Join us as we delve into the world of unexpected security breaches and legal loopholes, where your robot vacuum cleaner might be spying on you, and ordering a pizza could cost you your right to sue.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- We hacked a robot vacuum — and could watch live through its camera - ABC News.
- Their Uber Driver Crashed. A Pizza Order Unraveled Their Injury Lawsuit - NY Times.
- A court blocks a couple from suing Uber over a crash, citing terms and conditions - NPR.
- Taken for a Ride: Parents Can't Sue Uber Over Crash After Daughter's Uber Eats Order - Law.inc
- New Jersey Court Bars Uber Crash Victims from Lawsuit, Citing App Agreement - The Legal Journal.
- Couple Seriously Injured in Uber Crash Blocked From Court by Uber Eats Terms - The Insurance Journal.
- Disney axes bid to stop wrongful death lawsuit over Disney+ terms - BBC.
- Sherwood - BBC iPlayer.
- Chocolate Guinness Cake - Nigella.
- The Best Banana Cake I've Ever Had - Sally's Baking Addiction.
- My Favorite Carrot Cake Recipe - Sally's Baking Addiction.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- SentinelOne - secure and protect every aspect of your cloud in real-time.
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
UNKNOWN. Sean Kelly didn't know that the robot could speak to him. So he said, hello, Sean, I'm watching you. It was able to say, take me to your leader. Smashing Security, episode 388, Vacuum Cleaner Voyeur and Pepperoni Packed Blocks Payout with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 388. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Graham. Well, you're having trouble.
GRAHAM CLULEY. We discussed before we hit the record button that you were just going to say—
CAROLE THERIAULT. No, no, you, that's not true. We didn't discuss it. You just said, do this. And I just thought, no. All right.
GRAHAM CLULEY. Okay. Well, what do you want to do?
CAROLE THERIAULT. Well, I just want to see how you were.
GRAHAM CLULEY. I'm all right.
CAROLE THERIAULT. You have a big trip coming up. A little stressed, maybe?
GRAHAM CLULEY. Well, by the time people are hearing this, I will be either in the States or on my way back from the States. I'm making a lightning visit to the Rochester Security Summit where I'm giving a keynote. Be very, very exciting.
CAROLE THERIAULT. Yes, Rochester.
GRAHAM CLULEY. Yeah, not Rochester in England. This is Rochester, New York State.
CAROLE THERIAULT. Well, I'm sure there's going to be a welcoming parade for you.
GRAHAM CLULEY. Then I'm off to Oslo, then I'm off to Stockholm. Never stops.
CAROLE THERIAULT. Stop showing off.
GRAHAM CLULEY. I'm not showing off. Well, okay, I am a bit.
CAROLE THERIAULT. Yeah, you are.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Let's kick the show off, shall we? But first, let's thank this week's wonderful sponsors, 1Password, Vanta, and SentinelOne. Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY. I'm gonna be explaining how security can really suck.
CAROLE THERIAULT. And I'm gonna talk about how a pizza can screw everything up. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, I want to take you by the hand and drag you halfway around the world to Brisbane, Australia.
CAROLE THERIAULT. That's a long handhold.
GRAHAM CLULEY. It's a long way to hold the hand. It may get a little bit clammy. You can let go if you wish, anyway.
CAROLE THERIAULT. Yeah, it's post-COVID now. We don't really hold hands. That's not— that doesn't— we don't do that.
GRAHAM CLULEY. No, you didn't hold hands during COVID I hope. Now you are allowed to hold hands again, I believe. Anyway, wash your hands, everybody. Sean Kelly is a chap down there in Brisbane, Australia. He's a dad. He's got a lot on his plate. He's got—
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. Twin toddlers.
CAROLE THERIAULT. Oh, maybe he does have a lot on his plate. That's not easy.
GRAHAM CLULEY. A 5-month-old baby.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. A job. And a wife. What's a guy to do? What's a guy to do in that situation?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. His house must be an utter tip, full of baby vomit and drool and smelly nappies, and then there's the kids to think about as well. Oh, it must be absolutely horrific. And what would any sane man do in such a situation? Well, what would your sane man do in that sort of situation? Carole, what do you think?
CAROLE THERIAULT. What, get a cleaner?
GRAHAM CLULEY. Well, you could get a cleaner. That's one way. Yes, you could get a cleaner. Or you could do what the typical man does, which is spend a ton of cash on a robot vacuum cleaner.
CAROLE THERIAULT. Yes, a Roomba.
GRAHAM CLULEY. Other makes are available.
CAROLE THERIAULT. Yes, of course there are.
GRAHAM CLULEY. Other makes, yes. But yeah, I suppose Roomba is the Hoover. It's become the generic term.
CAROLE THERIAULT. The Kleenex.
