

Carole Theriault

Yay, we're hopefully gonna hear about it later. But first, can we thank this week's sponsors, 1Password and Qualys? It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?

Graham Cluley

Oh, I'm going to give you something fishy, but for a change, it's gonna be with an F. Better come with chips.

Carole Theriault

What about you, Ken?

Ken Munro

Well, I'd like to talk about the smart stuff, but a slight tangent. I'd like to talk about things getting better amazingly.

Carole Theriault

Ooh, and I'm talking Elon Teslas and real-time updates. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, have you ever been tempted by water sports? Is that something which has cropped up with you?

Carole Theriault

This isn't Sticky Pickles, okay? This is an important show.

Graham Cluley

I don't mean things like water skiing or synchronised swimming. I mean, Ken, have you ever done anything in the water? Anything? Because you seem like quite a sporty sort of chap. Would that be right?

Ken Munro

I used to do quite a bit of kayaking. That was good fun. Very, very wet. Because I spent most of the time swimming out of my canoe because I wasn't very good at it.

Graham Cluley

But hey. What about fishing? Either of you ever gone fishing?

Carole Theriault

I have gone fishing, but I've never caught anything.

Ken Munro

Oh.

Carole Theriault

I don't— I'm really glad about that, actually. I don't know if I would be very good at, you know, putting a hook in a fish's mouth.

Graham Cluley

You know, I'm getting to an age now where the idea of fishing begins to appeal to me. I can imagine pulling on a pair of rubber trousers, wading in up to my waist, setting my tackle loose, all in the hope of getting a quick nibble. It's something which I think I could get quite hooked on.

Carole Theriault

What the heck's going on with you?

Graham Cluley

Well, no, I think I'm, you know, it's a gentler, calmer, simpler time, right? Now we're in year 2 of 8 of the great lockdown.

Carole Theriault

You've been talking for 2 minutes, I'm already blushing. That's all I'm just saying.

Graham Cluley

This is highly unusual. I think you should consider fishing, at least mull it over. Now, I want to talk to you about a company, a British company called Angling Direct. They've got around about 40 stores up and down the country, millions of customers. They're listed on the London Stock Exchange. You know, they're not some small outfit, certainly not small fry. Tens of thousands of people visit its website every day to buy rods, reels, and bait.

Carole Theriault

Fishing paraphernalia.

Graham Cluley

Yeah, you know, the essential equipment you need to go fishing. Now, unfortunately, their website appears to have suffered from what I can only call a sophisticated cyberattack.

Carole Theriault

How long did that take you? I'm just going to let you hang on that one.

Graham Cluley

All right. For God's sake, I need to stop carping on. I need to get on with what's happening, because if you visit the Angling Direct website right now, you don't get to see tackle. Instead, you find yourself on the Pornhub website.

Carole Theriault

What?

Graham Cluley

Which I suppose means you do get to see tackle.

Carole Theriault

So someone's redirecting people who are trying to buy fishing rods, et al., to tits. To porn, basically. Sorry. To porn.

Graham Cluley

Well, boobs, knobs, and yeah, all that kind of equipment instead. That's what you're getting to see.

Carole Theriault

Can I ask a question?

Graham Cluley

Yes, of course you may.

Carole Theriault

Why?

Graham Cluley

Well, why indeed? Why does anyone do anything these days?

Ken Munro

Wow, it's got to be cash, hasn't it? You've got to hold them to ransom.

Graham Cluley

Yeah.

Ken Munro

Hijack their domain.

Graham Cluley

Exactly.

Ken Munro

Take money.

Graham Cluley

Grabbing them by the short and curlies and saying, come on, cough up some money. Angling Direct says it spotted something odd going on in its network late on Friday night. And it appears that the company's DNS records, the things which tell computers where to find Angling Direct's website, they were meddled with, so obviously they were hacked or compromised. Maybe the hackers got hold of the passwords at their DNS record service and redirecting people to Pornhub instead. And also Angling Direct's social media accounts, they were also hacked on Sunday night. Its Twitter account announced, our site has been sold to MindGeek, the founders of Pornhub. Your data has already been transferred and Pornhub Premium will be available for your account for a period of 1 year. And so they were saying, if you register at Pornhub using your Angling Direct login credentials, they would automatically get a premium Pornhub account. I don't know what a premium Pornhub account gives you, but that's—

Carole Theriault

No ads, probably.

Graham Cluley

Oh, I suppose so.

Carole Theriault

I don't think they send you wet wipes or anything like that.

Graham Cluley

Right, okay.

Carole Theriault

Okay, so is this to embarrass people into action, or is this more thinking so many people are going to go for this freebie?

Graham Cluley

Well, oh, I see. Do you think maybe that Pornhub are behind it, or a Pornhub affiliate?

