00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/219 Thanks!
00:00:09,280 --> 00:00:11,109 So welcome everybody.
00:00:12,250 --> 00:00:15,999 This talk for today is by Sathya and Malli.
00:00:16,000 --> 00:00:21,819 They have looked at the security, or maybe you could say insecurity, of home automation systems.
00:00:21,820 --> 00:00:23,199 In this case, HomeMatic.
00:00:24,550 --> 00:00:28,769 And I won't waste your time, so please give them a big round of applause.
00:00:28,770 --> 00:00:29,770 Sathya.
00:00:39,520 --> 00:00:42,399 Yes, hello, my name is Sathya
00:00:42,400 --> 00:00:43,809 and I'm Malli.
00:00:43,810 --> 00:00:55,990 And in the next 45 minutes, we are going to tell and show you how to sniff HomeMatic device traffic, how to emulate HomeMatic devices and how to attack HomeMatic systems.
00:00:57,400 --> 00:01:09,770 This talk only focuses on the wireless traffic, so we are not talking about the wired components at all, and we are also not covering the numerous security issues of the LAN interface.
00:01:11,170 --> 00:01:15,459 So who of you does already use a home automation system?
00:01:17,920 --> 00:01:19,749 Oh, OK.
00:01:19,750 --> 00:01:23,769 And who of you does already use HomeMatic?
00:01:25,590 --> 00:01:27,040 OK, a few.
00:01:28,390 --> 00:01:33,650 And who plans to install a home automation system in the future?
00:01:35,980 --> 00:01:36,980 OK.
00:01:42,130 --> 00:01:43,359 This is great.
00:01:45,910 --> 00:01:47,949 This is the outline of our talk.
00:01:47,950 --> 00:02:06,050 First, we are talking a little bit about HomeMatic in general, then we have to bore you with a little theory about the wireless packets of HomeMatic, and then we will demonstrate live three different possible attacks.
00:02:07,390 --> 00:02:24,639 These three attacks cover pretty much everything, meaning after these attacks you can, as an attacker, control pretty much all the HomeMatic devices, except when you're not using the default AES key, when you changed it.
00:02:30,260 --> 00:02:31,939 OK. HomeMatic in general.
00:02:33,890 --> 00:02:39,949 Our original motivation was we wanted to control valve drives directly.
00:02:39,950 --> 00:02:47,989 We were not satisfied with the built-in temperature control algorithms of the thermal control devices.
00:02:49,070 --> 00:02:55,350 And yeah, we soon found out that it is not possible to control valve drives directly.
00:02:56,390 --> 00:03:11,880 Yeah. Initially, we just wanted to write a new firmware for the valve drive device, but that soon escalated into developing our own interface software to control HomeMatic devices, which we later named Homegear.
00:03:12,740 --> 00:03:16,639 So let us show you an example configuration.
00:03:16,640 --> 00:03:20,780 Maybe you want to start with some kind of starter kit.
00:03:22,160 --> 00:03:28,009 Maybe you want to unlock your door and switch on the light with a remote controller.
00:03:29,480 --> 00:03:39,889 And if you are satisfied, maybe you want to add further components to the system, and therefore you may want to have a control center.
00:03:39,890 --> 00:03:57,049 This may consist of a LAN configuration adapter in combination with a server running the BidCoS service software and the HomeMatic home automation administration software.
00:03:57,050 --> 00:04:18,679 Or you may use a standalone control center unit with a firmware doing the job of the BidCoS service as well as further functions.
00:04:18,680 --> 00:04:26,369 Or you may use a Raspberry Pi with a wireless adapter extension running the Homegear software.
00:04:27,800 --> 00:04:36,619 Then you can add devices like a smoke detector or thermal controls to regulate your room temperature.
00:04:46,200 --> 00:05:06,520 Yes. And at the very beginning we started by opening a valve drive device, and inside we found an Atmel microcontroller, a wireless transceiver module hidden in the back, and of course a motor and the gear.
00:05:07,050 --> 00:05:20,620 This device is built in a very tamper-friendly fashion, providing the communication interface between the microcontroller and the transceiver module on pins.
00:05:28,360 --> 00:05:45,040 So, well, we sniffed the traffic on this communication interface with a logic analyzer, and soon understood how the device works, and
00:05:46,720 --> 00:06:02,829 we could soon emulate this valve drive; actually this valve drive here, as you can see, is probably already running our own firmware, which we later did not develop anymore because it was not necessary.
00:06:05,140 --> 00:06:06,140 OK?
00:06:06,490 --> 00:06:23,810 The wireless packets: the protocol used by the HomeMatic devices is called BidCoS, which stands for bidirectional communication standard, and works on a frequency of 868 MHz, as a lot of wireless home automation systems do.
00:06:24,580 --> 00:06:28,580 And all the BidCoS packets look like this.
00:06:31,390 --> 00:06:43,809 First, you see the packet length, which does not include itself, so the length counts only the bytes after the length.
00:06:45,430 --> 00:06:55,689 Then the first byte is a message counter, which increments by one with each message exchange or packet exchange.
00:06:57,640 --> 00:07:15,939 Byte one is the control byte, which, for example, encodes the information here at bit five that the communication is bidirectional. This bit, for example, means that there is a response expected for this packet.
00:07:17,320 --> 00:07:26,319 Byte two is the type of the message, bytes three to five the sender address, six to eight the destination address, and after that the payload.
00:07:29,200 --> 00:07:36,489 There is one special destination address, zero (three bytes zero), which is the broadcast address.
00:07:39,840 --> 00:07:50,669 Since most of the HomeMatic devices are battery powered, you will need some kind of power saving strategy.
00:07:50,670 --> 00:07:56,099 The first power saving strategy is called Wake-on-Radio.
00:07:56,100 --> 00:08:25,590 And it works as follows: the device wakes up into receive-ready mode for 2.4 milliseconds, and after that it falls asleep for 350 milliseconds, repeatedly, so it can react on packets almost immediately.
00:08:27,030 --> 00:08:50,890 The second type of power saving strategy is the Wake Me Up mode. In this mode the device sends a Wake Me Up packet, then is in receive-ready mode for 250 milliseconds and then falls asleep for a variable but deterministic amount of time.
00:08:51,900 --> 00:09:08,149 This mode is used by some devices which do not have to be reachable all the time, when they want to exchange information with the central.
00:09:09,990 --> 00:09:19,840 They send a Wake Me Up packet in broadcast mode, and the central can react and initiate data transfer.
00:09:20,850 --> 00:09:31,919 Um, the third power saving strategy is almost the same as the mode above, but without a Wake Me Up packet.
00:09:33,030 --> 00:09:40,379 This mode is used by the thermal control device and the valve drive device.
00:09:45,710 --> 00:09:47,230 One slide back.
00:09:48,750 --> 00:09:55,369 The receive-ready mode draws about 14 milliamperes of current.
00:09:55,370 --> 00:10:00,709 So the battery would be empty in about one week.
00:10:00,710 --> 00:10:10,339 So if you use the Wake-on-Radio mode, the average current draw is reduced to about 100 microamperes.
00:10:10,340 --> 00:10:29,460 And the other modes reduce the current draw to about 20 microamperes, plus, additionally, the current of the motor and the microcontroller, so that the batteries can last one year or even longer.
00:10:32,480 --> 00:10:33,480 OK.
00:10:34,340 --> 00:10:41,940 One important thing about the BidCoS protocol is that the communication is completely unencrypted.
00:10:45,590 --> 00:10:51,289 But for some devices, like for example the KeyMatic, which locks and unlocks your door,
00:10:52,430 --> 00:10:59,809 of course you need some kind of authentication, so that not anybody can unlock the door to your apartment or house.
00:11:02,660 --> 00:11:16,519 For this authentication, an AES challenge-response handshake is used, meaning, for example, the central sends the command "open door" to the KeyMatic.
00:11:16,520 --> 00:11:18,449 This is the command.
00:11:18,450 --> 00:11:41,719 And then the KeyMatic generates a random challenge, sends this challenge back to the central, and the central encrypts this challenge with the AES key known by both devices, meaning it encrypts this challenge with the known shared secret.
00:11:41,720 --> 00:11:57,810 And it sends this encrypted message back to the KeyMatic; the KeyMatic decrypts the payload and then knows, OK, the central is my central and I am allowed to unlock the door.
00:12:01,130 --> 00:12:12,649 In the past, there were numerous problems with the AES handshake when you changed the default AES key.
00:12:12,650 --> 00:12:21,589 So still, some people say that you should not change the default AES key and use the default one to avoid problems.
00:12:21,590 --> 00:12:27,319 And one other disadvantage of the AES handshake is that it has a very high latency.
00:12:27,320 --> 00:12:33,499 So, for example, you can't really use it if you want to switch your floor lights, for example.
00:12:36,320 --> 00:12:37,320 Yeah.
00:12:38,810 --> 00:12:41,169 OK, yes.
00:12:41,170 --> 00:12:56,889 Before showing our first attack, I'd like to mention the most simple attack. The most simple attack is a burglar who wears a jamming device, which jams the radio traffic.
00:12:56,890 --> 00:13:10,190 That means it sends a carrier louder than the motion sensor, so that the alarm system cannot hear the "motion detected" from the motion detector.
00:13:11,350 --> 00:13:15,940 So now let's start our first attack.
00:13:23,350 --> 00:13:26,049 What are the requirements for the attack?
00:13:26,050 --> 00:13:27,699 It's actually not a lot.
00:13:27,700 --> 00:13:29,379 We are using a Raspberry Pi.
00:13:30,940 --> 00:13:37,179 Then we need some kind of wireless transceiver module for the Raspberry Pi, in order to
00:13:37,180 --> 00:13:40,960 be able to send and receive BidCoS packets.
00:13:42,100 --> 00:13:51,260 You could use the so-called COC, which you can buy at busware.de.
00:13:51,760 --> 00:13:58,510 But we are using a self-made device we named CRC.
00:13:59,680 --> 00:14:05,919 Yeah, which you can see; let me switch to it, either there or on our next slide.
00:14:07,780 --> 00:14:09,710 Yeah, right. We have a picture of it.
00:14:10,840 --> 00:14:12,129 Uh, there's the webcam.
00:14:19,920 --> 00:14:20,920 There it is.
