The Internet of Things (IoT) can make for some wacky, weird headlines. The rise of global data centres and clouds, along with breaches and general security “faux pas”, also makes for some interesting news. Here is a brief synopsis of some weird and wacky news.
IoT: Hackable Sex Toys
According to a ZDNet article in February, as many as 100,000 people had their private sexual activities exposed by a data leak. The Vibratissimo "panty buster" is a smart toy that connects through Bluetooth to a phone. It's designed to allow the user's partner to remotely control the vibrator -- "from home or from the other end of the world." Several security vulnerabilities related to this vibrator have been found. One of them showed that the back-end cloud service for storing customer data was left “wide open”, exposing user data such as usernames, plaintext passwords, chat histories, and explicit image galleries. If that isn’t frightening enough, there is another vulnerability by which anyone could take control of this device over the internet. The vibrator has a "quick control" feature, which allows a user to send a link by text or email to their partner to take control of the vibrator. The ID in each link is a global counter that "just gets incremented by one every time a new quick control link is created… An attacker can guess this ID easily and therefore control the victim's sex toy directly over the internet." Which leads to an interesting question: If your sex toy gets hacked, does that mean you have been sexually assaulted? Maybe this is one type of device that really shouldn’t be “hooked up” to the internet.
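The counter-based link ID described above, next to an unguessable alternative, as an added Python example (not code from the vendor or the article). The class names, the in-memory store and the 15-minute link lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of a control link


class CounterLinks:
    """Flawed design from the article: the link ID is a global counter."""

    def __init__(self):
        self._next = 1
        self._links = {}  # link_id -> device_id

    def issue(self, device_id):
        link_id = self._next
        self._next += 1
        self._links[link_id] = device_id
        return link_id  # anyone holding one ID knows its neighbours

    def redeem(self, link_id):
        return self._links.get(link_id)  # never expires, reusable


class RandomLinks:
    """Hardened design: random, expiring, single-use link tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (device_id, expires_at)

    @staticmethod
    def digest(token):
        # Only the hash is stored, so a leaked store holds no live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, device_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[self.digest(token)] = (device_id, expires_at)
        return token

    def redeem(self, token):
        entry = self._pending.pop(self.digest(token), None)  # single use
        if entry is None:
            return None  # unknown, guessed or already used
        device_id, expires_at = entry
        return device_id if self._clock() <= expires_at else None
```

The random token only limits who can present a valid link; the service still has to authorise the session and let the device owner revoke it.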
Hacking Through Fish Tanks (no, this is not the same as a Phishing Scam)
If hackable vibrators aren’t a strange enough story for you, how about hacking a fish tank? In this case, the sophisticated fish tank’s thermostat was connected to the Internet. According to a 2017 report by Darktrace, a hacker “was able to exfiltrate data from a smart fish tank that was connected to an isolated VPN, and then send that data to a device in Finland.” The victim of the fish tank attack was an unnamed U.S. casino. According to Business Insider: "The attackers used (the fish tank thermostat) to get a foothold in the network… They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud."
U.S. Authorities Can Access Your Banking Information, Deny Canadians Entry into the U.S.
While this doesn’t have anything to do with a breach or lack of security, it can make many Canadians wonder about their privacy, especially when Canadian companies store their data in other global data centres. With Canada set to legalize marijuana very soon, many Canadians are worried, and justifiably so it would seem, that buying legal marijuana in the future could lead to being denied entry into the United States. Most of Canada’s major banks store some or all of their data on U.S. servers. It’s just part of globalization. “Those who buy legal recreational marijuana at licensed stores or online using credit cards will start to accumulate marijuana transaction histories, as organizations begin to collect consumer data,” states Narcity. With that data being stored on U.S. servers, “U.S. authorities can obtain Canadian credit card data under the PATRIOT Act, which was passed as an anti-terrorism law after September 11.” In addition, this data can make its way to customs officials who have the right to ban anyone they deem to be “an abuser of marijuana.” While many Canadians don’t think of marijuana as an issue, that is not so at the border. Take this case as an example: “three senior executives in an agricultural equipment company, who were banned for life when they tried to cross the border to do a sales demonstration of a marijuana bud trimming machine.” According to their lawyer, “All three admitted that they were selling this legal product to the marijuana industry. All were banned from the U.S. on the basis of reason to believe that they are involved in the drug trade. That’s how low the threshold is. They weren’t even involved with the product (the marijuana itself).”
It goes to show that as we increasingly globalize business, our data privacy may be subject to the laws and enforcement of different governments around the world. Canadian consumers would be wise to ask their banks, and any other company that houses their personal data, where that data is stored and who has access to it, and to understand how it could potentially be used against them.
Breaching GDPR in an effort to be Compliant with GDPR
GDPR, the General Data Protection Regulation that just came into effect in the European Union, is a regulation that addresses data privacy for all EU citizens. Ghostery is a privacy-focused browser and an ad-blocking browser extension. In an attempt to notify its users about GDPR and their efforts to protect user privacy, Ghostery unwittingly exposed the email addresses of its users in the process. “The incident caused Ghostery to break GDPR, [since it came into effect on] Friday, May 25, 2018.” Ghostery promptly issued an apology and stopped sending the emails when they realized the error. The error “was caused by an operator's mistake working with their new self-hosted email delivery platform for the first time.” While it was only email addresses that were exposed, Ghostery plans to report the incident to EU authorities, as the new GDPR directive mandates, possibly making Ghostery the first company that reports a breach under the new GDPR rules.
If you've heard of any other bizarre/unconventional hacks, tell us at email@example.com! For more advice on best security practices (to help prevent such hacks), check out our resources.