Carole Theriault

No.

Graham Cluley

Trying to drive traffic thinking there's lots of people who are into fishing.

Carole Theriault

I'm wondering—

Graham Cluley

Who might be interested.

Carole Theriault

No, I'm thinking more, are they thinking that someone's going, oh, a full year of, you know, a full free month of premium porn, that's worth it. And that they'll actually go and log in with their credentials, legitimately.

Graham Cluley

I don't know. I mean, the thing is that angling is a hobby enjoyed by people of all ages.

Carole Theriault

Not very sexy, though.

Graham Cluley

What?

Carole Theriault

I don't know if people fish for kicks, literally.

Graham Cluley

People do everything for kicks. People hack IoT devices for kicks, right, Ken?

Ken Munro

I'm just thinking, is there some sort of niche area of pornography we don't know about to do with angling? I don't know.

Carole Theriault

Really into scales.

Graham Cluley

Anyway, it appears because they're still in control of Angling Direct's details. If you go to Angling Direct's Twitter account right now, the messages are still up there days later. If you try and go to their website, you still get directed to Pornhub instead. So they clearly, after a few days, haven't managed to get a proper handle on this and are still struggling. And the message from these hackers is, if you want to get in touch with us, and they've given an address of , we will tell you how to fix the problem and we can maybe give you your data back. They haven't announced whether they're gonna ask for money, but one assumes that they would.

Carole Theriault

What are the real people at Angler Direct doing about this?

Graham Cluley

Well, they've contacted law enforcement agencies, they've told the ICO. They don't believe any financial details have been put at risk. Obviously, there's concern that there may be some credentials and customer information which may possibly have been snaffled up as well. But what I wanted to emphasize, though, is remember I was saying how angling is a hobby which appeals to people of all ages. So it's not just grubby, dirty old men who just want to look at someone's knockers. There are people on Twitter who said, my 5-year-old son has gone to the Angling Direct website today, and I'm having to have this really awkward conversation with him.

Carole Theriault

That's not a fish, darling. Yeah. So not very good, really. Ken, you deal with companies who've been hacked and breached and things like that. It's interesting, isn't it? Looking at the press release they put out, the statement, the one thing they haven't done is stated it's sophisticated. Yeah.

Ken Munro

This one, it doesn't seem to have mentioned the word sophisticated, which is great, the fact they haven't gone for the old cliché. But it's interesting they took DNS and Twitter. That was fascinating, which suggests to me, I don't know, maybe a case of reused passwords.

Carole Theriault

Yeah, shitty password and shared. Yeah.

Graham Cluley

So maybe they're using the same password at Cloudflare or wherever it is as they're using on Twitter.

Ken Munro

But that seems a real shock. I mean, this is a, what, £70 million turnover business? That would be a bit of an oversight to leave your IT, probably your biggest revenue generating online thing, and have lousy credentials that you reuse everywhere.

Graham Cluley

Not good. At all. And sadly, seems to be the case with so many organizations when they get breached all the time. So anyway, right now, if you Google for Angling Direct, even Google pops up a message saying, oh, there may be some smutty search results in here because they've sort of now flagged Angling Direct as being an adult website. So it's going to do them harm for a little while, I think.

Ken Munro

It's not angling, it's dangling.

Carole Theriault

See, that's funny, Graham. It almost feels personal to me.

Graham Cluley

Right. Oh, you think?

Carole Theriault

Yeah, I don't know.

Graham Cluley

What do you think? Phish are behind it? So phish are fighting back and they're the ones who— And there was someone else who was saying their 13-year-old son had ended up on this site.

Carole Theriault

Okay, okay. Yes, yes. Finally, we've had enough of hooks in our mouths. We're gonna show you.

Graham Cluley

Oh my God. Ken, what have you got to talk to us about this week?

Ken Munro

Well, do you know, I want to bring up the subject of regulation and I very rarely talk about laws 'cause usually they're a bit yawn-worthy, aren't they? Going through the details of laws and things.

Graham Cluley

Really deeply disturbed about what people were doing, because I'm sure there are some 13-year-olds who have seen that kind of content online, but there are other people who certainly haven't and are too young to handle it.

Ken Munro

But there's been some progress in the area of IoT. Now, I always thought when we started doing research on these smart devices that a bit of bad press coverage would shock manufacturers into action, but you know, it hasn't. Years later, we're still banging our heads against the wall trying to get organizations to up their game. Some have, but it gets really frustrating when you go out and buy a product from Amazon or whoever's selling stuff and you find the same silly mistakes that you were finding 6, 7 years ago.