00:14:23,190 --> 00:14:27,570 This is the CRC on the Raspberry Pi.
00:14:32,810 --> 00:14:43,340 And third, we need some kind of software to interpret the signals of the wireless transceiver module. And of course, we are using Homegear.
00:14:44,840 --> 00:14:49,519 That's again the CRC here. It's still named COC.
00:14:51,080 --> 00:14:52,080 Yeah.
00:14:55,050 --> 00:15:10,769 Yes, our first attack is not much more than copying and pasting a motion detector packet. For this, we need two pieces of information.
00:15:10,770 --> 00:15:19,530 The first information is the address of the motion sensor used, and the second information is...
00:15:22,240 --> 00:15:23,669 No, sorry.
00:15:23,670 --> 00:15:31,539 We only need the address of the motion detector, and the address of the switch, of course.
00:15:31,540 --> 00:15:52,929 Oh, I'm sorry for that. We need to sniff one packet containing both pieces of information, and then more or less copy-paste this packet and send it to the switch, and the light goes on without the motion detector detecting any motion.
00:15:56,230 --> 00:16:01,089 The important question now is: when we sniff packets,
00:16:01,090 --> 00:16:09,579 of course there are a lot of packets in the ether, especially when it's a large automation system or when there are a lot of devices.
00:16:09,580 --> 00:16:14,259 So we need a way to detect motion detector packets.
00:16:14,260 --> 00:16:17,360 So what does a motion detector packet look like?
00:16:18,550 --> 00:16:34,490 The easiest way to get this information is to look at the device XML files, which you can find in the file system of the CCU, or which are also provided with the BidCoS service software, which you can download from the HomeMatic website.
00:16:35,470 --> 00:16:46,299 And then in this XML file, there is a section called "frames", which contains most of the packets known by this device.
00:16:46,300 --> 00:16:52,629 And at the end of this frames section, you can find this frame,
00:16:55,000 --> 00:17:11,229 which has the message type 0x41 hexadecimal, which is encoded in byte two of the packet,
00:17:11,230 --> 00:17:17,379 and has a payload size of four bytes, as you can see here.
00:17:17,380 --> 00:17:26,019 And with the last nibble being zero, this packet is really specific for motion detectors.
00:17:26,020 --> 00:17:31,130 So this is the packet we are looking for and we are sniffing for.
00:17:35,950 --> 00:17:50,090 After this packet (I'm just telling you in advance because you will see it in a few seconds; this is the packet from the motion detector to the switch), the switch will respond with an acknowledge packet.
00:17:51,430 --> 00:17:53,440 OK, let's do the attack.
00:18:00,820 --> 00:18:08,050 Some short information: this is the system of the victim, and this is the hardware of the attacker.
00:18:11,270 --> 00:18:20,450 OK, here we are logged in two times over SSH into our Raspberry Pi.
00:18:26,720 --> 00:18:30,169 And the first question is: how do we sniff packets?
00:18:30,170 --> 00:18:40,710 It's actually pretty easy, because all the packets are logged into the Homegear log files, so we just use tail.
00:18:43,190 --> 00:18:44,779 It's a little hard to read from here.
00:18:45,860 --> 00:18:47,929 Usually we do not log in as root.
00:18:50,780 --> 00:18:59,329 And here you can see all the BidCoS packets received by Homegear, or by our wireless transceiver module.
00:18:59,330 --> 00:19:05,369 Now Malli inserts the battery into our victim's motion detector.
00:19:05,370 --> 00:19:10,230 We just removed it because otherwise the light would switch on and off all the time.
00:19:10,910 --> 00:19:14,599 And now we wait a little bit, hopefully.
00:19:14,600 --> 00:19:15,600 Mm-hmm.
00:19:18,590 --> 00:19:20,149 I think it's crashed.
00:19:20,150 --> 00:19:21,150 No.
00:19:22,830 --> 00:19:23,830 Yes.
00:19:26,420 --> 00:19:27,420 It's crashed.
00:19:38,960 --> 00:19:41,150 Hmm. As you can see, it works perfectly.
00:19:44,550 --> 00:19:49,210 This is not part of the attack, by the way. We just want to switch on the light.
00:20:02,360 --> 00:20:07,290 OK, maybe we shouldn't have removed the batteries.
00:20:14,640 --> 00:20:15,750 It is receiving something.
00:20:17,100 --> 00:20:20,339 Yeah, it detects when the batteries are inserted.
00:20:20,340 --> 00:20:22,690 OK, now we know that's the motion detector.
00:20:25,710 --> 00:20:27,029 OK.
00:20:27,030 --> 00:20:36,359 We can't show you what we wanted to show you, but we can generate our own packet. We can construct our own packet.
00:20:36,360 --> 00:20:39,409 We'll use the backup of our sniffing before.
00:20:39,410 --> 00:20:41,549 Yeah, OK.
00:20:41,550 --> 00:20:52,139 I mean, normally we can sniff the two addresses; we wanted to sniff the motion detector packet and copy-paste that to the right side.
00:20:52,140 --> 00:21:00,960 But as that is not possible now, let's just connect to our Homegear daemon.
00:21:02,220 --> 00:21:04,700 Now we are connected. Ah, yeah.
00:21:05,820 --> 00:21:08,780 Now we are within the command line interface of Homegear.
00:21:12,850 --> 00:21:18,039 By default, Homegear knows two virtual devices.
00:21:18,040 --> 00:21:20,019 The second one we don't need now.
00:21:20,020 --> 00:21:33,789 That's the virtual central, and the first one is a device we call spy device, which is actually the device which logs all these packets to the log file.
00:21:33,790 --> 00:21:35,050 And we need the first one.
00:21:38,750 --> 00:21:42,849 You know, no, it looks perfect; it needed some time for booting.
00:21:44,270 --> 00:21:46,670 OK. OK, let's show it once again.
00:21:48,820 --> 00:21:54,259 Oh, we have to wait some seconds until the lights turn off again.
00:21:54,260 --> 00:21:55,179 You can use it now.
00:21:55,180 --> 00:21:57,499 Yeah, yeah.
00:21:57,500 --> 00:22:04,279 But you can see already here is the packet we just talked about, with a message type 41.
00:22:04,280 --> 00:22:13,999 Once again, this is the sender address, you can see the sender address, and the destination address being the address of the switch.
00:22:14,000 --> 00:22:16,860 Once again, yeah. Once again, OK, once again.
00:22:17,870 --> 00:22:24,109 OK, there it is again, and there is the packet after that. Remove the battery. OK, good, after that,
00:22:25,850 --> 00:22:29,229 is that the acknowledge packet from the switch?
00:22:29,230 --> 00:22:32,159 OK. OK, now we are really not...
00:22:32,160 --> 00:22:33,529 We can't cheat anymore.
00:22:33,530 --> 00:22:37,649 No, there is no... There are no batteries anymore in the motion detector.
00:22:37,650 --> 00:22:50,539 And now, when we type up, you can see the spy device supports a command called "send", with which we can send arbitrary BidCoS packets.
00:22:50,540 --> 00:22:57,629 And we are using this command and just copy the packet from the right side to the left.
00:22:57,630 --> 00:23:00,229 I press enter and nothing happens.
00:23:00,230 --> 00:23:01,230 Hmm.
00:23:01,850 --> 00:23:03,079 We did something wrong.
00:23:03,080 --> 00:23:07,770 I think we'll try it again. Try it again. Yeah, we will. We will.
00:23:08,690 --> 00:23:20,520 Um, when you remember this slide, maybe you saw that part of the payload is the counter at byte ten here.
00:23:21,080 --> 00:23:38,529 And when you sniff more packets, and as we sniffed more than one packet, you can see here... For me, it's hard to see right now from this angle. But if you look through all these packets, you will see that the counter increments by one with each motion event.
00:23:38,530 --> 00:23:49,500 So maybe let's just try to do the same and increment the counter by one, and... ta-da.
00:23:57,810 --> 00:23:59,519 That was the first attack.
00:23:59,520 --> 00:24:03,180 You see, it's quite simple to emulate HomeMatic devices.
00:24:05,760 --> 00:24:06,959 And now the second attack.
00:24:09,750 --> 00:24:12,000 OK, and how to annoy your neighbor?
00:24:13,750 --> 00:24:16,990 Only one way to annoy your neighbor.
574 00:24:17,700 --> 00:24:18,700 You have a 575 00:24:20,340 --> 00:24:23,309 thermal control device 576 00:24:23,310 --> 00:24:25,379 mounted on 577 00:24:25,380 --> 00:24:27,479 the wall of your room and 578 00:24:28,950 --> 00:24:30,959 a valve drive device mounted to the 579 00:24:30,960 --> 00:24:33,659 valve of your radiator. 580 00:24:33,660 --> 00:24:35,909 These two devices are paired to each 581 00:24:35,910 --> 00:24:38,279 other, and each one of them 582 00:24:38,280 --> 00:24:39,720 is paired to a. 583 00:24:42,180 --> 00:24:44,339 So our next attack is not that 584 00:24:44,340 --> 00:24:46,409 simple, but still, we 585 00:24:46,410 --> 00:24:47,609 can manage to 586 00:24:48,810 --> 00:24:51,029 change the set point temperature to 587 00:24:51,030 --> 00:24:53,460 always on so that the valve drive 588 00:24:54,900 --> 00:24:56,939 position is fully opened. 589 00:24:56,940 --> 00:24:58,140 And now, 590 00:24:59,580 --> 00:24:59,699 you 591 00:24:59,700 --> 00:25:02,069 can imagine, we can have some fun or 592 00:25:02,070 --> 00:25:03,659 maybe a burglar can use it too, 593 00:25:06,470 --> 00:25:08,869 for social hacking, to make the victim 594 00:25:08,870 --> 00:25:09,870 open the window. 595 00:25:12,470 --> 00:25:13,520 OK. And 596 00:25:15,320 --> 00:25:16,320 that's. 597 00:25:17,570 --> 00:25:18,570 Yeah. 598 00:25:19,340 --> 00:25:21,079 Explaining how the attack works. 599 00:25:21,080 --> 00:25:22,080 Let's 600 00:25:23,180 --> 00:25:25,579 see. Maybe if you remember this slide, 601 00:25:25,580 --> 00:25:28,039 we have a problem now because we can't 602 00:25:28,040 --> 00:25:30,259 just send the new set point 603 00:25:30,260 --> 00:25:32,419 temperature to the 604 00:25:32,420 --> 00:25:34,429 thermal control device. 605 00:25:34,430 --> 00:25:35,539 Why is that?