GRAHAM CLULEY. Yes. So, you've done what most Australians do really is they just throw money at a problem, hope it goes away. The more money, the more tech you can introduce into your life, the better. He spent $2,500 Australian dollars, which is approximately $1,600 US dollars.
CAROLE THERIAULT. I know somebody that bought a sweater once for $1,000.
GRAHAM CLULEY. A $1,000 sweater.
CAROLE THERIAULT. A $1,000 sweater. You know them too.
GRAHAM CLULEY. What was it made out of?
CAROLE THERIAULT. I don't know, some kind of very fancy wool, probably alpaca or something.
GRAHAM CLULEY. Jeepers.
CAROLE THERIAULT. Anyway, $1,600.
GRAHAM CLULEY. Yes, huge amount. He must have felt pretty confident that he'd made a good choice because he'd bought a top—
CAROLE THERIAULT. Oh, he's loaded.
GRAHAM CLULEY. Well, he'd bought a top-of-the-line vacuum cleaner, the Ecovacs Deebot X2. Sounds professional. It does, doesn't it? And you think, oh, you know, as I've got their top model, it's going to be super secure. And for months and months he was using it. He had the little app on his smartphone. He was loving it, scuttling around, you know, obeying his every command.
CAROLE THERIAULT. How dull do you have to be to sit around and watch your vacuum on your phone clean your house? Room 9, 99% done.
GRAHAM CLULEY. I can kind of identify with that.
CAROLE THERIAULT. Oh, you'd love that.
GRAHAM CLULEY. I can imagine checking in with it, yeah. I would attach some googly eyes to it. I just want to give it a bit of a personality, a bit like one of those Henry the Hoover things. I'd want it to be cute.
CAROLE THERIAULT. You wanna put a little mop on the top to see if it looks like it's got hair?
GRAHAM CLULEY. Yeah, and I would worry that it gets stuck under the piano or, you know, all the time. I would care for it. Because I don't have a cat, I don't have a dog, Carole. So I'd worry—
CAROLE THERIAULT. Yeah, so why not love your vacuum? Okay.
GRAHAM CLULEY. Why not? Why not? So months and months he was using this. Everything seemed fine until he got contacted by a reporter from ABC News.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. In Australia.
CAROLE THERIAULT. Australia.
GRAHAM CLULEY. Who asked if he wanted to take part in a little experiment.
CAROLE THERIAULT. Okay. I don't know. I think this would be a scam right away. I'd be like, what do you mean?
GRAHAM CLULEY. Oh no, this is— There's no criminals in Australia, Carole. There's no— Hang on a minute.
CAROLE THERIAULT. No, but—
GRAHAM CLULEY. Hang on a minute.
CAROLE THERIAULT. It's kind of weird that the media calls you up out of the blue and says, hey, you're randomly selected. It's not the '80s.
GRAHAM CLULEY. Well, they had somehow determined that he had one of these robot vacuums.
CAROLE THERIAULT. Right, right, right.
GRAHAM CLULEY. And they said to him, you know, it's got a security flaw in it. Which means that anyone can see and hear your every move via the robot vacuum. A hacker could seize control of its video camera and microphone, so it can see you in your pajamas.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Or worse.
CAROLE THERIAULT. So if I were the vacuum owner, I'd be like, "Could or has?" There's a big difference.
GRAHAM CLULEY. Well, that's the experiment, isn't it? That's the thing, isn't it? Is this theoretical or not? I mean, I have to ask, why does a robot vacuum even need a camera and a microphone?
CAROLE THERIAULT. So you can tell it off and it can respond and thank you for the advice?
GRAHAM CLULEY. Do you think that's what it is?
CAROLE THERIAULT. No, I have no idea.
GRAHAM CLULEY. You think it's voice activated?
CAROLE THERIAULT. So yeah, so you can probably go, "Go to bed." Because your girlfriend's come over, right? And it's busily vacuuming the bathroom.
GRAHAM CLULEY. Make yourself scarce. Yes.
CAROLE THERIAULT. Go home.
GRAHAM CLULEY. That's what you do. If your girlfriend's coming over, you tidy up your house. And then when she arrives, you say, "I'm sorry it's such a mess." Because your girlfriend will see all the mess which you haven't noticed when you did your tidy up.
So similarly, if you have a robot vacuum cleaner, you set it to work for 8 hours, and then you will say to the person coming round for the date or whatever, you say, I'm so sorry, I haven't had time to clear up. Although you have cleared up because she will see mess. And so that's sort of, you know, there's a level of mess that you know.
CAROLE THERIAULT. I don't even know what you're talking about. I have no idea.
I just right now I want to know, has this happened? Because that's very mortifying because you've had this for months and months in your house. You've been strutting around naked, presumably having a few rows with your other half. You know, dealing with screaming babies everywhere, kids. How does he have young babies and the thing hasn't been jammed with, you know, some kind of food product?
