1 00:00:00,000 --> 00:00:04,876 So you are in the the 2 00:00:04,876 --> 00:00:11,501 act or GoPro or get the fuck 3 00:00:11,501 --> 00:00:14,000 in the marketing promotions for this. 4 00:00:14,000 --> 00:00:17,209 This is a fairly short talk. 5 00:00:17,209 --> 00:00:22,751 But Todd and I have basically been 6 00:00:22,751 --> 00:00:24,459 around with these cool awesome 7 00:00:24,459 --> 00:00:27,459 TODD MANNING: For 20 minutes. 8 00:00:27,459 --> 00:00:30,751 ZACH LANIER: For 20 minutes 9 00:00:30,751 --> 00:00:33,250 TODD MANNING: Our entire 10 00:00:33,250 --> 00:00:34,626 including this talk. 11 00:00:34,626 --> 00:00:37,000 ZACH LANIER: Right. 12 00:00:37,000 --> 00:00:41,999 So our agenda, the you know, 13 00:00:41,999 --> 00:00:46,000 will cover Excuse me. 14 00:00:46,000 --> 00:00:47,250 TODD MANNING: Entourage, 15 00:00:47,250 --> 00:00:52,751 Only a 20 minute talk and 16 00:00:52,751 --> 00:00:54,334 That's too bad! 17 00:00:56,459 --> 00:01:03,250 TODD MANNING: This 18 00:01:03,250 --> 00:01:10,083 You should have showed 19 00:01:10,083 --> 00:01:13,083 ZACH LANIER: Shit. 20 00:01:13,083 --> 00:01:15,375 Why are we here? 21 00:01:15,375 --> 00:01:17,999 TODD MANNING: Here here First 22 00:01:17,999 --> 00:01:21,375 We we we figure that 23 00:01:21,375 --> 00:01:22,626 They have shot the n00b. 24 00:01:26,626 --> 00:01:28,584 TODD MANNING: N00b has 25 00:01:28,584 --> 00:01:32,417 of meanings and so there's only one 26 00:01:32,751 --> 00:01:37,999 So we also need somebody 27 00:01:37,999 --> 00:01:38,999 You, sir. 28 00:01:38,999 --> 00:01:40,999 TODD MANNING: Preferably 29 00:01:43,999 --> 00:01:46,334 He's Midway through the change. 30 00:01:46,334 --> 00:01:47,501 Come on up. 31 00:01:47,709 --> 00:01:52,999 TODD MANNING: I will take two. 32 00:01:53,125 --> 00:01:54,167 You know, guys try to act 33 00:01:54,167 --> 00:01:56,918 to make you drink 34 00:01:56,999 --> 00:01:57,999 I don't know. 35 00:01:58,334 --> 00:02:01,999 I guess ticket prices will be 36 00:02:01,999 --> 00:02:04,999 Now you have four minutes left. 37 00:02:04,999 --> 00:02:06,083 ZACH LANIER: Damn it! 38 00:02:06,083 --> 00:02:07,542 TODD MANNING: That's 39 00:02:07,542 --> 00:02:08,999 the material. 40 00:02:08,999 --> 00:02:09,999 (Laughter). 41 00:02:09,999 --> 00:02:12,209 ZACH LANIER: Shut up and drink. 42 00:02:12,209 --> 00:02:14,083 TODD MANNING: GoPro GTFO! 43 00:02:14,083 --> 00:02:15,083 Woo! 44 00:02:15,083 --> 00:02:21,959 TODD MANNING: Thank you, 45 00:02:23,501 --> 00:02:25,667 Do I get a GoPro. 46 00:02:25,667 --> 00:02:29,999 TODD MANNING: You know 47 00:02:31,792 --> 00:02:35,083 The young lady might have gotten 48 00:02:35,083 --> 00:02:37,834 ZACH LANIER: Traffic. 49 00:02:37,876 --> 00:02:41,375 TODD MANNING: Bring more booze 50 00:02:41,375 --> 00:02:44,292 ZACH LANIER: Okay. 51 00:02:44,292 --> 00:02:45,999 So continuing on. 52 00:02:45,999 --> 00:02:48,751 So we'll have you're brief intro, 53 00:02:48,751 --> 00:02:50,501 while drinking. 54 00:02:50,999 --> 00:02:53,083 We'll talk a little bit 55 00:02:53,083 --> 00:02:56,751 to time limitations we will gloss 56 00:02:56,751 --> 00:02:59,209 We will cite previous research 57 00:02:59,209 --> 00:03:01,375 to mess with this but, you know, 58 00:03:01,375 --> 00:03:04,209 to give credit where credit is due. 59 00:03:04,792 --> 00:03:06,999 We will talk 60 00:03:06,999 --> 00:03:10,167 and we are certainly not finished. 