606 00:25:35,540 --> 00:25:37,939 In our first example, the switch 607 00:25:37,940 --> 00:25:40,549 we used to 608 00:25:40,550 --> 00:25:42,859 turn on and off the light was 609 00:25:42,860 --> 00:25:44,989 always receiving. 610 00:25:44,990 --> 00:25:46,640 It was always in receive-ready mode. 611 00:25:47,690 --> 00:25:49,999 The thermal control now is 612 00:25:50,000 --> 00:25:52,099 a device of this kind, meaning 613 00:25:52,100 --> 00:25:54,439 it sends wake me up packets 614 00:25:54,440 --> 00:25:56,599 every few minutes and then goes to 615 00:25:56,600 --> 00:25:57,619 sleep again. 616 00:25:57,620 --> 00:26:00,049 That means if we would use 617 00:26:00,050 --> 00:26:02,420 the command send, as we used 618 00:26:03,500 --> 00:26:05,689 it in the last attack, we would 619 00:26:05,690 --> 00:26:07,969 need to send within this 620 00:26:07,970 --> 00:26:10,219 window of 250 milliseconds. 621 00:26:10,220 --> 00:26:12,649 That's kind of hard to do 622 00:26:12,650 --> 00:26:14,749 manually. 623 00:26:14,750 --> 00:26:16,879 So we need a different kind 624 00:26:16,880 --> 00:26:17,880 of approach. 625 00:26:20,530 --> 00:26:21,530 Huh, huh. 626 00:26:25,160 --> 00:26:26,609 Yeah, OK. 627 00:26:26,610 --> 00:26:28,679 The first step is we 628 00:26:28,680 --> 00:26:31,379 need two pieces of information. 629 00:26:31,380 --> 00:26:33,869 The first information is the address 630 00:26:33,870 --> 00:26:36,629 of the thermal control device, 631 00:26:36,630 --> 00:26:38,819 and the second information we need 632 00:26:38,820 --> 00:26:41,339 is the address of the victim's 633 00:26:41,340 --> 00:26:42,340 central.
634 00:26:43,080 --> 00:26:45,869 And in the attack, we have to 635 00:26:45,870 --> 00:26:48,449 change Homegear's central address 636 00:26:48,450 --> 00:26:50,819 to the victim's central address because 637 00:26:50,820 --> 00:26:52,980 otherwise the victim's 638 00:26:55,230 --> 00:26:57,749 thermal control device, which is part 639 00:26:57,750 --> 00:26:59,909 of the victim's central, would not 640 00:26:59,910 --> 00:27:02,099 accept packets from our 641 00:27:04,050 --> 00:27:06,509 Homegear device because 642 00:27:06,510 --> 00:27:08,820 it has the wrong address. 643 00:27:09,870 --> 00:27:10,870 Then 644 00:27:12,030 --> 00:27:14,369 we have to manually add 645 00:27:14,370 --> 00:27:16,019 the victim's thermal control to our 646 00:27:16,020 --> 00:27:18,779 Homegear in order to make 647 00:27:18,780 --> 00:27:20,849 Homegear manage the timing of the 648 00:27:20,850 --> 00:27:23,039 attack, because manually 649 00:27:23,040 --> 00:27:25,409 you can hardly hit 650 00:27:25,410 --> 00:27:27,689 the two hundred and fifty milliseconds 651 00:27:27,690 --> 00:27:28,690 window. 652 00:27:30,150 --> 00:27:32,279 The third step is to change the 653 00:27:32,280 --> 00:27:33,329 set point temperature, 654 00:27:35,250 --> 00:27:37,319 and the 655 00:27:37,320 --> 00:27:39,569 fourth step 656 00:27:39,570 --> 00:27:42,059 is to switch the thermal control 657 00:27:42,060 --> 00:27:44,159 mode to central mode. 658 00:27:44,160 --> 00:27:45,690 Because if the 659 00:27:47,280 --> 00:27:49,349 thermal control device is in a 660 00:27:49,350 --> 00:27:51,629 non-central mode, it would 661 00:27:51,630 --> 00:27:53,130 not use the 662 00:27:55,050 --> 00:27:57,479 temperature set before by us 663 00:27:57,480 --> 00:27:59,909 for the actual 664 00:27:59,910 --> 00:28:00,910 valve drive device.
665 00:28:03,030 --> 00:28:05,339 And the easiest way to 666 00:28:05,340 --> 00:28:08,039 do both steps is using the RPC 667 00:28:08,040 --> 00:28:10,289 functions setValue and 668 00:28:10,290 --> 00:28:11,290 putParamset. 669 00:28:13,870 --> 00:28:16,079 I saw a slide 670 00:28:16,080 --> 00:28:17,249 before. Sorry. 671 00:28:20,180 --> 00:28:21,799 Yeah, now 672 00:28:21,800 --> 00:28:23,989 our first step is, we need 673 00:28:23,990 --> 00:28:26,629 to identify the address 674 00:28:26,630 --> 00:28:28,279 of the thermal control, 675 00:28:29,330 --> 00:28:31,669 and to do that, we need a packet 676 00:28:31,670 --> 00:28:33,829 that is specific for thermal 677 00:28:33,830 --> 00:28:35,689 controls again. 678 00:28:35,690 --> 00:28:37,939 And yeah, the 679 00:28:37,940 --> 00:28:39,739 XML files are our friend. 680 00:28:39,740 --> 00:28:42,229 So we just look into the XML 681 00:28:42,230 --> 00:28:44,449 file of the thermal control device 682 00:28:44,450 --> 00:28:47,839 and there find a packet 683 00:28:47,840 --> 00:28:50,179 with a message type of 58, 684 00:28:50,180 --> 00:28:52,159 which is specific for thermal 685 00:28:52,160 --> 00:28:54,709 controls. So we just need to sniff 686 00:28:54,710 --> 00:28:57,259 for a packet of this message 687 00:28:57,260 --> 00:28:58,970 type, which we are doing now. 688 00:29:02,210 --> 00:29:04,429 While we talked, Homegear, 689 00:29:04,430 --> 00:29:06,679 of course, was logging 690 00:29:06,680 --> 00:29:07,680 all the packets 691 00:29:08,900 --> 00:29:10,159 received. 692 00:29:10,160 --> 00:29:11,539 And as you can see here, 693 00:29:13,430 --> 00:29:15,679 there is a packet with message 694 00:29:15,680 --> 00:29:17,269 type fifty eight. 695 00:29:17,270 --> 00:29:19,609 So this most definitely is a thermal 696 00:29:19,610 --> 00:29:21,229 control device.
697 00:29:21,230 --> 00:29:23,269 And this is 698 00:29:23,270 --> 00:29:25,009 the address 699 00:29:25,010 --> 00:29:25,819 of 700 00:29:25,820 --> 00:29:28,069 our thermal control, one 701 00:29:28,070 --> 00:29:29,719 D E seven nine zero. 702 00:29:29,720 --> 00:29:31,639 The second address here, the destination 703 00:29:31,640 --> 00:29:33,289 address, is the address of the valve 704 00:29:33,290 --> 00:29:35,269 drive. So this is the packet sent from 705 00:29:35,270 --> 00:29:36,739 the thermal control to the valve drive. 706 00:29:37,850 --> 00:29:40,099 And yeah, then the 707 00:29:40,100 --> 00:29:43,099 second information we need is 708 00:29:43,100 --> 00:29:45,170 the address of the central. 709 00:29:46,850 --> 00:29:49,219 To identify the central address 710 00:29:49,220 --> 00:29:51,979 you just need to look for 711 00:29:51,980 --> 00:29:54,169 different kinds of status packets 712 00:29:54,170 --> 00:29:56,239 sent to the central. 713 00:29:56,240 --> 00:29:58,279 We are not. 714 00:29:58,280 --> 00:30:01,069 Yeah, I'm not going to show you 715 00:30:01,070 --> 00:30:03,259 what the status packets are, 716 00:30:03,260 --> 00:30:05,329 but there should be one here 717 00:30:05,330 --> 00:30:06,330 in this list. 718 00:30:08,600 --> 00:30:11,179 But before doing the attack, 719 00:30:11,180 --> 00:30:13,160 please switch to the webcam to prove 720 00:30:14,780 --> 00:30:16,939 the... Oh yeah, that's right, it's 721 00:30:16,940 --> 00:30:17,809 almost close. 722 00:30:17,810 --> 00:30:19,309 Here, for example. 723 00:30:19,310 --> 00:30:21,409 That's one 724 00:30:21,410 --> 00:30:22,489 C six nine four three. 725 00:30:22,490 --> 00:30:23,749 That's the central address. 726 00:30:23,750 --> 00:30:25,369 That's a status packet sent to the 727 00:30:25,370 --> 00:30:26,899 central. OK, yeah. 728 00:30:26,900 --> 00:30:27,369 What's this?
729 00:30:27,370 --> 00:30:28,370 What's 730 00:30:29,630 --> 00:30:30,889 one second there? 731 00:30:30,890 --> 00:30:33,139 OK, as you can see, 732 00:30:33,140 --> 00:30:35,299 the valve is opened 733 00:30:35,300 --> 00:30:37,880 by only 17 percent. 734 00:30:40,870 --> 00:30:42,849 Maybe show the thermal control too. 735 00:30:44,170 --> 00:30:45,670 The thermal control has the 736 00:30:48,040 --> 00:30:50,169 actual temperature of 737 00:30:50,170 --> 00:30:52,089 twenty one point eight degrees, doesn't 738 00:30:52,090 --> 00:30:53,349 matter, and 739 00:30:53,350 --> 00:30:54,350 what's 740 00:30:56,070 --> 00:30:57,579 OK and 741 00:30:58,840 --> 00:30:59,840 oh. 742 00:31:02,470 --> 00:31:04,839 You have to release the button. And 743 00:31:04,840 --> 00:31:07,089 a set point temperature of nineteen point 744 00:31:07,090 --> 00:31:08,139 five degrees. 745 00:31:08,140 --> 00:31:10,269 And the mode is manual. 746 00:31:10,270 --> 00:31:12,459 Uh, yeah, 747 00:31:12,460 --> 00:31:13,460 that's OK. 748 00:31:14,310 --> 00:31:15,310 OK, 749 00:31:18,220 --> 00:31:19,509 now 750 00:31:19,510 --> 00:31:21,040 let's do the actual attack. 751 00:31:23,440 --> 00:31:24,440 First, 752 00:31:25,810 --> 00:31:26,810 you remember 753 00:31:27,970 --> 00:31:30,129 the second device was the central. 754 00:31:30,130 --> 00:31:31,809 This is the central address, and this 755 00:31:31,810 --> 00:31:32,979 address is wrong. 756 00:31:32,980 --> 00:31:35,169 So we need to change it. 757 00:31:35,170 --> 00:31:35,739 To do 758 00:31:35,740 --> 00:31:36,740 that, 759 00:31:37,030 --> 00:31:38,200 we remove the central 760 00:31:44,620 --> 00:31:46,239 and create a new one.