Carole Theriault

But don't you think without regulation, you've got some that are going to try and do the best they can because they care and they're being conscientious and they want to put out good, and there's other people, cowboys, they're gonna throw it out as much as they can, as quickly as they can, and try and make a fast buck.

Ken Munro

And how is the user gonna make a decision when they're buying the products, aren't you?

Carole Theriault

Right.

Ken Munro

Yeah, there's no marking, that'd be almost impossible to do anyway. So you end up falling victim to lousy advertising and people making grand claims. And I'd just like to know that the product I'm gonna buy is gonna be safe and secure.

Carole Theriault

Mm-hmm, totally.

Graham Cluley

Yeah.

Carole Theriault

Can't argue with that.

Ken Munro

So there's an interesting thing, I think it's 29th of October, so pretty recent now, there's a big change that was implemented. So the EU, we've got the Radio Equipment Directive, which is all about basic standards for radio systems, but they've managed to include some standards for smart devices. That's all going to come into effect in 2024, so I understand, but it's maybe the start of a change towards the IoT not being really vulnerable and hackable.

Graham Cluley

So will this mean that IoT devices which are made in China but are intended for sale in Europe will have to conform to this standard?

Ken Munro

That's the idea. So I think that's a huge step forward. It's not the first law. The first I'm aware of that was specific to IoT was in California, came into effect January 1st last year. But the sad thing is I haven't heard of any enforcement action. So it's all very well having a law, but if no one's gonna actually take action and hold these manufacturers to account, it's kind of a bit pointless having a law, isn't it?

Carole Theriault

Although, yeah, it was hard maybe during the pandemic, that might have taken a backseat, like, we'll start after the pandemic.

Ken Munro

Let's do some enforcement later, shall we? And in the meantime, everyone just gets hacked.

Carole Theriault

That's true.

Ken Munro

Yeah.

Carole Theriault

So, okay. So what can you tell us about what is going to be regulated as part of this? Yeah.

Graham Cluley

What would have been fixed by these sort of regulations, do you think? What sort of common problems are you seeing?

Ken Munro

Well, you'd have thought that consumer privacy would be covered by GDPR, and arguably it is, but again, we don't seem to be seeing too much action taken. So that's a big thing. A big step forward is that consumer privacy is going to be a core part of the Radio Equipment Directive. Which is really cool. So it means that if you've got a smart device with a leaky API that anyone can grab all your personal data from, that's going to be a massive breach. But what I really like to see is some certification around this, and that's a bit of a mess right now. So you've got lots of organizations, companies you probably know, people like BSI, UL, TÜV in Germany, people like that who are trying to get certification schemes to market. But it's a really big job trying to work out if a smart device is secure or not because it's so damn complicated.

Carole Theriault

Yeah. Spans all devices from vacuum cleaners to computers to, you know, phishing equipment, I'm sure.

Ken Munro

There is smart phishing equipment, I have to say.

Carole Theriault

There you go.

Ken Munro

Of all the crazy things, one of my colleagues said, hey, my washing machine's got a web server. Awesome, what could possibly go wrong? So I think that's where we've gotta go. I'm not a massive fan of regulation 'cause it can be argued that it stifles innovation. But I think in this case, I think we actually really need some. There's been some great progress in the UK. So I think this parliamentary session, The Online Safety Bill, I think, has got a bit in it about smart devices, so IoT, with some really basic requirements for cybersecurity. So that's kind of good, but I really want to see some enforcement action.

Graham Cluley

Well, yeah, but if the requirements though are fairly basic in order to sort of get them passed, is there a danger that the general public will see the equivalent of a Cyber Tick and think, oh, it's safe then?

Carole Theriault

Well, they're doing that now. They're assuming that's all safe.

Ken Munro

Although there's some good surveys actually. So Department for Culture, Media and Sport did some work a little while back and they actually went out and talked to people and started to gather what were the things that were worrying people about buying smart products. And one of the things towards the top of the list was actually cybersecurity, that people were worried generally about these invasive devices and what are they doing? Is that Home Assistant listening to me all the time? Is it sending adverts based on what I say when it hears me? And I think that's a real obstacle. So if we can encourage these smart device manufacturers to go, "Hey, no, actually we really are secure. Look, here's how we keep your data private, and here's how we don't snoop on you." I think people would buy more.

Carole Theriault

Do you think they should have stickers like they do in the supermarket when they say, you know, something has a lot of sugar or a lot of fat or anything, and it says, "Listening to you at all times, taking pictures whenever it wants." Like, would that help?