61 00:03:10,667 --> 00:03:12,999 As well as some 62 00:03:12,999 --> 00:03:15,834 out of this research up to this point. 63 00:03:15,918 --> 00:03:19,083 We'll talk a little bit 64 00:03:19,083 --> 00:03:22,584 will conclude with a bunch 65 00:03:22,751 --> 00:03:24,209 So first, Todd. 66 00:03:24,209 --> 00:03:29,417 TODD MANNING: What's up? 67 00:03:29,876 --> 00:03:31,083 I'm Todd Manning. 68 00:03:31,083 --> 00:03:34,083 Senior research consultant 69 00:03:34,626 --> 00:03:36,834 Horror for hire, you know. 70 00:03:36,999 --> 00:03:39,083 I used to work 71 00:03:39,083 --> 00:03:43,792 security research team and now I turn it 72 00:03:43,792 --> 00:03:48,083 ZACH LANIER: Hi, I'm Zach Lanier 73 00:03:48,334 --> 00:03:50,999 I'm also a senior research consultant. 74 00:03:50,999 --> 00:03:52,125 Did I get a whistle? 75 00:03:52,292 --> 00:03:54,417 That's awesome. 76 00:03:54,417 --> 00:03:56,292 I'm not even wearing a dress this year. 77 00:03:56,292 --> 00:03:58,876 TODD MANNING: He 78 00:03:58,876 --> 00:04:00,083 ZACH LANIER: Backwards. 79 00:04:00,125 --> 00:04:03,918 I'm also a senior research consultant 80 00:04:03,999 --> 00:04:09,083 Just old timey net web app mobile app 81 00:04:10,334 --> 00:04:12,375 Why did we pick the GoPro. 82 00:04:12,959 --> 00:04:14,334 Because Todd wanted to. 83 00:04:14,334 --> 00:04:16,751 TODD MANNING: Because I had one 84 00:04:16,751 --> 00:04:19,999 ZACH LANIER: It's 85 00:04:19,999 --> 00:04:22,083 I'm sure you have seen it 86 00:04:22,083 --> 00:04:27,334 featuring scantily clad men and women, 87 00:04:27,334 --> 00:04:30,999 on their skateboards and fall a lot. 88 00:04:31,250 --> 00:04:34,167 It is Wi Fi enabled. 89 00:04:34,375 --> 00:04:38,501 It's got all of these cool features that 90 00:04:38,501 --> 00:04:40,999 to control the camera. 91 00:04:41,375 --> 00:04:43,999 One of the more interesting facts 92 00:04:43,999 --> 00:04:47,999 a company called Amberella who 93 00:04:47,999 --> 00:04:51,999 not only in the GoPro 94 00:04:51,999 --> 00:04:54,999 we found to be intriguing, and so, 95 00:04:54,999 --> 00:04:57,999 another future research thing. 96 00:04:58,167 --> 00:05:01,292 We focused 97 00:05:01,292 --> 00:05:04,542 which is what we have up here. 98 00:05:04,999 --> 00:05:07,584 So a lot of details that will be 99 00:05:07,584 --> 00:05:10,959 of the hardware is a little bit different 100 00:05:10,959 --> 00:05:14,334 a little bit later and plus it's really 101 00:05:14,334 --> 00:05:16,459 I can't say that 102 00:05:16,459 --> 00:05:17,709 TODD MANNING: I can. 103 00:05:17,709 --> 00:05:18,999 It's fucking extreme! 104 00:05:18,999 --> 00:05:20,751 ZACH LANIER: Mountain Dew. 105 00:05:32,667 --> 00:05:39,584 It featured an Amberella, it's 106 00:05:39,584 --> 00:05:44,999 JTAG and blah, blah, blah, blah, 107 00:05:44,999 --> 00:05:50,083 for their light sensors 108 00:05:50,083 --> 00:05:56,250 on this Atheros controller, 109 00:05:56,250 --> 00:06:04,083 of stuff that's not relevant to security 110 00:06:04,083 --> 00:06:08,876 it has a lot of stuff that's not used. 111 00:06:08,999 --> 00:06:11,209 All packed 112 00:06:11,209 --> 00:06:12,375 TODD MANNING: Okay. 113 00:06:12,375 --> 