GRAHAM CLULEY. Like pacifiers or all that goo they eat. Yeah, I mean, you know, babies make a lot of mess.
But you need to know, is this a serious problem? Am I going to have to wear a balaclava while I go around the house? Am I going to have to invest in a dustpan and brush?
CAROLE THERIAULT. Maybe you can get your money back.
GRAHAM CLULEY. Yes. Maybe you can. Well, this flaw was not just theoretical. It had actually been exploited by an independent security researcher called Denis Geese, or Geese. I'm not sure.
His hobby is hunting for flaws in robot vacuums. That's what he likes to do.
CAROLE THERIAULT. I love that.
GRAHAM CLULEY. He loves to have a little meddle and a fiddle with a vacuum. And he's looking for security holes.
He's looking for ways to meddle around with them. And he discovered a method to remotely exploit all of Ecovacs' robots, not just the vacuum cleaners, but also they do lawn mowers as well.
CAROLE THERIAULT. What?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. That's much more scary.
GRAHAM CLULEY. It's a similar technology.
CAROLE THERIAULT. Because it's got blades. Yeah, but it doesn't— it has blades, right?
It's not just a suction to pick up little dust and stuff and wrappers and whatever else. It has blades that cut grass.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. You wouldn't want that hunting your cat down.
GRAHAM CLULEY. But I think most people don't go sunbathing in the back garden, do they, when there's a robot lawnmower going across the grass, do they? I mean, you kind of hear it coming, I would think.
CAROLE THERIAULT. It depends how big your garden is, I imagine.
GRAHAM CLULEY. La-di-da.
CAROLE THERIAULT. You could have your headphones on, your noise-cancelling headphones.
GRAHAM CLULEY. I suppose. It's a very good point.
I think ABC News have investigated the wrong thing. Because they concentrated on the DEEBOT X2. When they should have got the lawnmower instead. Okay, so this Geese guy, I'm gonna call him Geese.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. This Geese guy discovered a way to exploit these robots, including the vacuum cleaners via Bluetooth, gaining access to sensitive information, functionalities. Oh, including the onboard camera and microphone.
CAROLE THERIAULT. Bluetooth, Bluetooth.
GRAHAM CLULEY. Ah, I knew you'd say that. What's your problem?
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. No, no, no, no, well—
CAROLE THERIAULT. Don't you need to be within a very small range?
GRAHAM CLULEY. Interesting, isn't it?
CAROLE THERIAULT. I don't know what happened to you.
GRAHAM CLULEY. Interesting. I thought you'd fall into my little bear trap there. Yes, normally— that's the thing, isn't it, with Bluetooth? Normally you think it's hard enough for me to connect my Bluetooth headphones with my Bluetooth laptop when I'm sat 2 feet away from it.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. How's a hacker going to connect to my robot vacuum cleaner? Is a hacker going to get underneath my sofa?
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. How are they gonna do it?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Turns out they could do it.
CAROLE THERIAULT. Bluetooth extender?
GRAHAM CLULEY. No, no, no.
CAROLE THERIAULT. Okay. Daisy chain Bluetooth?
GRAHAM CLULEY. No, no, no, no, no.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. You're gonna find out.
CAROLE THERIAULT. I was guessing.
GRAHAM CLULEY. Oh yeah, well, no, it's good. So it's a problem, as you're gonna find out, because they don't have to be in the same room or even in the same office or home.
CAROLE THERIAULT. Oh my gosh.
GRAHAM CLULEY. Let me tell you. When they eventually decided to do this test, this experiment, the wife— remember I mentioned the wife earlier— the wife said, no, you're not doing this with ABC News. You're not doing this in our house. The place is a tip. We're not having the cameras in here. No way are we doing this. Plus the privacy concerns. You can take your robot vacuum cleaner, you nerd, to your office in downtown, and they can do the experiment there. Because in Sean Kelly's office, they've got a little office kitchen. So he took his robot there. And that is on the 4th floor, right?
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Of a tower block.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. And the reporter who was doing the hacking was over the other side of the street at ground level in a park.
CAROLE THERIAULT. Jesus.
GRAHAM CLULEY. And he was able to gain Bluetooth connectivity with this vacuum cleaner. I mean, that's pretty impressive.
CAROLE THERIAULT. What can you do with the vacuum once you've taken control? Vacuum nonstop?
GRAHAM CLULEY. Well, you can do—
CAROLE THERIAULT. I'm just trying to think of the world-ending scenario.
GRAHAM CLULEY. Well, the main thing I think, Carole, is the privacy angle of taking over the camera and the microphone.
CAROLE THERIAULT. Oh, of course. It's vacuuming all night. I can't sleep!
GRAHAM CLULEY. This— yeah, it's a denial of sleep attack. This researcher even said he could brick the robot, which is pretty much how any robot vacuum responds when it encounters a stray sock anyway. But he could, you know, completely clog it up and stop it.