761 00:31:59,330 --> 00:32:01,159 With a correct address, with our victim's 762 00:32:01,160 --> 00:32:03,319 central address, one C six 763 00:32:03,320 --> 00:32:05,059 nine four zero, 764 00:32:05,060 --> 00:32:05,779 then 765 00:32:05,780 --> 00:32:08,029 we need a completely arbitrary 766 00:32:08,030 --> 00:32:10,069 serial number, it can really be anything. 767 00:32:10,070 --> 00:32:12,139 We use the serial number 768 00:32:12,140 --> 00:32:13,249 V central zero 769 00:32:13,250 --> 00:32:14,269 one 770 00:32:14,270 --> 00:32:16,019 and the device type. 771 00:32:16,020 --> 00:32:18,229 As you can see here, the device type 772 00:32:18,230 --> 00:32:19,609 of the central device is f 773 00:32:19,610 --> 00:32:22,489 f f f f f d. 774 00:32:22,490 --> 00:32:22,789 And now 775 00:32:22,790 --> 00:32:23,790 we have a new central. 776 00:32:27,150 --> 00:32:28,150 There it is. 777 00:32:32,380 --> 00:32:34,449 Now we select the central. 778 00:32:37,650 --> 00:32:40,109 And here you can see there is a command 779 00:32:40,110 --> 00:32:42,509 called peers add to 780 00:32:42,510 --> 00:32:44,759 manually add peers without 781 00:32:44,760 --> 00:32:46,829 pairing them with the 782 00:32:46,830 --> 00:32:47,830 central. 783 00:32:50,890 --> 00:32:52,269 And we are doing exactly 784 00:32:52,270 --> 00:32:54,979 that: peers 785 00:32:54,980 --> 00:32:57,099 add. Now we need the 786 00:32:57,100 --> 00:32:59,169 device type first. The 787 00:32:59,170 --> 00:33:01,269 device type you can find in 788 00:33:01,270 --> 00:33:03,429 the XML file. The device type of 789 00:33:03,430 --> 00:33:05,649 the thermal control is 790 00:33:05,650 --> 00:33:06,650 three nine. 791 00:33:07,450 --> 00:33:08,889 Then we need the address, 792 00:33:10,210 --> 00:33:12,549 which was one seven 793 00:33:12,550 --> 00:33:13,550 nine zero. 794 00:33:16,760 --> 00:33:19,039 Then we need, again, an arbitrary serial 795 00:33:19,040 --> 00:33:20,119 number.
796 00:33:20,120 --> 00:33:22,339 We call it virtual thermal control 797 00:33:23,810 --> 00:33:26,239 one and 798 00:33:26,240 --> 00:33:27,799 the firmware version. 799 00:33:27,800 --> 00:33:29,869 The most current firmware version is 800 00:33:29,870 --> 00:33:31,129 2.1. 801 00:33:31,130 --> 00:33:32,989 And this information you can also get out 802 00:33:32,990 --> 00:33:34,819 of the XML file or by just 803 00:33:34,820 --> 00:33:36,379 inserting a battery in the thermal 804 00:33:36,380 --> 00:33:38,059 control, then it will display the firmware, 805 00:33:38,060 --> 00:33:39,060 the firmware version. 806 00:33:40,730 --> 00:33:41,659 And now 807 00:33:41,660 --> 00:33:44,149 Homegear knows the thermal control 808 00:33:44,150 --> 00:33:45,619 of our, of our victim. 809 00:33:47,660 --> 00:33:48,739 We are logging out. 810 00:33:48,740 --> 00:33:50,509 We don't need the command line interface 811 00:33:50,510 --> 00:33:50,959 anymore, and 812 00:33:50,960 --> 00:33:51,960 now 813 00:33:52,580 --> 00:33:54,709 we need to tell Homegear 814 00:33:54,710 --> 00:33:57,169 to set the new set point temperature 815 00:33:57,170 --> 00:33:58,170 for us. 816 00:33:58,670 --> 00:33:58,969 To do 817 00:33:58,970 --> 00:34:01,039 that, as Malli already 818 00:34:01,040 --> 00:34:02,599 told you, we are using the RPC 819 00:34:02,600 --> 00:34:04,309 functions. One way to do 820 00:34:04,310 --> 00:34:06,529 that is 821 00:34:06,530 --> 00:34:07,939 to use 822 00:34:07,940 --> 00:34:09,679 a simple script. 823 00:34:10,969 --> 00:34:13,279 I call that 824 00:34:13,280 --> 00:34:14,359 setpoint.php. 825 00:34:14,360 --> 00:34:15,800 Looks... sorry, 826 00:34:17,060 --> 00:34:18,738 and this script actually is pretty 827 00:34:18,739 --> 00:34:20,600 simple.
The class I'm using 828 00:34:21,620 --> 00:34:23,928 pretty much only uses 829 00:34:23,929 --> 00:34:26,329 the XML-RPC functions provided 830 00:34:26,330 --> 00:34:28,488 by PHP itself, so it's really nothing 831 00:34:28,489 --> 00:34:30,349 special, and you can download it from the 832 00:34:30,350 --> 00:34:31,968 Homegear website. 833 00:34:31,969 --> 00:34:34,129 And as you can see, 834 00:34:34,130 --> 00:34:36,309 we are sending two RPC functions. 835 00:34:36,310 --> 00:34:38,809 The first one is setValue 836 00:34:38,810 --> 00:34:40,488 to the 837 00:34:40,489 --> 00:34:42,468 thermal control we just created in 838 00:34:42,469 --> 00:34:43,488 Homegear. 839 00:34:43,489 --> 00:34:45,738 You remember we named it 840 00:34:45,739 --> 00:34:47,209 VTC 841 00:34:47,210 --> 00:34:49,039 one. The 842 00:34:49,040 --> 00:34:51,289 variable name is set 843 00:34:51,290 --> 00:34:53,419 point. Again, this information is out of 844 00:34:53,420 --> 00:34:55,638 the XML file and 845 00:34:55,639 --> 00:34:58,129 we set set point to 100. 846 00:34:58,130 --> 00:35:00,229 100 is a special value, meaning 847 00:35:00,230 --> 00:35:01,230 always on, 848 00:35:02,660 --> 00:35:03,199 and 849 00:35:03,200 --> 00:35:05,269 the second RPC function we are using is 850 00:35:05,270 --> 00:35:07,039 putParamset. putParamset is 851 00:35:07,040 --> 00:35:09,620 used to set configuration parameters, 852 00:35:10,820 --> 00:35:11,779 and 853 00:35:11,780 --> 00:35:13,939 so we are using putParamset 854 00:35:13,940 --> 00:35:16,249 to change 855 00:35:16,250 --> 00:35:17,869 the mode of the thermal control to 856 00:35:17,870 --> 00:35:19,939 central mode in case it is not in 857 00:35:19,940 --> 00:35:20,940 central mode. 858 00:35:21,680 --> 00:35:23,749 And again, this information 859 00:35:23,750 --> 00:35:25,340 is out of the XML file.