00:06:13,375 I will do this one. 114 00:06:18,626 --> 00:06:21,417 I figured it was my turn to talk. 115 00:06:21,667 --> 00:06:24,417 One interesting thing, 116 00:06:24,417 --> 00:06:29,167 of found when we busted this camera 117 00:06:29,167 --> 00:06:31,083 not just one. 118 00:06:31,125 --> 00:06:33,792 So two for the price of one. 119 00:06:33,792 --> 00:06:37,792 One is the iTRON embedded operating 120 00:06:37,959 --> 00:06:41,542 It's like this open source sort 121 00:06:41,542 --> 00:06:43,667 standard really. 122 00:06:43,667 --> 00:06:46,626 So the version that runs on here 123 00:06:46,626 --> 00:06:50,876 to the standard developed 124 00:06:50,876 --> 00:06:52,334 I guess. 125 00:06:52,751 --> 00:06:57,999 So it's primarily responsible 126 00:06:57,999 --> 00:07:01,751 So capturing images, doing encoding 127 00:07:01,999 --> 00:07:04,459 And then it runs Linux kernel version 128 00:07:05,834 --> 00:07:09,250 So the realtime the ox S system works, 129 00:07:09,250 --> 00:07:12,959 of threads that are 130 00:07:13,083 --> 00:07:17,459 One thread is dedicated 131 00:07:17,459 --> 00:07:22,709 the Linux operating system 132 00:07:22,709 --> 00:07:28,999 of higher order functions that deal 133 00:07:28,999 --> 00:07:33,667 like, mobile application that kind 134 00:07:33,667 --> 00:07:37,375 And so yeah. 135 00:07:37,375 --> 00:07:38,959 Two operating systems. 136 00:07:38,999 --> 00:07:41,834 There's a private network that runs 137 00:07:41,834 --> 00:07:44,334 The networking address is given here, 138 00:07:46,999 --> 00:07:52,501 The the realtime operating system side 139 00:07:52,501 --> 00:07:57,959 of handles certain requests, 140 00:07:57,959 --> 00:08:02,876 of the, like, preview mode files 141 00:08:02,876 --> 00:08:06,250 the version 142 00:08:06,250 --> 00:08:09,959 server that handles actually taking 143 00:08:09,959 --> 00:08:14,999 from the mobile remote control 144 00:08:14,999 --> 00:08:20,209 from that on to the realtime operating 145 00:08:20,209 --> 00:08:22,667 describe shortly. 146 00:08:27,999 --> 00:08:30,834 One second, I need some water. 147 00:08:30,834 --> 00:08:31,834 Okay. 148 00:08:31,834 --> 00:08:33,375 ZACH LANIER: This is your boy. 149 00:08:33,375 --> 00:08:35,999 TODD MANNING: So some previous 150 00:08:35,999 --> 00:08:35,999 Looking into this camera, it's like, oh, 151 00:08:35,999 --> 00:08:38,876 to know something about it, 152 00:08:38,876 --> 00:08:41,876 So the OG of like, you know, 153 00:08:41,876 --> 00:08:48,250 is this cat called evil wombat 154 00:08:50,999 --> 00:08:54,375 Likes to give information. 155 00:08:56,125 --> 00:08:58,459 He's developed a number 156 00:08:58,459 --> 00:09:00,209 on GitHub/evilwombat. 157 00:09:04,125 --> 00:09:09,083 He's an ARM firmware developer 158 00:09:09,083 --> 00:09:10,876 I know he lives on the West Coast. 159 00:09:10,876 --> 00:09:12,999 Other than that, you know, 160 00:09:12,999 --> 00:09:15,792 for more than just a few hours. 