Ken Munro

There's been a lot of work on trying to come up with a label, but yeah, when you buy your fridge freezer, right? So it'll come up with a rating and you go for the one that's gonna save you loads of electricity. But IoT is so much more nuanced and there's so many different areas of it. It's a complex ecosystem. So you've got the thing and you've got the hardware security on it, cameras, microphones, speakers, all those sort of things, Bluetooth, Wi-Fi. Then you've got an API that hooks it up to the mobile phone and the app. Then you've got a cloud platform and it's so complicated. So yeah, we judge food on 5 scores, I think.

Carole Theriault

Yeah, yeah, yeah. That's totally true. Yeah.

Ken Munro

I think the other bit we've got a real issue with is certain vested interests from some industry lobbies. So what is a smart device? Where do you draw the line? When is it, is it a laptop? Is it your phone? Is it your car? Is it a smart speaker? Because the automotive industry is a very powerful lobby, and I believe there was quite hard lobbying in the US to ensure that Senate Bill 327 didn't apply. But that said, cybersecurity in cars is improving.

Graham Cluley

Yeah, but why should there be any cybersecurity regulations regarding cars? I mean, they're only something you can drive down the highway at 100 kilometers an hour and crash around. It's not as though it's really important, is it?

Carole Theriault

No, but a vacuum could really attack your ankles as well, right?

Graham Cluley

Yes, you've gotta watch out for robot vacuum cleaners. What are the weirdest IoT things that you've hacked, Ken?

Ken Munro

Wow. Over the years, you'll know we've done a few connected adult toys, and you might remember one last year where we saw a connected male chastity device.

Carole Theriault

Oh yes, Graham did that story, I believe.

Graham Cluley

Sounds like my cup of tea, yeah.

Ken Munro

Right up your street, hey? We were talking about dangling anyway, but—

Graham Cluley

Was this the Leaky lock? Was it called Leaky?

Carole Theriault

God, it's such a bad name.

Ken Munro

It was called QIUI. Q-I-U-I.

Graham Cluley

I knew it was something like that, yes. Leaky.

Ken Munro

You remember that my amazing colleague Alex discovered that the API had some major flaws. You could actually leave people locked in or locked out or other things. You end up having to destroy the damn thing to get your meat and veg out, which is quite an awful story really. But the bit that was actually probably more sinister was that it also leaked your position, and there are a lot of countries in the world where they aren't so tolerant of—

Graham Cluley

Oh, I see. Geographic— I understand position. I thought you meant—

Ken Munro

Not that position.

Graham Cluley

I thought you meant sort of angle of elevation or something.

Ken Munro

No, the angle of— anyway, yes. But what I've heard recently is that—

Carole Theriault

Still blushing to say it.

Graham Cluley

Yeah.

Ken Munro

Said device manufacturer is upgrading their product and now offering the ability to give electronic shocks.

Carole Theriault

Oh, for God's sake. I think I know someone who might like that, actually.

Graham Cluley

No, not me.

Ken Munro

I'm just thinking API security flaws, and now we've got a shock device. So you could just see some poor gentleman walking down the street, all of a sudden leaping in the air because some damn hacker's taken control of the API.

Graham Cluley

I mean, fine if you want that sort of thing to happen, but—

Carole Theriault

Not in a public street though.

Graham Cluley

Well, you know, if it's not raining or something, so there's no danger of electrocuting anybody else.

Carole Theriault

He's not plugged in.

Graham Cluley

It's just— I know, yeah, you don't really want that happening, do you, without your thumbs up, as it were? Maybe that's the wrong phrase. But yes, good.

Carole Theriault

Still blushing. Excellent work, Ken. I think you've done jolly well there, Ken. I'm cleaning this up a little bit, okay? So don't lower the tone, gentlemen. But I'm going to natter about what most people think is an extremely sexy car, the Tesla. Do you guys think of it as sexy?

Graham Cluley

I don't think of it as sexy, no.

Carole Theriault

Oh no, but you're in love with Elon, that's why.

Graham Cluley

Well, no, because I'm not in love with Elon. I just don't find him very sexy. He's just, you know, it's a twit, isn't he?

Carole Theriault

I don't know. I think he swooned a bit over him. Ken, what about you?

Ken Munro

So I'm an EV buff. I have two EVs. Absolutely love them. And we bought a Model S a few years ago to reverse engineer it and find out about how it updates itself over the air, because that's kind of cool. I really liked that bit, but the bit that surprised me a bit when we were taking the car apart is I was a little surprised about the build quality. It wasn't quite what I was expecting. There was rust behind the dash already after two, two and a half years.

Carole Theriault

Really?

Graham Cluley

Mm.

Ken Munro

Don't get me wrong, I love the technicality, the amazing wizardry of the Tesla, and I love that, you know, the acceleration in a straight line is mind-blowing. But not quite there with the rest of the bit, you know, the bit that other car manufacturers did years ago.