860 00:35:26,780 --> 00:35:29,329 We change 861 00:35:29,330 --> 00:35:32,059 the variable mode temperature regulator 862 00:35:32,060 --> 00:35:34,219 to the value two, and 863 00:35:34,220 --> 00:35:36,349 two is the central 864 00:35:36,350 --> 00:35:37,350 mode. 865 00:35:38,450 --> 00:35:41,539 OK, now 866 00:35:41,540 --> 00:35:43,789 we are just executing our script 867 00:35:45,230 --> 00:35:47,059 on the right side. On the left side in 868 00:35:47,060 --> 00:35:49,459 the log you can see that Homegear 869 00:35:49,460 --> 00:35:51,649 received both our RPC 870 00:35:51,650 --> 00:35:53,719 packets. Now we need to wait a little 871 00:35:53,720 --> 00:35:56,449 bit because, 872 00:35:56,450 --> 00:35:58,999 yeah, it takes two to three minutes for 873 00:35:59,000 --> 00:36:01,099 the thermal control to send a 874 00:36:01,100 --> 00:36:02,569 wake me up packet. 875 00:36:02,570 --> 00:36:04,939 And yeah, then Homegear starts sending. 876 00:36:04,940 --> 00:36:05,940 In the meantime, 877 00:36:06,860 --> 00:36:08,839 I am showing you 878 00:36:08,840 --> 00:36:10,459 what you will see. 879 00:36:10,460 --> 00:36:11,460 There will be 880 00:36:12,590 --> 00:36:14,299 a few more packets than you saw in the 881 00:36:14,300 --> 00:36:15,300 last example. 882 00:36:16,730 --> 00:36:18,679 This is the wake me up packet. 883 00:36:18,680 --> 00:36:21,049 And in response to the wake me up 884 00:36:21,050 --> 00:36:23,479 packet, Homegear will send a wake 885 00:36:23,480 --> 00:36:26,089 up packet, the thermal control will 886 00:36:26,090 --> 00:36:27,770 send an acknowledge, and then 887 00:36:28,790 --> 00:36:30,799 Homegear will send the new set point 888 00:36:30,800 --> 00:36:32,929 temperature in this packet, 889 00:36:32,930 --> 00:36:35,419 encoded in the payload byte
890 00:36:35,420 --> 00:36:37,879 C eight being one hundred dot zero, 891 00:36:37,880 --> 00:36:40,099 the special value always on, 892 00:36:40,100 --> 00:36:42,079 and an acknowledge again. 893 00:36:42,080 --> 00:36:44,239 It is coded as two hundred 894 00:36:44,240 --> 00:36:46,309 in decimal so that you can 895 00:36:46,310 --> 00:36:48,409 encode values 896 00:36:48,410 --> 00:36:50,809 between zero and 100 897 00:36:50,810 --> 00:36:53,149 in 0.5 percent steps. 898 00:36:53,150 --> 00:36:54,700 Yeah, OK. 899 00:36:57,770 --> 00:36:59,989 And the second RPC 900 00:36:59,990 --> 00:37:02,509 function, putParamset, causes 901 00:37:02,510 --> 00:37:04,879 Homegear to do this directly after 902 00:37:04,880 --> 00:37:06,260 setting the set point temperature, 903 00:37:07,580 --> 00:37:10,069 as the central 904 00:37:10,070 --> 00:37:11,869 mode is a configuration parameter. 905 00:37:13,160 --> 00:37:15,259 It is handled as 906 00:37:15,260 --> 00:37:17,479 setting configuration parameters, which 907 00:37:17,480 --> 00:37:19,150 is done always in the same way. 908 00:37:21,020 --> 00:37:22,939 Setting configuration parameters starts 909 00:37:22,940 --> 00:37:25,279 with a start configuration packet and 910 00:37:25,280 --> 00:37:27,589 ends with an end configuration 911 00:37:27,590 --> 00:37:30,199 packet, and in between 912 00:37:30,200 --> 00:37:32,539 is the packet to actually set 913 00:37:32,540 --> 00:37:34,429 the configuration parameter, which is 914 00:37:34,430 --> 00:37:36,439 encoded here in the last byte. 915 00:37:37,520 --> 00:37:39,709 A lot of information for one byte, 916 00:37:39,710 --> 00:37:42,049 yeah, and in between are acknowledge 917 00:37:42,050 --> 00:37:44,389 packets so that Homegear knows that 918 00:37:44,390 --> 00:37:46,250 the packets were really received. 919 00:37:47,570 --> 00:37:50,029 OK, let's switch 920 00:37:50,030 --> 00:37:51,679 back and 921 00:37:51,680 --> 00:37:52,909 see if something happened.
922 00:37:52,910 --> 00:37:53,910 Yep. 923 00:37:55,110 --> 00:37:56,110 Um, 924 00:37:58,580 --> 00:38:00,469 actually, it did it. 925 00:38:00,470 --> 00:38:01,470 It did. Yeah. 926 00:38:07,030 --> 00:38:08,860 Where's the wake me up packet? 927 00:38:12,710 --> 00:38:14,119 OK. 928 00:38:14,120 --> 00:38:15,770 Wake me up packet, 929 00:38:17,090 --> 00:38:18,090 one sec. 930 00:38:19,700 --> 00:38:21,919 OK. In this case, 931 00:38:21,920 --> 00:38:24,229 we responded to the packet 932 00:38:24,230 --> 00:38:26,419 with the message type five 933 00:38:26,420 --> 00:38:28,559 eight, so not actually to the broadcast 934 00:38:28,560 --> 00:38:30,439 packet. This is working too. 935 00:38:30,440 --> 00:38:33,109 This is the packet sent from 936 00:38:33,110 --> 00:38:34,669 the thermal control to the valve 937 00:38:34,670 --> 00:38:35,599 drive. 938 00:38:35,600 --> 00:38:37,699 And after 939 00:38:37,700 --> 00:38:38,700 this packet 940 00:38:39,980 --> 00:38:42,319 here you can see the 941 00:38:42,320 --> 00:38:43,760 set point temperature being set, 942 00:38:44,990 --> 00:38:47,389 the configuration start packet, 943 00:38:47,390 --> 00:38:49,909 the setting of 944 00:38:49,910 --> 00:38:51,859 the mode to central mode and the 945 00:38:51,860 --> 00:38:53,149 configuration end packet. 946 00:38:54,320 --> 00:38:56,299 OK, now I'm switching to the webcam 947 00:38:56,300 --> 00:38:57,300 again, 948 00:38:58,880 --> 00:38:59,899 and 949 00:38:59,900 --> 00:39:02,179 as we can see, the valve 950 00:39:02,180 --> 00:39:04,819 drive opens the valve 951 00:39:04,820 --> 00:39:05,809 step by step. 952 00:39:05,810 --> 00:39:07,250 Eighty eight percent. 953 00:39:10,050 --> 00:39:12,150 OK, from ninety eight to a maximum, 954 00:39:13,740 --> 00:39:14,969 almost fully opened. 955 00:39:17,060 --> 00:39:19,339 And here the set temperature, the set 956 00:39:19,340 --> 00:39:21,139 point temperature, is on.
957 00:39:21,140 --> 00:39:22,909 And here you can see that the thermal 958 00:39:22,910 --> 00:39:24,440 control is in central mode. 959 00:39:26,210 --> 00:39:27,289 That was the second attack. 960 00:39:34,700 --> 00:39:36,589 OK. Last one. 961 00:39:36,590 --> 00:39:37,590 Time is short. 962 00:39:39,710 --> 00:39:41,620 So, OK. 963 00:39:44,420 --> 00:39:45,349 Yeah. 964 00:39:45,350 --> 00:39:47,449 In that attack, we are going 965 00:39:47,450 --> 00:39:49,819 to show you how to open 966 00:39:49,820 --> 00:39:51,349 a victim's door 967 00:39:52,460 --> 00:39:54,649 if the victim has not 968 00:39:54,650 --> 00:39:57,409 changed the default AES key. 969 00:39:57,410 --> 00:39:59,509 That's probably the case for a lot 970 00:39:59,510 --> 00:40:01,729 of people, and the reason is 971 00:40:01,730 --> 00:40:02,959 being lazy. 972 00:40:02,960 --> 00:40:05,239 But I think a lot of systems still 973 00:40:05,240 --> 00:40:06,459 use the default AES key; 974 00:40:08,720 --> 00:40:11,449 we might do some wardriving to 975 00:40:11,450 --> 00:40:13,639 see how many people have changed 976 00:40:13,640 --> 00:40:15,439 the AES key. 977 00:40:15,440 --> 00:40:17,629 So again, we need two 978 00:40:17,630 --> 00:40:18,609 pieces of information. 979 00:40:18,610 --> 00:40:21,229 The first information is 980 00:40:21,230 --> 00:40:23,449 the address of the KeyMatic 981 00:40:23,450 --> 00:40:24,559 device. 982 00:40:24,560 --> 00:40:26,899 And the second information 983 00:40:26,900 --> 00:40:28,789 we need to know is 984 00:40:29,990 --> 00:40:30,990 that. 985 00:40:33,130 --> 00:40:34,869 The KeyMatic device, and the second 986 00:40:34,870 --> 00:40:36,999 information is the address 987 00:40:37,000 --> 00:40:38,739 of the victim's central.
988 00:40:40,750 --> 00:40:43,119 So we have to sniff both 989 00:40:43,120 --> 00:40:45,189 pieces of information, and 990 00:40:45,190 --> 00:40:47,710 as soon as we got these two pieces of information, 991 00:40:49,330 --> 00:40:49,839 we 992 00:40:49,840 --> 00:40:51,999 can send the command open door 993 00:40:53,290 --> 00:40:54,849 together with the 994 00:40:56,350 --> 00:40:58,449 handshake with the default key. 995 00:40:58,450 --> 00:41:00,729 For the sniffing, we 996 00:41:00,730 --> 00:41:02,919 might use the Raspberry 997 00:41:02,920 --> 00:41:06,549 and CUL, 998 00:41:06,550 --> 00:41:08,769 but for sending 999 00:41:08,770 --> 00:41:11,019 the AES handshake, we 1000 00:41:11,020 --> 00:41:12,020 need the 1001 00:41:13,720 --> 00:41:16,089 LAN configuration adapter 1002 00:41:16,090 --> 00:41:18,219 together with the BidCoS service running 1003 00:41:18,220 --> 00:41:20,199 on our computer. 1004 00:41:22,390 --> 00:41:23,359 OK. 1005 00:41:23,360 --> 00:41:25,539 Yes. Sadly, Homegear currently 1006 00:41:25,540 --> 00:41:27,669 doesn't know the default keys, so 1007 00:41:27,670 --> 00:41:29,799 we can't generate the AES 1008 00:41:29,800 --> 00:41:30,800 handshake. 1009 00:41:32,290 --> 00:41:33,789 OK, let's start by sniffing. 1010 00:41:35,440 --> 00:41:37,809 You already know the procedure. 1011 00:41:37,810 --> 00:41:39,279 And yeah, 1012 00:41:39,280 --> 00:41:40,749 Malli, you are the victim. 1013 00:41:40,750 --> 00:41:42,219 Close the door. 1014 00:41:42,220 --> 00:41:43,220 OK. 1015 00:41:45,230 --> 00:41:47,300 Hmm. Oh, yeah, the webcam can be... 1016 00:41:52,590 --> 00:41:54,749 OK, I have the door 1017 00:41:54,750 --> 00:41:55,919 still open. 1018 00:41:55,920 --> 00:41:56,920 Now it's closed. 1019 00:42:04,560 --> 00:42:06,090 OK, and there you saw, 1020 00:42:07,500 --> 00:42:09,839 here are the packets, 1021 00:42:09,840 --> 00:42:11,670 you know, put away the key. 1022 00:42:18,640 --> 00:42:19,640 OK.