161 00:09:16,250 --> 00:09:18,626 Stop dropping Docs. 162 00:09:18,626 --> 00:09:22,542 Hey, wait, sorry about that. 163 00:09:23,751 --> 00:09:27,626 So, yeah, in his repository, 164 00:09:27,626 --> 00:09:31,209 the firmware updates that come 165 00:09:31,209 --> 00:09:37,167 of do some further analysis yourself, 166 00:09:37,167 --> 00:09:39,375 He's got a tool that 167 00:09:39,375 --> 00:09:44,375 to USB and then boot your own custom 168 00:09:44,375 --> 00:09:47,999 brick your camera like I have done, 169 00:09:47,999 --> 00:09:50,459 ostensibly unbrick it. 170 00:09:50,459 --> 00:09:54,083 There are some there's some cases 171 00:09:54,083 --> 00:09:57,999 yeah, real nice guy that has made some 172 00:09:57,999 --> 00:10:02,876 has we have stood on the shoulders 173 00:10:02,876 --> 00:10:04,626 Evil Wombat. 174 00:10:04,626 --> 00:10:07,999 If you are here, I will buy you 175 00:10:07,999 --> 00:10:09,751 to a movie. 176 00:10:09,751 --> 00:10:10,999 You are a real sweet person. 177 00:10:10,999 --> 00:10:11,999 (Laughter). 178 00:10:12,125 --> 00:10:16,501 ZACH LANIER: So one 179 00:10:16,501 --> 00:10:19,125 was this ambsh script. 180 00:10:22,751 --> 00:10:26,709 So if you put that on to the SD card 181 00:10:26,709 --> 00:10:30,167 it will basically auto exec what you put 182 00:10:30,167 --> 00:10:34,375 TODD MANNING: It wasn't that 183 00:10:34,375 --> 00:10:37,042 It's rather he discovered that 184 00:10:37,042 --> 00:10:41,999 a script called autoexec.ash that's 185 00:10:41,999 --> 00:10:45,626 a number of commands and 186 00:10:45,626 --> 00:10:50,375 into understanding what it was that we 187 00:10:50,375 --> 00:10:52,250 by doing that. 188 00:10:52,250 --> 00:10:53,542 ZACH LANIER: Right. 189 00:10:53,542 --> 00:10:54,542 That's better. 190 00:10:54,876 --> 00:10:59,459 And so one of the things 191 00:10:59,459 --> 00:11:04,125 in the Amberella shell called T 192 00:11:04,125 --> 00:11:09,459 of the low level control 193 00:11:09,459 --> 00:11:16,876 the T app test, USB231, it 194 00:11:17,083 --> 00:11:20,834 So it gives enthusiasm access 195 00:11:22,083 --> 00:11:24,999 There's a slew 196 00:11:24,999 --> 00:11:27,999 through even in 30 minutes. 197 00:11:27,999 --> 00:11:31,209 One of the things you shouldn't do 198 00:11:32,709 --> 00:11:35,999 Because it officially bricks your camera. 199 00:11:37,125 --> 00:11:38,751 Don't do that. 200 00:11:39,083 --> 00:11:41,876 TODD MANNING: I would say, 201 00:11:41,999 --> 00:11:44,250 When you run that command 202 00:11:44,250 --> 00:11:47,626 all the NANDs comes up, 203 00:11:47,626 --> 00:11:51,250 but when you reboot, 204 00:11:51,250 --> 00:11:52,334 Let me put it that way. 205 00:11:52,334 --> 00:11:54,459 ZACH LANIER: One 206 00:11:54,459 --> 00:11:55,999 at shared. 207 00:11:58,918 --> 00:12:03,626 It allows the Arthos to talk 208 00:12:03,626 --> 00:12:10,375 over an RTS channel and that allows 209 00:12:10,375 --> 00:12:15,999 to execute any command, as root 210 00:12:16,125 --> 00:12:21,584 So in this case, these snippets here, 211 00:12:21,584 --> 00:12:27,999 by evil wombat chilled 212 00:12:30,209 --> 00:12:32,292 80D goes to 80. 213 00:12:35,083 --> 00:12:39,083 That's one of the external ports that you 214 00:12:39,250 --> 00:12:45,834 So it kills Cherokee and has telnet 215 00:12:46,876 --> 00:12:51,375 Hey, here, we got root on a camera, 216 00:12:53,334 --> 00:12:56,999 Todd is a bad ass. 217 00:12:58,501 --> 00:13:03,542 One of the first things we actually 218 00:13:03,542 --> 00:13:08,083 was looking at the GoPro app mode 219 00:13:08,083 --> 00:13:09,584 So it runs if one of two modes. 