Carole Theriault

Okay. I am so glad you're on the show today to help me on this. So you guys may have heard about Tesla's glitches late last month when cars started behaving erratically after receiving an overnight software update.

Graham Cluley

Oh, yes. This is when, yes, they started going into cul-de-sacs and things, didn't they? Or—

Carole Theriault

Yes, that was part of it.

Graham Cluley

Yeah, yeah, getting stuck.

Carole Theriault

Yeah, but it got worse than that. Some owners reported that their cars suddenly started slamming on the brakes at highway speeds.

Graham Cluley

Oh well, yes, now not ideal.

Carole Theriault

No. CEO Elon Musk got on Twitter, acknowledged the problem, and vowed that the update was being rolled back. And the glitch reportedly affected about 12,000 cars and lasted only a few hours, thanks to real-time emergency software updates.

Graham Cluley

Well, you say only a few hours, but if those, you know, if you'd set off on your journey and—

Carole Theriault

To go to work in the morning, yeah.

Graham Cluley

Yeah, update rolled out onto your Tesla and then suddenly your Tesla begins to brake randomly, that's not really that great, is it? If it's slamming on its brakes.

Carole Theriault

Totally agree, but it's kind of interesting. And I want us to keep in mind this whole idea of real-time emergency software updates, because that's kind of where I want to go with this. Now, of course, this isn't the first time there's been some kind of snafu with Teslas. Just before this software glitch where the Teslas were behaving erratically and slamming on the brakes, Tesla was publicly dinged by the NHTSA, National Highway Traffic Safety Administration, for failing to issue a formal recall over a previous incident where basically dozens or so of Teslas, when on autopilot or when autopilot was activated, had crashes involving parked emergency vehicles. So they couldn't read them and it would crash into them.

Graham Cluley

Well, specifically emergency vehicles like fire and ambulances.

Carole Theriault

They didn't go into details. Parked emergency vehicles. That's what I imagined from it, right? Ambulances, fire, exactly.

Graham Cluley

Wonder why it targeted them.

Carole Theriault

Well, maybe they're not where they're supposed to be. Maybe they're parked in weird places. They're not where cars expect them to be, maybe. Elon and co dealt with this issue by issuing an emergency real-time software update to enable its cars to better see parked emergency vehicles in low lighting. So it was obviously a lighting issue again. Again, real-time updates to the rescue. But the thing is, there's more and more incidents. Of course there would be. But last June, Reuters reported that US auto safety regulators had opened 30 investigations into Tesla crashes. They had involved at the time 10 deaths over the last 5 years where this concept of advanced driver assistance systems were suspected of use. Did you look at that when you were looking at Teslas, Ken, the driver assistance systems?

Ken Munro

Didn't so much look at the ADAS. We were more interested in how the updates were being done. That's the key thing for me. And I think in fairness, Tesla did something quite cool. Do you remember the Beast from the East storm a few years back? And one of the updates they pushed out enabled further range for a period of time so people could get home if they were stuck in the snow. And I kind of like that. So there are clearly some benefits, but the bit that worries me is, are Tesla testing their software enough?

Carole Theriault

Yeah, agree.

Graham Cluley

Well, they are testing it, but they're testing it out on the public road with plenty of people who are driving these dodgy updates on their way to work, aren't they?

Carole Theriault

Yeah. So the latest iteration of Tesla software is called Full Self-Driving. And this is Full Self-Driving navigates city and residential streets with an attentive owner behind the wheel at all times. And about 12,000 drivers paid as much as $10 grand to be first in line to upgrade, be part of this beta team to test out this full self-driving. You say, Graham, they're testing them on our roads where you drive your kids to school or you're going bowling this Friday, you're taking away for a date. And there's these cars there that are under test. Now Elon's saying, look, it's a beta, there's going to be some problem. And I'm wondering what the fuck are you doing on the roads?

Graham Cluley

I mean, I guess they really want to test the software and sometimes going out into the world is what's required, but it's bizarre, isn't it, that people will spend $10,000 to get a piece of beta software. Can you imagine doing that with your computer if you wanted a new version of Windows? Oh, you want it a few weeks earlier than everybody else. So please, can you give it to me in its buggy state and I'll give you $10,000, Microsoft?

Ken Munro

It's insane, isn't it? That's the problem, isn't it? We talk about AI and machine learning, but the machine has to learn. And when you're coming to driving, you do that by driving, but yet paying for the privilege, that's incredible.

Graham Cluley

Well, and also, hang on a moment. Also, if you're the kind of person who's prepared to pay $10,000 to get this potentially dodgy software, that might say something about your character. Maybe you could even make some suggestions as to what you are as a driver, because maybe you are a little bit reckless. Maybe you are a little bit more dangerous because you clearly think that's a sensible thing to do, to spend that kind of money.