CAROLE THERIAULT. Ah.
GRAHAM CLULEY. So, this Geese chap, let's go back to him, right? He found this vulnerability in these Ecovacs robots.
CAROLE THERIAULT. Yeah, yeah, yeah.
GRAHAM CLULEY. And in the vacuum cleaner. He told Ecovacs responsibly.
CAROLE THERIAULT. Yep, as you're supposed to.
GRAHAM CLULEY. About the vulnerability in December 2023.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And by this August, still hadn't been dealt with. They didn't respond to him. And so he decided, well, I'm going off to Vegas, I'm going to this hacking convention, I'm gonna talk about it there. He didn't share too many details, 'cause he knew the security hole still hadn't been addressed. But that's how ABC News found out about it. And they contacted this researcher. And with Sean Kelly's permission, they hacked his robot vacuum.
CAROLE THERIAULT. Live on air!
GRAHAM CLULEY. Well, I don't—
CAROLE THERIAULT. It's just very funny. I just think a lawnmower would've gotten a bit more headlines. I just really think.
GRAHAM CLULEY. So they were able to view shocking footage of Sean Kelly making a cup of coffee in his office kitchen on the fourth floor of this tower block. But they were also able to speak to him.
Sean Kelly didn't know that the robot could speak to him. So it was able to say, "Hello, Sean. I'm watching you."
CAROLE THERIAULT. It did.
GRAHAM CLULEY. Which freaked him out.
CAROLE THERIAULT. Imagine with your vacuum with the googly eyes.
GRAHAM CLULEY. Yes! Take me to your leader.
You'd say, "I'll get the president on the phone immediately." Would you really be frightened?
CAROLE THERIAULT. Wouldn't you—
GRAHAM CLULEY. Of course you would.
CAROLE THERIAULT. Yeah, you probably would.
GRAHAM CLULEY. You would be frightened. Because you're thinking, "This is the singularity."
CAROLE THERIAULT. This is all the AI coming to life. Or who's on the other side of it also is maybe the big question.
GRAHAM CLULEY. Exactly. This is Terminator 2: Judgment Day.
This is how it all began. Skynet.
GRAHAM CLULEY. So, initially, Ecovacs said, "Look, this isn't a problem." They said this requires specialized hacking tools. It requires physical access to the device. An ABC News reporter said, no, it doesn't. We're just a TV news reporter. All I needed was a smartphone. I haven't even seen the vacuum cleaner. I've done this from the park.
GRAHAM CLULEY. And now Ecovacs are taking it a bit more seriously. Now, you may be thinking, well, why didn't this Sean Kelly guy check to see if his vacuum was certified for good security? Has it got one of these sort of kite marks? There are regulators around the world saying this device has reached this cybersecurity standard. You know, these testing standards that exist. Have you heard of these, Carole, in various industries?
CAROLE THERIAULT. I have heard of them. Some of them happen to be very, very, you know, on board.
But I didn't know there was any mandated certification that were required with these devices. I suppose it depends on which jurisdiction you're in.
GRAHAM CLULEY. I think more and more of these are actually becoming part of— In Germany, there's an organisation called TÜV. Have you ever heard of TÜV?
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. TÜV, umlaut V. And they certified that this Ecovacs Deebot X2 met standard ETSI EN 303 645.
And the standard is being adopted by, for instance, Australia's cybersecurity strategy. There are organizations around the world and regulators are saying, if you're getting IoT devices, they have to meet certain standards.
GRAHAM CLULEY. Now, look out for these certifications. And most home robotics companies, including Ecovacs and the Roombas and the Xiaomis and the iRobots of this world, they routinely have products certified to that standard.
And many countries say require it as a baseline requirement, but it seems it's possible to get certified. Someone made a boo-boo.
GRAHAM CLULEY. Well, who's certifying the certifiers? Because if Germany's TÜV have given it their stamp of approval, and they're saying, "We are confident," this is what they said, they said, "We're confident our tests met all the aspects of this standard."
Yeah, because the standards are stipulated to them.
CAROLE THERIAULT. Right? Right, so it doesn't mean nothing can hack this or no one can break this.
It just means, you know, we tested everything on the list.
GRAHAM CLULEY. This is the problem, the standards aren't actually doing the job because the consumer—
CAROLE THERIAULT. Well, in this very, very, very niche example of a rogue vacuum cleaner with a Bluetooth, I don't know how the Bluetooth worked from across the park. I don't get that, but—
GRAHAM CLULEY. Well, I think maybe it was good weather or something. Who knows? Who knows how it happened? But anyway, it happened. So it can happen. And by the way, the Bluetooth was only for the initial compromise, and once that was done, the researcher in Germany was able to see everything which was going on and hear everything and send it further commands.