1023 00:42:20,980 --> 00:42:23,619 This is the packet we received. 1024 00:42:23,620 --> 00:42:25,689 So the first, the sender address, 1025 00:42:25,690 --> 00:42:28,149 is the address of the remote, 1026 00:42:28,150 --> 00:42:30,219 and the second address is 1027 00:42:30,220 --> 00:42:32,379 the address of our 1028 00:42:32,380 --> 00:42:34,509 KeyMatic, two three D 1029 00:42:34,510 --> 00:42:35,769 six F. 1030 00:42:35,770 --> 00:42:37,989 So now, from 1031 00:42:37,990 --> 00:42:39,789 the previous attacks, you already know, 1032 00:42:39,790 --> 00:42:41,469 or from the previous attack, you 1033 00:42:41,470 --> 00:42:43,000 already know the central address. 1034 00:42:44,290 --> 00:42:46,449 So now let's do 1035 00:42:46,450 --> 00:42:47,620 the attack, 1036 00:42:49,810 --> 00:42:50,810 one sec. 1037 00:42:51,940 --> 00:42:54,189 What we need to do is 1038 00:42:54,190 --> 00:42:55,190 first, 1039 00:42:55,870 --> 00:42:58,599 we need to change the address 1040 00:42:58,600 --> 00:43:00,879 of the LAN configuration adapter 1041 00:43:00,880 --> 00:43:03,009 to the address of 1042 00:43:03,010 --> 00:43:05,079 the victim's central. Otherwise, again, the 1043 00:43:05,080 --> 00:43:08,049 KeyMatic wouldn't accept our packets. 1044 00:43:08,050 --> 00:43:10,359 Then we need to manually 1045 00:43:10,360 --> 00:43:12,669 add the victim's KeyMatic 1046 00:43:12,670 --> 00:43:13,900 to the BidCoS service. 1047 00:43:15,280 --> 00:43:17,679 And after that, we can just use the RPC 1048 00:43:17,680 --> 00:43:19,749 function setValue again to set the 1049 00:43:19,750 --> 00:43:21,459 state of the KeyMatic. 1050 00:43:21,460 --> 00:43:24,009 In this case, the state would be open 1051 00:43:24,010 --> 00:43:26,409 or close the door, no, lock or unlock 1052 00:43:26,410 --> 00:43:27,410 the door. 1053 00:43:28,330 --> 00:43:29,330 Oops. 1054 00:43:30,470 --> 00:43:32,320 OK, let's do it.
1055 00:43:33,980 --> 00:43:36,379 First, I don't touch the 1056 00:43:36,380 --> 00:43:37,910 key, the remote control. 1057 00:43:43,130 --> 00:43:45,619 This is the 1058 00:43:45,620 --> 00:43:47,779 configuration folder of 1059 00:43:47,780 --> 00:43:50,009 the BidCoS service, C:\ProgramData\BidCoS-Service, 1060 00:43:50,010 --> 00:43:51,199 1061 00:43:51,200 --> 00:43:52,489 and 1062 00:43:52,490 --> 00:43:54,919 you see there are no devices, 1063 00:43:54,920 --> 00:43:56,449 that's why this folder is empty, 1064 00:43:57,680 --> 00:43:58,680 and 1065 00:43:59,570 --> 00:44:01,759 I am copying the template 1066 00:44:01,760 --> 00:44:03,559 file into this folder 1067 00:44:04,820 --> 00:44:05,269 and 1068 00:44:05,270 --> 00:44:06,799 there are no secrets. I'm going to show 1069 00:44:06,800 --> 00:44:08,609 you what is in this template file. 1070 00:44:08,610 --> 00:44:11,389 Actually, we need to modify it too, 1071 00:44:11,390 --> 00:44:11,659 and 1072 00:44:11,660 --> 00:44:13,819 you see this template file looks 1073 00:44:13,820 --> 00:44:14,820 pretty empty. 1074 00:44:15,830 --> 00:44:17,509 There are no, um. 1075 00:44:17,510 --> 00:44:18,510 Yeah. 1076 00:44:19,220 --> 00:44:21,289 And in this template file, we just need 1077 00:44:21,290 --> 00:44:23,629 to enter two pieces of information: 1078 00:44:23,630 --> 00:44:25,849 first, the address of the 1079 00:44:25,850 --> 00:44:28,189 KeyMatic, two three D D six 1080 00:44:28,190 --> 00:44:30,979 F. That's what we just sniffed, 1081 00:44:30,980 --> 00:44:32,029 and we need 1082 00:44:33,110 --> 00:44:33,349 two 1083 00:44:33,350 --> 00:44:34,579 three D D six F. 1084 00:44:37,660 --> 00:44:39,849 And we need to enter 1085 00:44:39,850 --> 00:44:41,949 the serial number of 1086 00:44:41,950 --> 00:44:45,099 our BidCoS interface, 1087 00:44:45,100 --> 00:44:47,199 of our LAN configuration adapter.
1088 00:44:47,200 --> 00:44:48,730 Of course, we know that one, 1089 00:44:50,140 --> 00:44:52,419 and the address is three one 1090 00:44:52,420 --> 00:44:54,550 four seven eight five. 1091 00:44:57,450 --> 00:44:59,009 Three, one, four, seven, eight. 1092 00:44:59,010 --> 00:45:00,390 OK. 1093 00:45:05,800 --> 00:45:06,900 Close it now. 1094 00:45:18,400 --> 00:45:20,519 OK, now we start the 1095 00:45:20,520 --> 00:45:21,520 BidCoS service 1096 00:45:23,940 --> 00:45:25,170 on our attacker system. 1097 00:45:27,790 --> 00:45:30,699 It's running and 1098 00:45:30,700 --> 00:45:32,500 we are again using PHP. 1099 00:45:40,060 --> 00:45:42,189 The script looks the same as the one you 1100 00:45:42,190 --> 00:45:43,509 saw on the Raspberry. 1101 00:45:43,510 --> 00:45:45,520 It's really just sending setValue. 1102 00:45:58,380 --> 00:45:59,380 And the door opens. 1103 00:46:11,640 --> 00:46:14,489 OK, now 1104 00:46:14,490 --> 00:46:16,859 how can you detect and prevent 1105 00:46:16,860 --> 00:46:18,389 these kinds of attacks? 1106 00:46:19,680 --> 00:46:22,049 If the devices are using the AES 1107 00:46:22,050 --> 00:46:24,119 handshake, please change the key. 1108 00:46:24,120 --> 00:46:26,939 I think in recent firmware versions, 1109 00:46:26,940 --> 00:46:28,889 most of the problems should have been 1110 00:46:28,890 --> 00:46:31,469 solved, and we tried, 1111 00:46:31,470 --> 00:46:33,689 but till now we didn't find a way 1112 00:46:33,690 --> 00:46:34,859 to circumvent 1113 00:46:35,910 --> 00:46:37,650 the AES handshake in general. 1114 00:46:41,340 --> 00:46:43,889 You can detect attacks 1115 00:46:43,890 --> 00:46:45,929 of the second kind if 1116 00:46:45,930 --> 00:46:47,939 the software supports this function.
1117 00:46:47,940 --> 00:46:50,089 Yeah, if the software supports 1118 00:46:50,090 --> 00:46:51,300 it, by 1119 00:46:54,810 --> 00:46:56,969 trying to detect if another device 1120 00:46:56,970 --> 00:46:59,069 uses your central's address. 1121 00:46:59,070 --> 00:47:01,499 Of course, 1122 00:47:01,500 --> 00:47:03,299 the software knows its own address. 1123 00:47:03,300 --> 00:47:05,819 So if somebody else uses its own address, 1124 00:47:05,820 --> 00:47:08,129 it's easy to detect that. Homegear actually 1125 00:47:08,130 --> 00:47:09,130 does that. 1126 00:47:09,810 --> 00:47:12,059 And you can only detect 1127 00:47:12,060 --> 00:47:13,230 an attack, but not, 1128 00:47:14,820 --> 00:47:15,689 yeah, 1129 00:47:15,690 --> 00:47:17,279 you cannot prevent it. 1130 00:47:17,280 --> 00:47:17,939 OK. 1131 00:47:17,940 --> 00:47:20,099 And the third thing you can do 1132 00:47:20,100 --> 00:47:23,039 to prevent, or not to prevent, but to detect 1133 00:47:23,040 --> 00:47:25,139 attacks of the first kind is 1134 00:47:25,140 --> 00:47:27,149 to do a plausibility check of the 1135 00:47:27,150 --> 00:47:28,229 message counters. 1136 00:47:28,230 --> 00:47:30,299 Again, it's only 1137 00:47:30,300 --> 00:47:31,769 a detection of 1138 00:47:32,910 --> 00:47:34,199 a possible attack. 1139 00:47:34,200 --> 00:47:37,139 But yeah, there is no way 1140 00:47:37,140 --> 00:47:39,119 to prevent these kinds of attacks. 1141 00:47:40,380 --> 00:47:41,380 Thank you. 1142 00:47:51,340 --> 00:47:53,019 Yes, thank you very much for this 1143 00:47:53,020 --> 00:47:54,519 presentation. 1144 00:47:54,520 --> 00:47:56,439 We have time for a few questions. 1145 00:47:56,440 --> 00:47:58,449 But before, if you leave the room, please 1146 00:47:58,450 --> 00:48:00,069 take all your trash with you. 1147 00:48:00,070 --> 00:48:02,289 And if you leave during the Q&A session, 1148 00:48:02,290 --> 00:48:04,089 please do so quietly. 1149 00:48:04,090 --> 00:48:05,019 Thank you.
1150 00:48:05,020 --> 00:48:06,399 Do we have questions from the internet? 1151 00:48:26,470 --> 00:48:29,019 And can we speak of an 1152 00:48:29,020 --> 00:48:30,020 to become? 1153 00:48:30,560 --> 00:48:32,700 Yeah, I'm fine. 1154 00:48:37,720 --> 00:48:40,029 The question is, can you also emulate a 1155 00:48:40,030 --> 00:48:41,199 thermal control? 1156 00:48:43,060 --> 00:48:44,949 So the thermal control itself cannot be 1157 00:48:44,950 --> 00:48:47,140 emulated by sending commands to it? 1158 00:48:50,570 --> 00:48:52,219 I don't completely understand the 1159 00:48:52,220 --> 00:48:54,439 question. We could emulate all 1160 00:48:54,440 --> 00:48:56,539 the functions of the thermal control, or 1161 00:48:56,540 --> 00:48:58,789 is the question to emulate the thermal 1162 00:48:58,790 --> 00:49:00,050 control in order to 1163 00:49:01,580 --> 00:49:03,409 take control of a valve drive? 1164 00:49:03,410 --> 00:49:05,689 I know actually Homegear does 1165 00:49:05,690 --> 00:49:06,919 exactly that. 1166 00:49:06,920 --> 00:49:09,229 Homegear is emulating 1167 00:49:09,230 --> 00:49:11,839 thermal control devices in order 1168 00:49:11,840 --> 00:49:13,909 to, 1169 00:49:13,910 --> 00:49:16,279 yeah, in order to control a valve drive. 1170 00:49:16,280 --> 00:49:18,529 It's a virtual thermal control 1171 00:49:18,530 --> 00:49:20,540 device running on Homegear, 1172 00:49:21,680 --> 00:49:23,959 pretending as if this device 1173 00:49:23,960 --> 00:49:26,659 were a physical, 1174 00:49:26,660 --> 00:49:28,759 a physical thermal control. 1175 00:49:28,760 --> 00:49:29,760 Yeah. 1176 00:49:31,870 --> 00:49:34,239 OK, so 1177 00:49:34,240 --> 00:49:36,459 next question from the audience on 1178 00:49:36,460 --> 00:49:37,460 the left, to you. 1179 00:49:39,160 --> 00:49:40,160 Oh yeah.