Carole Theriault

I don't know. I think Tesla must— they must underwrite the insurance. How do you get insurance for that?

Graham Cluley

I think one thing I did read with Teslas is that they first start rolling out updates like this to people who've got a 100% driving record. So the car, I believe, is actually measuring how good a driver you are and gives you a percentage. Tesla owners who are listening to this, write in and tell us that we're wrong about all these facts. But I think that's how they begin to roll out the updates, so they try and work out who is the safest first. But I think the sheer fact that you spend extra money suggests to me that maybe you're not completely complacent.

Carole Theriault

Here's another weird thing about this real-time update. So on my phone, for example, or on my computer, I might do updates, software updates, browser, whatever, and configuration options will sometimes change back to default. So if you're in a car and you have things like brake assist turned on or heated seats, Graham, switched off, right, and they default to on after an emergency update.

Graham Cluley

Yeah, that would be bad. I certainly remember a long trip which I took with you once, Carole. We were going from Boston up to somewhere in Canada. I was driving and the heated seat would mysteriously keep on being turned on underneath me, which made me feel quite ill.

Carole Theriault

Like you're having a heated seat war.

Graham Cluley

I won. Yeah, funny.

Carole Theriault

Anyway, to Ken's point earlier about regulations, US regulators have been pushing Elon for quite a while to say, hey, look, when you do one of these real-time emergency security updates, can you let us know? Right? And he's been tap dancing around and sidestepping. But I think the heat is on because for the first time he reported to the National Highway Traffic when Tesla started reacting erratically following that software update we started the story with. And not only that, earlier this week Tesla is now recalling the 12,000 vehicles because they think there was a communication error in it.

Carole Theriault

So these people that may have paid extra cash to be able to play with this system, this driving system that they've got, now have to — their car's being recalled.

Graham Cluley

Really? Oh my goodness.

Carole Theriault

Do they get their cash back? I don't know, I wonder.

Graham Cluley

Go and spend it on a different electric car, maybe.

Carole Theriault

I think it's about time there's regulations for this. I think it's good that he needs to report them because we need to know, don't you think?

Graham Cluley

Listen to both of you. You're all just regulations are great, oh, isn't it wonderful having rules? Shouldn't things just be a bit more free and easy, able to whatever we like?

Carole Theriault

Do you want me to cheer this up? Do you want to hear a few Elon Musk jokes?

Graham Cluley

Oh yeah, go on then. I love the idea of a joke about Elon Musk.

Carole Theriault

What is Elon Musk's favorite country? Madagascar.

Graham Cluley

Oh.

Carole Theriault

Why does Elon Musk want so many satellites? He's transmittin' with them.

Ken Munro

Oh, cruel.

Graham Cluley

What dark corner of the web have you gone to to find these?

Carole Theriault

Elon Musk's tunnel digging venture just got approved for expansion. Even more boring than before.

Ken Munro

Ding ding.

Graham Cluley

Bing. Ken, I'm so sorry we invited you on the show.

Carole Theriault

He's loving it, right, Ken?

Ken Munro

The puns are impressive.

Carole Theriault

Thanks, man.

Graham Cluley

From startup to enterprise, 1Password makes it easy for your team to store, generate, and share strong passwords. The less time you need to spend dealing with hacks, phishing scams, lost passwords, the better, right? Well, it's not just for IT and security teams. All kinds of teams inside your company, like finance, HR, legal, marketing— they can also store and share sensitive information such as business credit cards, sensitive documents, and shared logins inside 1Password. Work securely from home or in the office. 1Password allows secure access to logins and important resources anywhere you work. Find out more and try 1Password for free for 14 days at 1Password.com. And thanks to 1Password for supporting the show.

Carole Theriault

Qualys, one of the pioneering providers of disruptive cloud-based IT, were one of the first SaaS security companies, and they deliver continuous critical security intelligence via their Qualys Cloud Platform and integrated cloud apps. Plus, their 21st annual security conference is coming up between November 15th and 18th this year in Las Vegas, but you can also attend online. One cool highlight is you'll get a keynote speech from Chris Krebs, former director of CISA, with further talks around the role of automation in security. Want to learn more? Of course you do! Visit smashingsecurity.com/qualyslasvegas. That's Q-U-A-L-Y-S-L-A-S-V-E-G-A-S. And thanks to Qualys for sponsoring the show.

Graham Cluley

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Ken Munro

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my pick of the week this week is not security related.

Carole Theriault

Good.

Graham Cluley

I have gone back through time and I'm remembering how joyful and pleasurable my formative years were when I was a young man. And you could well have found me—

Carole Theriault

You are so having a midlife crisis right now.

Ken Munro

You could.