So it was only for the initial compromise that you had to be within maybe 60 feet or whatever it was. So I think for consumers, it means the cybersecurity standards are failing. Clearly the standards are insufficient because there are oodles of vulnerabilities which are being found in these devices and yet they're still carrying these kind of checkmarks.
CAROLE THERIAULT. "Oh. Well, I'll have my husband call you later." Well, poor old Sean Kelly.
GRAHAM CLULEY. He hasn't thrown out his robot vacuum cleaner.
CAROLE THERIAULT. Just put a bit of tape and—
GRAHAM CLULEY. He's waiting for the update. Apparently a security update's gonna be pushed out in November. And for now, he's just tossing a little dishcloth over it.
Yep. He says, to cover up the camera.
CAROLE THERIAULT. What about the sound thing? He's not thought about that?
GRAHAM CLULEY. Maybe he's just putting on some good old-fashioned Australian rock. Those poor kids. Drown it out.
Oh well, they're Australian kids. They'll be fine. Carole, what's your story for us this week?
CAROLE THERIAULT. So this is the story of Georgia and John McGinty. Oh, yes. So it's January 2022, and Georgia and John, a New Jersey couple, are packing for a ski trip, which they're gonna go on with their 12-year-old daughter.
You know, this is just after the holidays, and these guys are gonna go hit the slopes. So everyone is madly packing for the slopes. Lovely.
You know, bring the goggles, the zinc cream, the hot shots, the sunnies, all the stuff. And that's when their daughter, watching her folks dash about the house, says something to the effect of, "Mom, Dad, I'm starving! Can we order pizza? There's no food in the house."
GRAHAM CLULEY. For God's sake.
CAROLE THERIAULT. So Mum's okay, of course, yes, yes. And tosses over her phone and tells her to hit up the Uber, right? And buy a pie.
GRAHAM CLULEY. What? You don't call Uber for a pie. Well, a pizza pie. You call Uber for a lift.
CAROLE THERIAULT. Yeah, but no, no, Uber does Uber Eats. What do you?
GRAHAM CLULEY. Oh, it's just Just Eat and Deliveroo.
CAROLE THERIAULT. Just Eats, DoorDash, all that stuff. Yeah. Oh, okay.
GRAHAM CLULEY. Okay. Okay. So there's an Uber food delivery service. Okay.
CAROLE THERIAULT. Well, it makes sense, right? There are already people in the car. Why not?
GRAHAM CLULEY. Does it mean that people, when they catch an Uber on a journey, they can smell Chinese food which is in the boot?
CAROLE THERIAULT. Yeah, someone's got some kimchi and someone's got some spaghetti. There's a burger and you get to have all that. Right. But I do think it's probably a pretty normal experience with your tween, right?
If you are running around busy, dinner's late, they're hungry, you might throw them a phone and just order something. Anyhow, family go skiing and no one gets injured despite it being quite a dangerous sport.
Thank goodness. It's not as dangerous as riding this particular Uber car in New Jersey on a cold March evening. Because this is a few months after the pizza.
The McGintys have gone out for dinner. Yes. And Georgia orders an Uber home, right? And they're nattering in the backseat of the Uber, and bam! The driver T-bones another car while they're in the backseat.
GRAHAM CLULEY. A T-bone steak? Well— Is this an Uber Eats car, or was this just— Plain Uber taxi crash.
CAROLE THERIAULT. I don't know if that's a good joke to have at this stage, because when you hit a car dead on a T— That's not good.
GRAHAM CLULEY. Okay, so the taxi, the Uber taxi crashes into another car and it—
CAROLE THERIAULT. Crashes head on to another car. Exactly. Okay, that's bad. Now, the question I have for you at this stage is, do you wear seatbelts in cabs and in Ubers?
GRAHAM CLULEY. Truth. It depends on how much of a maniac the taxi driver is.
CAROLE THERIAULT. Oh, you might put it on surreptitiously if they start driving too fast?
GRAHAM CLULEY. Oh, I definitely have. Yeah. When I think, what the— 'bloody hell is this guy doing?' Yes, I have.
CAROLE THERIAULT. Okay, but not as a matter of course, right?
GRAHAM CLULEY. Probably not.
CAROLE THERIAULT. And I think that's probably fairly normal. Of course, I think it must be a legal requirement. Yeah. Do. Yeah. Okay, from now on, because this was a bad accident. I couldn't find information actually that specified whether the McGintys were wearing seatbelts or not, but the injuries are so bad, whatever, draw your own conclusion. But Ms. McGinty, 51, fractures in the spine and ribs among other injuries, unable to work for over a year. Oh, wow. And Mr. McGinty, 58, experienced fractured sternum, serious breaks in his left arm and wrist, has not fully regained use of his wrist.