1180 00:49:40,990 --> 00:49:42,849 You basically, for the attack where you, 1181 00:49:42,850 --> 00:49:43,839 you know, you warm up your neighbor's 1182 00:49:43,840 --> 00:49:45,969 house, you're spoofing the central 1183 00:49:45,970 --> 00:49:47,109 control, right? 1184 00:49:47,110 --> 00:49:49,179 Is there not a race condition? 1185 00:49:49,180 --> 00:49:50,379 I mean, how does that work with the 1186 00:49:50,380 --> 00:49:51,699 official? 1187 00:49:51,700 --> 00:49:53,229 The real router, the real central. 1188 00:49:53,230 --> 00:49:54,230 You know, 1189 00:49:55,750 --> 00:49:58,119 what is it that we said? Yeah, we can. 1190 00:49:58,120 --> 00:49:59,259 Oh, you mean when both? 1191 00:49:59,260 --> 00:50:00,909 What? What happens when both devices send 1192 00:50:00,910 --> 00:50:01,869 messages? 1193 00:50:01,870 --> 00:50:04,169 Yeah, that's a valid question. 1194 00:50:04,170 --> 00:50:06,429 And when the real 1195 00:50:06,430 --> 00:50:08,499 central controls the set 1196 00:50:08,500 --> 00:50:10,659 point temperature, it will not 1197 00:50:10,660 --> 00:50:13,689 set the set point temperature 1198 00:50:13,690 --> 00:50:16,449 every cycle, only every few cycles. 1199 00:50:16,450 --> 00:50:18,640 So in the cycles between that, 1200 00:50:19,690 --> 00:50:21,639 you can set your set point temperature 1201 00:50:21,640 --> 00:50:24,129 and of course, the valve drive will 1202 00:50:24,130 --> 00:50:25,449 open and close constantly. 1203 00:50:25,450 --> 00:50:27,429 But still, you have the same effect. 1204 00:50:30,010 --> 00:50:32,019 Next question from the right. 1205 00:50:32,020 --> 00:50:34,119 Would it be possible to 1206 00:50:34,120 --> 00:50:36,189 sort of, while driving, 1207 00:50:36,190 --> 00:50:38,499 map the kinds 1208 00:50:38,500 --> 00:50:40,869 of devices using an SDR 1209 00:50:40,870 --> 00:50:41,870 radio?
1210 00:50:43,900 --> 00:50:46,359 You mean what the hardware requirements 1211 00:50:46,360 --> 00:50:48,009 for wardriving would be? 1212 00:50:48,010 --> 00:50:50,259 Is it, is it even possible to 1213 00:50:50,260 --> 00:50:52,449 drive alongside the road and 1214 00:50:52,450 --> 00:50:55,629 map the kinds of devices 1215 00:50:55,630 --> 00:50:58,449 that are used in the buildings 1216 00:50:58,450 --> 00:50:59,769 on the left and right? 1217 00:50:59,770 --> 00:51:01,959 Yeah, it is possible, but 1218 00:51:01,960 --> 00:51:04,179 some devices only very 1219 00:51:04,180 --> 00:51:05,619 rarely send packets. 1220 00:51:05,620 --> 00:51:07,719 So in order to really detect all the 1221 00:51:07,720 --> 00:51:09,999 devices used in the houses 1222 00:51:10,000 --> 00:51:12,309 around you, you would have to wait a long 1223 00:51:12,310 --> 00:51:14,199 time in front of each house. 1224 00:51:14,200 --> 00:51:17,319 And have you tried that using an SDR? 1225 00:51:17,320 --> 00:51:18,999 No, only that. 1226 00:51:19,000 --> 00:51:21,219 Special hardware? 1227 00:51:21,220 --> 00:51:23,409 No, we did not use a software 1228 00:51:23,410 --> 00:51:25,029 defined radio. 1229 00:51:25,030 --> 00:51:26,859 It's not necessary. 1230 00:51:26,860 --> 00:51:29,259 We simply need a Raspberry Pi, 1231 00:51:29,260 --> 00:51:31,359 costing about 1232 00:51:31,360 --> 00:51:32,889 40 euros, and a 1233 00:51:34,090 --> 00:51:37,209 wireless adapter costing between 1234 00:51:37,210 --> 00:51:39,309 50 and 100 1235 00:51:39,310 --> 00:51:40,389 bucks. 1236 00:51:40,390 --> 00:51:42,609 I'm asking because you could simply 1237 00:51:42,610 --> 00:51:45,159 use a modified Realtek. 1238 00:51:47,290 --> 00:51:49,839 So it's only 21 euros. 1239 00:51:49,840 --> 00:51:50,840 OK. 1240 00:51:51,490 --> 00:51:54,039 If you want to, possibly 1241 00:51:54,040 --> 00:51:55,809 you might use one, as 1242 00:51:57,160 --> 00:51:58,719 it would work.
1243 00:51:58,720 --> 00:52:01,300 That would work if it supports 1244 00:52:02,380 --> 00:52:03,380 the 1245 00:52:04,840 --> 00:52:06,370 frequency, eight hundred 1246 00:52:07,900 --> 00:52:10,939 sixty eight megahertz, and 1247 00:52:10,940 --> 00:52:11,940 the, 1248 00:52:15,280 --> 00:52:17,439 the shifting mode, which was 1249 00:52:17,440 --> 00:52:18,929 actually used. The 1250 00:52:20,020 --> 00:52:22,269 CC1101 1251 00:52:22,270 --> 00:52:24,489 chip 1252 00:52:24,490 --> 00:52:26,739 does support several 1253 00:52:26,740 --> 00:52:27,740 transmission modes, 1254 00:52:29,320 --> 00:52:31,779 but I don't know exactly which 1255 00:52:31,780 --> 00:52:33,999 mode is used because 1256 00:52:34,000 --> 00:52:35,559 we don't need to know. 1257 00:52:37,090 --> 00:52:38,349 Thank you. 1258 00:52:38,350 --> 00:52:40,629 OK, next question from the left. 1259 00:52:40,630 --> 00:52:41,559 Um. 1260 00:52:41,560 --> 00:52:43,629 This was exactly what I also would 1261 00:52:43,630 --> 00:52:46,479 have asked, the frequency, because 1262 00:52:46,480 --> 00:52:48,969 automation systems usually use 1263 00:52:48,970 --> 00:52:51,819 800 MHz and not 2.4 GHz 1264 00:52:51,820 --> 00:52:52,820 RF because of 1265 00:52:54,020 --> 00:52:56,099 the, the distance they 1266 00:52:56,100 --> 00:52:57,389 can cover. 1267 00:52:57,390 --> 00:52:59,649 Um, so it is a standard 1268 00:52:59,650 --> 00:53:01,509 protocol. It was used in other popular 1269 00:53:01,510 --> 00:53:03,369 tablet protocols, so it was a standard 1270 00:53:03,370 --> 00:53:05,439 chip on the devices which 1271 00:53:05,440 --> 00:53:07,389 everybody abides by. 1272 00:53:07,390 --> 00:53:08,259 Yes. 1273 00:53:08,260 --> 00:53:10,479 The chip is standard, but the 1274 00:53:10,480 --> 00:53:12,639 BidCoS protocol, the protocol 1275 00:53:12,640 --> 00:53:14,379 used, is not standard. 1276 00:53:14,380 --> 00:53:16,239 Is the BidCoS protocol documented?
1277 00:53:16,240 --> 00:53:18,429 Or is it just that only 1278 00:53:18,430 --> 00:53:19,519 the company itself knows about it? 1279 00:53:21,270 --> 00:53:23,439 I'm not 100 percent sure 1280 00:53:23,440 --> 00:53:25,509 if it's documented, but I don't 1281 00:53:25,510 --> 00:53:26,469 think so. 1282 00:53:26,470 --> 00:53:28,449 We reverse engineered it. 1283 00:53:28,450 --> 00:53:29,450 I think. 1284 00:53:32,100 --> 00:53:33,480 So, next question from the left. 1285 00:53:34,800 --> 00:53:37,349 Hi, I was wondering about the 1286 00:53:37,350 --> 00:53:39,599 challenge response messages 1287 00:53:39,600 --> 00:53:42,629 with the HomeMatic exchange, with the 1288 00:53:42,630 --> 00:53:44,279 HomeMatic system. 1289 00:53:44,280 --> 00:53:45,809 I was wondering if you could give us any 1290 00:53:45,810 --> 00:53:47,939 more information about how that is. 1291 00:53:47,940 --> 00:53:49,829 So for instance, the challenge that's sent, 1292 00:53:49,830 --> 00:53:51,749 how does, how does that get 1293 00:53:51,750 --> 00:53:53,339 integrated into the message that's 1294 00:53:53,340 --> 00:53:54,839 encrypted and returned? 1295 00:53:54,840 --> 00:53:57,449 I mean, how the, how the payload 1296 00:53:57,450 --> 00:53:59,279 is calculated, right? 1297 00:53:59,280 --> 00:53:59,699 I mean, do you 1298 00:53:59,700 --> 00:54:01,289 just simply, we don't know. 1299 00:54:01,290 --> 00:54:02,219 We don't know exactly. 1300 00:54:02,220 --> 00:54:04,739 We don't know exactly. We can only guess. 1301 00:54:04,740 --> 00:54:06,449 Probably. 1302 00:54:06,450 --> 00:54:09,089 It's on the 1303 00:54:09,090 --> 00:54:10,589 slide. 1304 00:54:10,590 --> 00:54:11,489 Let me just see. 1305 00:54:11,490 --> 00:54:12,749 Let me just open it. 1306 00:54:12,750 --> 00:54:14,789 But where is it? 1307 00:54:18,250 --> 00:54:19,250 One sec.