Carole Theriault

Every single pick of the week, it's been something from your childhood.

Graham Cluley

You could well have found me with my nose stuck in a terrific series of illustrated books called Usborne's World of the Unknown. And there was a version about ghosts, one about UFOs, and one about monsters. These were illustrated books looking into mythical monsters, sinister sightings, and things that go bump in the night. I flipping loved these books.

Carole Theriault

Oh, there's a lot of pictures in them.

Graham Cluley

There's a lot of pictures and some words. But looking at pictures of UFOs or photographs which claim to be of ghosts or explanations of UFOs and weird monsters from myths, I love them. First published in 1977, the Usborne World of the Unknown books, and my mum and dad must have bought one for me or bought a collection for me. They've recently been republished with introductions from the likes of Robin Ince, Reece Shearsmith, and friend of the show Jon Culshaw. So I've bought them for my lad. And if he isn't interested, I'm going to enjoy checking them out as well. I really used to love these books. I remember, it was my favourite book. And I remember once going into the library at school and telling Mr. Bartlett. I said, "I've got these great books at home all about UFOs and monsters and ghosts."

Carole Theriault

You must have really pissed her off.

Graham Cluley

Oh, just— my heart sank. Anyway, they are now out. I've bought new copies of them, which my mum will not be taking to the library, and I can thoroughly recommend them. And I will include some links where you can see a video of one of the books, a little trailer for a book, as well as find out more about them because they're great.

Carole Theriault

Don't rush at the same time. You don't want to DDoS the—

Graham Cluley

Lots of people do my Picks of the Week, Carole.

Ken Munro

No, I know.

Carole Theriault

A lot of people do. This will be a big hit. Yeah. What more could you want? Yeah.

Graham Cluley

Pick of the Week. Ken, what's your Pick of the Week?

Ken Munro

Well, do you know, one of the things I've missed over the last couple of years has been travelling. I think many people have. Just be able to go to, I don't know, jump on the train, get in the car, or go in the air somewhere. I really missed it. So, this week's pick is for something one of my colleagues, a chap called Chris Towns, flagged up to me. He flagged some luggage to me. Obviously, we need luggage when we travel, but of course, Chris said, well, actually, this is interesting luggage. It's smart luggage. I'm thinking, what? And of course, we had to buy some. You have to have smart luggage, right? Don't you? Yep.

Carole Theriault

Oh my God.

Graham Cluley

Probably not, no. I cannot wait to find out what it can actually do. Does it just follow you like a dog behind you?

Ken Munro

Yeah.

Carole Theriault

Oh, for real?

Ken Munro

Yeah, absolutely. So it's got a little Bluetooth wrist strap that you wear. So you get at the airport and you just toddle off and your luggage comes behind you. I love the idea of it. It just really tickles me.

Graham Cluley

What? This is never going to work.

Carole Theriault

No, no, this is a very good idea for cruises and for older folk that either have tons and tons of huge suitcases or can't actually yank that thing back and forth. Could it jump itself into the cab? That's what I need to know.

Graham Cluley

Can it go up steps?

Carole Theriault

Yeah, it should be like a pogo stick.

Ken Munro

No, I'm thinking the Terry Pratchett books with the luggage with its legs that can go up. No, this one's got wheels. It's not so much fun, but surprise, surprise. We were having a look at it, and I'm afraid it's not quite as secure as it's supposed to be.

Graham Cluley

You don't say. What a surprise.

Ken Munro

So we've got this ridiculous situation where you've got smart luggage that follows you, but someone else nearby with nothing more than a mobile app and no further authentication can steal your luggage and drive off in the other direction. I love that. What?

Carole Theriault

You'd be like, "No, my dress is in there."

Ken Munro

I just love that. It's something as simple as even your luggage can be hacked, man.

Carole Theriault

Yeah.

Graham Cluley

So this is really your unpick of the week, I suppose. You don't really want people to suggest they check this out, it sounds like, until they fix these flaws.

Carole Theriault

I'm a big luggage fan and I'm a ginormous fan of Victorinox luggage. So I'm just putting it out there — if anyone wants real luggage that's not smart, there's some amazing stuff there.

Graham Cluley

Those are the people who make the Swiss Army knives, right?

Carole Theriault

Yeah, they make lots of things: clothing and bags and stuff. But their suitcases I've had for about 10 years and it's killer — light as anything, four wheels, spinny, great.

Ken Munro

Are you sure there's no Bluetooth connection? There's no Wi-Fi on them? Nothing. You sure?

Graham Cluley

Shut up, don't make me paranoid. Ken will find them if they are.

Carole Theriault

Well, next time you're in Oxford, Ken, you can come and, you know, mark everything in my house that happens to have a Bluetooth connection that I don't even know about.