And they say, not surprisingly, that the incident had devastating impact on their health, emotional stability, finances, and the ability to care for their 12-year-old daughter. Right. Yeah. So months go by, and the healing phase has taken its sweet, sweet time. And this may have given the McGintys time to noodle out and process this whole accident. You know, what happened? It's almost a full year now after the incident. February 2023, we're now. So the duo come up with a plan. Let's just sue Uber, right? It was their driver, the Uber driver that crashed and caused the injuries. And Uber has liability insurance for this type of thing.
GRAHAM CLULEY. So they're suing for the harm that's been done to them.
CAROLE THERIAULT. Damages, for extensive injuries, compensation.
GRAHAM CLULEY. And presumably there may be medical bills and things as well.
CAROLE THERIAULT. Operations and, you know, physiotherapy. It's weird, isn't it?
GRAHAM CLULEY. Because here in England, you'd never think of suing. You'd think, oh well, I'll just get on then. But I guess in America, everyone sues everyone.
CAROLE THERIAULT. I don't know. You don't? Depends how bad. I mean, what if you were in an Uber, you know, with your mum or son or daughter or something and someone happens to die? The driver was a bit tired. Oh, he was a little drunk. Oh, well.
GRAHAM CLULEY. There he was making pasta in the front seat while he's driving along.
CAROLE THERIAULT. Yes! He had a toaster oven under the side.
GRAHAM CLULEY. He had his George Foreman grill.
CAROLE THERIAULT. So the McGintys hit the New Jersey court seeking compensation for their extensive injuries. Right. The amount wasn't disclosed, but I imagine it was a pretty sum. Yeah, yeah. And Uber rather than agree to all this, filed a motion to compel arbitration. And this would mean that the McGintys wouldn't get their day in court.
They would have to go into a meeting room and do this all privately. And Uber said that the reason that the McGintys had to do this was that they had already agreed to Uber's terms and services. Right. When the daughter ordered that pizza, what Uber are claiming is when she signed and said, "Yeah, yeah, yeah, terms and conditions, I just want a pizza," they pre-agreed to arbitration in any case they would undertake with Uber. No.
GRAHAM CLULEY. So the Uber conglomerate, the huge Uber organization rather than just the division which brings you chicken wings?
CAROLE THERIAULT. Exactly. And the McGintys are like, "What does pizza have to do with a cab journey?" Well, it's all under, as you say, all under the Uber flag. So Uber is trying to enforce a binding arbitration clause. And the problem is the McGintys are saying, we did not agree to that directly. You know, prove it. And in fact, my daughter did it. So what are you doing? Yeah.
GRAHAM CLULEY. Yeah, it was the daughter. Well, so they're saying, yeah. If they were to go to arbitration with Uber's lawyers, and Uber said, well, we'll offer you this much. Couldn't they just have said, well, no, we'd like a bit more, please? Couldn't they just have carried on arguing until the amount got to the amount which they want?
CAROLE THERIAULT. I will explain why that is a bit more painful than it sounds. Uber appeals, right? Says, look, you know, we had this thing. And the lower court, New Jersey lower court, thinks about it.
And by November, so 10 months after they kicked off this whole thing, the lower court decides in favour of the McGintys, denying Uber's motion to compel arbitration. And the lower court cites that Uber failed to clearly or unambiguously inform the user of the waiver to the right to pursue claims in a digital forum.
GRAHAM CLULEY. Quite a brave thing for the lower court to do because they're never going to get Uber Eats delivering them any pizza after making a decision like that.
CAROLE THERIAULT. Did anyone spit in this?
GRAHAM CLULEY. Did anyone spit in this? Yeah, exactly. Yeah, seems to have some special different kind of topping on this one.
CAROLE THERIAULT. Yeah. Yeah, so woohoo for the McGintys, right?
GRAHAM CLULEY. Woohoo! Very good. But wait, U-turn!
CAROLE THERIAULT. It was only a temporary victory because Uber did not like this ruling and hit the appeals court, who ended up reversing the lower court's decision and sided with Uber, saying that Uber's Ts and Cs were valid and enforceable. So the McGintys are now back in arbitration, and that's when I was wondering, why is that so bad?
What do the courts have that arbitration doesn't? So according to this site, law.inc, forced arbitration clauses are powerful tools companies use to limit the legal exposure and public accountability. No media. There's way heavier limitations on evidence gathering.
So they would not be able to compel as much information from Uber's side as they would in a court of law. They're much more restricted appeal options if they don't like the decision. So I don't think you can just take it to court if it doesn't work out your way.
And in arbitration, you have to share the fees. So if they're exorbitant, Uber's unlikely to bat an eyelid while the McGintys might have to remortgage. And typically, from what I read, arbitration firms are already pre-selected inside the Ts and Cs.
So imagine if they're super expensive or, you know, obviously they're getting paid by Uber, so. Yeah. Now you may wonder what other companies might have this type of clause in their Ts and Cs.