1308 00:54:26,100 --> 00:54:28,349 And on this slide, you can see 1309 00:54:28,350 --> 00:54:30,719 that here are six 1310 00:54:30,720 --> 00:54:33,029 bytes. And here are four bytes, 1311 00:54:33,030 --> 00:54:36,059 and both are within 1312 00:54:36,060 --> 00:54:38,789 this encrypted 1313 00:54:38,790 --> 00:54:41,579 response. So this, that is 1314 00:54:41,580 --> 00:54:44,189 10 of 16 bytes used already. 1315 00:54:44,190 --> 00:54:47,669 So there are six bytes left, and 1316 00:54:47,670 --> 00:54:49,739 probably at least three 1317 00:54:49,740 --> 00:54:51,839 of these six bytes are one of the 1318 00:54:51,840 --> 00:54:54,059 addresses. Maybe the six bytes are the 1319 00:54:54,060 --> 00:54:56,159 sender and the destination address. 1320 00:54:56,160 --> 00:54:58,319 We know that because address spoofing 1321 00:54:58,320 --> 00:54:59,459 is not working. 1322 00:54:59,460 --> 00:55:01,139 We tried that already, 1323 00:55:01,140 --> 00:55:03,329 and, but 1324 00:55:03,330 --> 00:55:05,409 we are not 100 percent sure if it works, 1325 00:55:05,410 --> 00:55:07,559 and what 1326 00:55:07,560 --> 00:55:09,299 is also not possible, by changing the 1327 00:55:09,300 --> 00:55:12,029 default AES key, probably 1328 00:55:12,030 --> 00:55:13,019 we have to try again. 1329 00:55:13,020 --> 00:55:14,549 We haven't worked on that for quite a 1330 00:55:14,550 --> 00:55:16,079 time, but probably 1331 00:55:17,430 --> 00:55:19,569 not only your AES key 1332 00:55:19,570 --> 00:55:21,809 is used, but a combination, 1333 00:55:21,810 --> 00:55:24,139 maybe XOR, whatever, of your 1334 00:55:24,140 --> 00:55:27,149 AES key and the default AES key. 1335 00:55:27,150 --> 00:55:29,159 So you cannot just change the default 1336 00:55:29,160 --> 00:55:31,469 AES key with a configuration adapter 1337 00:55:31,470 --> 00:55:33,749 and then implement the challenge 1338 00:55:33,750 --> 00:55:34,739 response.
1339 00:55:34,740 --> 00:55:35,609 Yeah, that's, 1340 00:55:35,610 --> 00:55:37,229 that's still a little 1341 00:55:37,230 --> 00:55:39,569 mystery, how exactly the AES handshake 1342 00:55:39,570 --> 00:55:40,829 works. 1343 00:55:40,830 --> 00:55:42,359 OK, next question from the right. 1344 00:55:43,740 --> 00:55:44,689 Thanks for the talk. 1345 00:55:44,690 --> 00:55:46,709 I'm wondering if you have looked into 1346 00:55:46,710 --> 00:55:48,029 other systems like 1347 00:55:48,030 --> 00:55:49,169 FS20? 1348 00:55:49,170 --> 00:55:51,259 Yes. Do we expect similar? 1349 00:55:51,260 --> 00:55:52,859 Uh, yeah. 1350 00:55:52,860 --> 00:55:54,029 Or is it different? 1351 00:55:54,030 --> 00:55:56,129 FS20 1352 00:55:56,130 --> 00:55:58,259 is pretty stupid. 1353 00:55:58,260 --> 00:56:00,930 It's not. It's, that existed 1354 00:56:02,070 --> 00:56:04,779 before HomeMatic. 1355 00:56:04,780 --> 00:56:07,559 Yeah, they developed HomeMatic after FS20. 1356 00:56:07,560 --> 00:56:09,749 And FS20 1357 00:56:09,750 --> 00:56:11,699 is unidirectional. 1358 00:56:11,700 --> 00:56:14,429 The devices don't really have addresses, 1359 00:56:14,430 --> 00:56:15,629 you have, 1360 00:56:15,630 --> 00:56:18,389 I don't know. I'm not. 1361 00:56:18,390 --> 00:56:20,279 I think you have master addresses and 1362 00:56:20,280 --> 00:56:21,869 group addresses and something like that, 1363 00:56:21,870 --> 00:56:24,119 but you have no unique device 1364 00:56:24,120 --> 00:56:25,709 addresses and there are not a lot of 1365 00:56:25,710 --> 00:56:26,789 addresses available. 1366 00:56:29,100 --> 00:56:31,229 Yeah, but we 1367 00:56:31,230 --> 00:56:33,389 plan to support other systems, too, 1368 00:56:33,390 --> 00:56:35,289 in Homegear, like F 1369 00:56:35,290 --> 00:56:37,079 S20, for example. 1370 00:56:37,080 --> 00:56:38,489 HomeMatic Wired, of course. 1371 00:56:40,680 --> 00:56:42,899 OK, next question from the left.
1372 00:56:42,900 --> 00:56:43,900 Great work, guys. 1373 00:56:44,820 --> 00:56:47,099 What about the COC board? 1374 00:56:47,100 --> 00:56:49,589 Did you design it by yourself or 1375 00:56:49,590 --> 00:56:51,599 is it somewhere to buy? 1376 00:56:51,600 --> 00:56:53,729 Why didn't you use the, the 1377 00:56:53,730 --> 00:56:54,730 busware stuff? 1378 00:56:56,520 --> 00:56:58,379 Yes, the main reason why we didn't use 1379 00:56:58,380 --> 00:57:00,549 the busware stuff is, we 1380 00:57:00,550 --> 00:57:03,149 wanted to keep an exact timing. 1381 00:57:03,150 --> 00:57:04,889 This was necessary to 1382 00:57:05,940 --> 00:57:07,679 emulate a thermal controller 1383 00:57:08,880 --> 00:57:11,769 communicating with the valve drive device, 1384 00:57:11,770 --> 00:57:14,069 and the COC 1385 00:57:14,070 --> 00:57:16,469 device we have designed 1386 00:57:16,470 --> 00:57:17,969 on our own. 1387 00:57:17,970 --> 00:57:20,369 It's a little bit inspired 1388 00:57:20,370 --> 00:57:22,609 by busware's 1389 00:57:22,610 --> 00:57:23,849 COC device. 1390 00:57:25,230 --> 00:57:27,719 It uses a special 1391 00:57:27,720 --> 00:57:29,819 bottom entry connector so 1392 00:57:29,820 --> 00:57:32,100 it can fit into a Raspberry Pi case. 1393 00:57:33,750 --> 00:57:36,299 But in contrast to the 1394 00:57:36,300 --> 00:57:37,799 busware COC, 1395 00:57:37,800 --> 00:57:39,989 our device does not communicate 1396 00:57:41,310 --> 00:57:43,379 via UART, via 1397 00:57:43,380 --> 00:57:44,880 a microcontroller, with the 1398 00:57:46,410 --> 00:57:48,689 CC1101, 1399 00:57:48,690 --> 00:57:51,179 but it communicates 1400 00:57:51,180 --> 00:57:54,059 directly via SPI with the 1401 00:57:54,060 --> 00:57:55,060 transceiver chip. 1402 00:57:55,860 --> 00:57:57,749 OK, another question.
1403 00:57:57,750 --> 00:57:59,969 Did you look into the 1404 00:57:59,970 --> 00:58:02,369 RWE stuff? It uses 1405 00:58:02,370 --> 00:58:04,109 exactly the same hardware, just a 1406 00:58:04,110 --> 00:58:05,429 slightly different protocol. 1407 00:58:06,570 --> 00:58:07,570 No, we haven't. 1408 00:58:09,090 --> 00:58:10,090 No, we haven't. 1409 00:58:11,460 --> 00:58:13,559 OK, next question from the right. 1410 00:58:13,560 --> 00:58:15,539 Did you get in touch with HomeMatic? 1411 00:58:15,540 --> 00:58:17,190 And if so, how did they respond? 1412 00:58:18,350 --> 00:58:20,460 Uh, yes, 1413 00:58:21,600 --> 00:58:21,899 I don't 1414 00:58:21,900 --> 00:58:22,799 know, I wrote. 1415 00:58:22,800 --> 00:58:24,029 And they are not. 1416 00:58:24,030 --> 00:58:26,379 We wanted to post Homegear on, 1417 00:58:26,380 --> 00:58:27,719 on, on the forum 1418 00:58:27,720 --> 00:58:29,939 HomeMatic-Inside, and eQ-3 was 1419 00:58:29,940 --> 00:58:32,010 not particularly happy about that. 1420 00:58:33,030 --> 00:58:35,459 And one reason was because 1421 00:58:35,460 --> 00:58:37,619 Homegear uses the BidCoS 1422 00:58:37,620 --> 00:58:39,779 service's XML files, and they were 1423 00:58:39,780 --> 00:58:41,849 directly integrated into the software. We 1424 00:58:41,850 --> 00:58:43,499 now removed that, it is not directly 1425 00:58:43,500 --> 00:58:45,719 integrated into Homegear anymore. 1426 00:58:45,720 --> 00:58:47,969 It's, it's still used by Homegear, but 1427 00:58:47,970 --> 00:58:49,289 now it's being downloaded 1428 00:58:51,030 --> 00:58:52,800 on the client, at the client site. 1429 00:58:53,820 --> 00:58:54,820 And 1430 00:58:56,760 --> 00:58:59,009 I wrote eQ-3 because I don't 1431 00:58:59,010 --> 00:59:01,349 want to have any problems with them, but 1432 00:59:01,350 --> 00:59:03,300 until now they still haven't responded.
1433 00:59:06,980 --> 00:59:09,169 OK, then let's give them a 1434 00:59:09,170 --> 00:59:10,219 big round of applause. 1435 00:59:10,220 --> 00:59:10,909 Thank you very much 1436 00:59:10,910 --> 00:59:11,910 for this talk.