Ken Munro

What could possibly go wrong?

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

It's non-smart. So my pick of the week — so I like a coffee, right? And I also like to travel. And the thing is, I like my coffee, right, from my local coffee roasters. I like the particular kind, and I like it really strong, almost tar-like. But when I travel, it's really hard because you can kind of bring your equipment, your cafetière and stuff. But if you're in a hotel, you don't have a hob to cook on, right? You have — you might have a kettle, but then what? You get — sometimes you get those Nespresso things, or you have instant coffee. So what do you do if you like to laze in bed with a perfect coffee, if you don't want to go out?

Graham Cluley

You could light a fire. You could get some kindling and light a fire in the middle of the carpet, couldn't you?

Carole Theriault

Yes, I could. But there's an easier way. There's an easier way — welcome, or say hello to the AeroPress.

Graham Cluley

AeroPress.

Carole Theriault

So it's kind of, you know — a conventional coffee maker drips hot water into a filter full of coffee grounds.

Graham Cluley

Not really. I don't drink coffee. Is it like a trouser press?

Carole Theriault

Ken, you've seen a coffee machine before because Graham obviously will play dumb here on this.

Ken Munro

I might even confess to having hacked a coffee machine, but are you surprised?

Carole Theriault

No. But normally the water will drip through, right? But the AeroPress pushes the hot water through this kind of ground coffee puck that you create by pushing it together, and you end up with kind of espresso/conventional coffee. It's really good. And the best thing is it's not made of glass — you can easily throw it into your suitcase and bring it along. There's only three small parts, and the whole thing retails about £30 or $30, and it makes darn good coffee. So if you're going to your in-laws or going somewhere on holiday and you like your coffee, this is a good thing to throw in your suitcase. So check out AeroPress, and I'll throw the links in the show notes.

Graham Cluley

This is very interesting. Are you specifically saying that your in-laws provide really rubbish coffee?

Carole Theriault

They tend to combine decaf and caf coffee together, whatever's on sale down at the local store. Oh, and I'm not a ginormous fan of that. I think I'd really like my little jolt of caffeine, but you know, I'm an addict on that front.

Graham Cluley

Let's hope they don't listen to the show. Have you told them this?

Carole Theriault

No.

Graham Cluley

Really hope they don't listen. Good.

Carole Theriault

Don't email them.

Ken Munro

No.

Graham Cluley

Well, that just about wraps up the show for this week. Ken, thank you so much for joining us. I'm sure lots of our listeners would love to follow you online and find out what you are up to. What's the best way for folks to do that?

Carole Theriault

What you're hacking next?

Ken Munro

Oh my gosh. So the blog's at pentestpartners.com. That's always full of crazy things. But you can catch us on Twitter as well as Pentest Partners or The Ken Munro Show.

Graham Cluley

Fantastic. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And we're also on Reddit. Go and check out the Smashing Security subreddit and make sure that you never miss another episode by following Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.

Carole Theriault

And thank you to this episode's sponsors, the fabulous 1Password and the wonderful Qualys, and to our wonderful Patreon communities. Thanks to them all, this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 250 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye, bye-bye.

Carole Theriault

Ken, do you think there'll ever be a smart toupee? Like a hairpiece? A syrup?

Ken Munro

This is just great, isn't it? It's the weird stuff.

Carole Theriault

Yes, the weird stuff I like too.

Graham Cluley

What would a smart toupee do? Would it—

Carole Theriault

Comb itself?

Graham Cluley

Would it slowly change its hue?

Ken Munro

Oh my good God. There is a patent for a smart wig.

Carole Theriault

Oh, smart wig.

Graham Cluley

What about one which automatically gets longer and then gets shorter to make it look like you've had a haircut?

Ken Munro

Oh, post-corona.

Graham Cluley

Didn't Terry Wogan have a series of toupees for that purpose?

Carole Theriault

You need to get a wig in to the lab, a smart wig, and then we'll do a show.

Ken Munro

Sony patented it in 2013, right? So whether it actually came to market, I don't know, but it's supposed to have a Wi-Fi transceiver and Bluetooth too.

Carole Theriault

It's like, I'm over here.

Ken Munro

I remember we were looking at some hair straighteners a while back and they were smart. We're like, why do you need smart hair straighteners? And you could do crazy shit. So if someone left them plugged in, so they'd go off, but then you could remotely outside the house, turn them back on again. If they're on the floor, they'd burn shit. Unbelievable.

EPISODE DESCRIPTION:

Fishing fanatics find themselves in deep water, Teslas go haywire after an update, and is there actually some good news about IoT?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ken Munro.

Visit https://www.smashingsecurity.com/251 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Ken Munro.