GRAHAM CLULEY. And what you're going to tell me is all of them.
CAROLE THERIAULT. Well, I asked Perplexity.ai to give me a list, right? And it went through and it said Amazon, Apple, Google, PayPal, Netflix, DoorDash, Airbnb. So think about it, to your point, right?
You rent a house where you're spied upon by a vacuum. Right. And maybe the vacuum or the lawnmower murders someone in your party and you can't take them to court.
GRAHAM CLULEY. Presumably, you can't even use the hacked vacuum cleaner camera feed to have footage of the murder taking place.
CAROLE THERIAULT. The arbitrator will be like, nope, we don't want to look at that. So the big questions according to Law Inc., which I thought were interesting.
So can minors legally agree to terms of service? So the validity of a minor's acceptance of a contract is a complex issue, it says, and it depends on various factors. But one of the things that will be brought up is, as the mum allowed the daughter to use the account, it could get murky.
GRAHAM CLULEY. Because it was her, it was the mum's phone and it was the mum's login, presumably. Yep. And she gave permission.
CAROLE THERIAULT. But see, that's very scary because loads of parents hand their phones over to their kids to do stuff.
GRAHAM CLULEY. And we need to get our kids to sign a legal document before grabbing our phones, holding them legally responsible for any upcoming legal fees and any other damages which may occur. The kids are going to have to pay it. They can be the ones who are bankrupted.
CAROLE THERIAULT. Now, but there is maybe a silver lining here to this story, okay? Because this is not the first case of this ilk.
In 2023, Jeffrey Piccolo filed a wrongful death suit against Disney and the owners of a restaurant after his wife had died from a severe allergic reaction following a meal at Disney World in Florida. And Disney argued, the same as Uber did, that the case should go instead to arbitration because of a clause in the terms and conditions, get this, of its Disney+ streaming service.
And get this double, Mr. Piccolo had signed up to a 1-month trial in 2019, 4 years prior. One month. That was the agreement that Disney were citing as why he would not be allowed to sue us in court, but he'd have to go to arbitration.
GRAHAM CLULEY. This is why we should always use disposable email addresses when signing up for some of these services. So we should have different email addresses for every service so they can't think, hang on a minute, this person suing us here, 7 years ago, he had a week-long trial.
CAROLE THERIAULT. Of XYZ product. That's a really good suggestion, I think. I didn't think of that. I think that's brilliant.
GRAHAM CLULEY. Well, thank you very much.
CAROLE THERIAULT. That's me. There is a silver lining here because there's been a backlash and Disney has backed down, and now the matter can be heard in court. So that has interesting potential effects for this Uber case.
GRAHAM CLULEY. Do you think they backed down because of the bad publicity? Yes. You know what, this— yeah, right. So that's what we have to do. We have to create a big stink about this Uber and Uber Eats nonsense. Yeah.
CAROLE THERIAULT. Go fart in Ubers. Everyone go make a big stink. Go do that. Follow, follow Graham's advice and parp in Ubers.
GRAHAM CLULEY. Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time.
Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.
Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.
So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing.
That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.
Support for today's podcast comes from SentinelOne, which secures and protects every aspect of your cloud in real time. Discover all your assets and deploy AI-powered protection to shield your cloud from build time to runtime.
On top of that, SentinelOne offers threat hunting, visibility, and remote administration tools to manage and protect any IoT devices connected to your network. Looking for a cloud-native application protection platform?
SentinelOne is your ultimate CNAPP solution. Go to smashingsecurity.com/sentinelone for more information and a free demo.
See what a flexible, cost-effective, and resilient cloud security platform can do for your organization with SentinelOne. That's smashingsecurity.com/sentinelone.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily. Better not be.
Well, my Pick of the Week this week is not security related. Good.
My Pick of the Week is a TV show that I've just recently started watching. I haven't seen all of it yet, but it's quite good.
And I thought, oh, this is quite good. And I might be a couple of years behind the curve.
Maybe other people have been watching it for a while.
CAROLE THERIAULT. You definitely are not that. I would say decades.
Oh, right.
GRAHAM CLULEY. The TV show is called Sherwood. Have you seen Sherwood, Carole?
No. Sherwood.
It's got a galaxy of stars in it. People like David Morrissey, Leslie Manville, Robert Glenister, Stephen Tomkinson.
And it is set in an old mining village in Nottinghamshire. Okay.
Where a couple of murders take place. It's set in the present day, but something which is hanging over like a shadow over the village is the miners' strike, which famously happened in Britain in 1984 and 1985 under Margaret Thatcher.
And this is something which fractured communities, and it was a difficult time.
CAROLE THERIAULT. It was a big deal.
GRAHAM CLULEY. It was a big deal. And there are people who continue to hold a lot of animosity because of that strike.
And in this particular village, there's a split between the people who backed the strike and people who continued to work during the strikes. There's a lot of animosity in this village. And that is the backdrop against a couple of murders and old resentments.
And there's a suggestion that there were some undercover cops embedded inside the community back in the '80s.
CAROLE THERIAULT. Oh, I've read this. I've read that that's true. Yeah, they infiltrated. I think it was a Telegraph podcast all about that. It was really interesting.
GRAHAM CLULEY. That's right. There was a division, I believe, inside the Met Police who were joining different political groups undercover.
Some of these policemen ended up having relationships and even having children. Shocking. And their partners didn't know that they were actually secretly policemen reporting back to HQ what was going on in various movements.
CAROLE THERIAULT. Their wives didn't know. Like, their legit wives. It's awful.
GRAHAM CLULEY. So, it's quite good. Really good acting, some intrigue there. I'm just watching Series 1. There's already a Series 2, which has just come out, I think.
But it's quite good. And so it's called Sherwood, and I am watching it on the BBC iPlayer. And that is my pick of the week.
CAROLE THERIAULT. Very good. I'll add it to my list.
GRAHAM CLULEY. Thank you very much. What's your pick of the week?
CAROLE THERIAULT. My pick of the week, Graham, is cake. It's cake.
GRAHAM CLULEY. Sorry? What, just the concept of cake?
CAROLE THERIAULT. Well, no, not the concept of cake. But are you a cake fan generally? Cake, take it or leave it? Love cake, hate cake?
GRAHAM CLULEY. Cake it or leave it. Well, some cakes are better than others. I like a lemon cake. Coffee cake, I like.
I like an Eccles cake. Does Eccles cake count as cake in your definition?
CAROLE THERIAULT. Oh, I have no idea. I don't even know what that is.
GRAHAM CLULEY. Some crazy animal. Oh, it's delicious.
CAROLE THERIAULT. But you know, there's some cakes that are very sweet and gooey icing, lots of layers, sprinkles, candies. That's not my thing at all.
Some people love that, not so much. That's not for me. I like good old-fashioned cake, like grandma cake, like carrot cake, you know, or banana cake. Yeah, I like that, you know, or chocolate cake, that kind of thing.
And one of the problems — I was just talking to someone on the weekend, they were saying, look, I don't bake very often, she said, but I wanted to bake and I can never tell if a recipe is good or not. And we were talking about how it's like reading sheet music. If you can read music, looking at it makes sense. And if you don't, gibberish.
So I'm happy to report, because I've been making a lot of cakes recently for people's birthdays and neighbors and stuff, and I've made 3 cakes. None for you. And they're not complicated, and they're not super expensive, and they're flipping delicious.
And I kind of followed the recipe exactly, so I can tell you they work. And I'm gonna put 3 of them in the show notes for you.
GRAHAM CLULEY. Oh, are you?
CAROLE THERIAULT. Graham, you could make these. You could make this for your wonderful partner.
GRAHAM CLULEY. Yeah, we're both trying to, well, you know, we're just trying to be a bit healthier at the moment. Are these healthy cakes?
CAROLE THERIAULT. Yes, there's a chocolate Guinness cake. Delicious. There's a banana, chocolate banana bread cake.
GRAHAM CLULEY. Right. Yum. Yeah, that sounds healthy.
CAROLE THERIAULT. And carrot cake.
GRAHAM CLULEY. Oh, well, carrots. There can't be anything— Yeah, carrots must be healthy. Right. Yeah. Okay. All right.
CAROLE THERIAULT. Just have a very thin slice. Yeah. Thin slice. Anyway, so cake, 'cause cake is great and sometimes you need cake and I needed cake and I had cake and I loved my cake. So that's my pick of the week.
GRAHAM CLULEY. Cake. Next week, Carole's pick of the week will be something like oxygen. I mean, is the standard of pick of the week deteriorating? I have to wonder.
CAROLE THERIAULT. Ah, how dare you? I have great ones.
GRAHAM CLULEY. Anyway, excellent. Thank you, Carole. I look forward to hearing from listeners how great your cake is. Exactly.
CAROLE THERIAULT. Thank you, listeners. I know you're on my side.
GRAHAM CLULEY. And that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. And don't forget, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT. And thank you to our wonderful sponsors, SentinelOne, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 387 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Why would they have taken the vacuum and not the lawnmower? Because they didn't want injury. The reporter didn't want to have any injuries.
GRAHAM CLULEY. Maybe they didn't have it. This is downtown Brisbane. Maybe they don't have gardens. Maybe they don't have lawns. It's Australia, it's practically a desert.
CAROLE THERIAULT. Oh, that's true. Maybe it would be hard to find someone with a lawnmower. Okay, maybe they're not available in Australia, the lawnmower one.
GRAHAM CLULEY. Maybe not, maybe not. Have you said bye yet? I said cheerio, bye-bye. Bye! Good.