220 00:13:09,584 --> 00:13:10,999 Wi Fi remote or GoPro app. 221 00:13:10,999 --> 00:13:13,125 The first one is the GoPro app mode. 222 00:13:13,125 --> 00:13:16,083 It allows you to install a Linux or IOS. 223 00:13:17,167 --> 00:13:19,751 It acts as an access point. 224 00:13:20,083 --> 00:13:23,125 You associate with it, 225 00:13:23,125 --> 00:13:26,334 and it connects 226 00:13:26,709 --> 00:13:30,959 The web server that it talks on 80 227 00:13:30,959 --> 00:13:35,542 for a control channel 228 00:13:35,542 --> 00:13:40,250 and on 8080 it receives it streaming 229 00:13:40,250 --> 00:13:42,250 What is interesting about this and 230 00:13:42,250 --> 00:13:44,999 Wi Fi backpack uses 10.5.5.9. 231 00:13:47,459 --> 00:13:50,167 It uses MDS for discovery. 232 00:13:50,999 --> 00:13:55,542 But it connects to 10.5.5.9, 233 00:13:55,542 --> 00:13:57,083 I don't know if it's a fallback. 234 00:13:57,999 --> 00:14:00,083 And it uses MPEG TS. 235 00:14:02,334 --> 00:14:07,167 It continually receives this play list 236 00:14:07,667 --> 00:14:12,999 And then that file, 237 00:14:12,999 --> 00:14:15,709 that it retrieves. 238 00:14:15,709 --> 00:14:17,250 So it's not really streaming 239 00:14:17,250 --> 00:14:21,125 but it's receiving these .3 second files 240 00:14:21,125 --> 00:14:25,709 the next one and playing it retrieving 241 00:14:25,709 --> 00:14:29,459 a new set of files and this just rotates 242 00:14:29,542 --> 00:14:33,999 You can actually just point Quicktime 243 00:14:33,999 --> 00:14:37,792 player you like at the MUA file 244 00:14:37,792 --> 00:14:40,959 the preview video from the camera. 245 00:14:40,959 --> 00:14:42,999 Kind of turning it into a, you know, 246 00:14:42,999 --> 00:14:47,125 if you so actually were able 247 00:14:47,125 --> 00:14:50,918 TODD MANNING: We asked that 248 00:14:50,918 --> 00:14:54,751 of that offensive technology, please. 249 00:14:54,751 --> 00:14:55,959 ZACH LANIER: Right. 250 00:14:55,959 --> 00:14:58,792 So the other mode that's notable 251 00:14:58,792 --> 00:14:59,834 And this one we find 252 00:14:59,834 --> 00:15:02,999 which we can discuss 253 00:15:03,250 --> 00:15:04,667 In this case, 254 00:15:04,667 --> 00:15:06,209 if we have with us, it's 255 00:15:06,209 --> 00:15:08,250 the little key chain device. 256 00:15:08,334 --> 00:15:11,167 It acts as a mobile device, 257 00:15:11,167 --> 00:15:13,792 with the smaller device. 258 00:15:17,999 --> 00:15:29,292 It goes to here rc xxxx which are 259 00:15:29,667 --> 00:15:31,083 Once it's paired, it 260 00:15:31,083 --> 00:15:32,999 and prefer that, 261 00:15:32,999 --> 00:15:34,584 to a new remote. 262 00:15:34,709 --> 00:15:36,999 So you can draw your own conclusions 263 00:15:36,999 --> 00:15:38,834 possible there. 264 00:15:38,834 --> 00:15:39,999 It's also totally open. 265 00:15:39,999 --> 00:15:42,083 There's no security whatsoever. 266 00:15:42,083 --> 00:15:45,125 So you can just associate 267 00:15:45,751 --> 00:15:47,999 We're still sort of exploring what 268 00:15:47,999 --> 00:15:50,542 about attacking the remotes. 269 00:15:50,542 --> 00:15:51,999 But anyway. 270 00:15:53,083 --> 00:15:55,083 Network attack surface. 271 00:15:55,501 --> 00:15:58,375 The Cleroux key web server runs this 272 00:15:58,375 --> 00:16:01,792 on an unprivileged port 273 00:16:01,999 --> 00:16:05,083 We noticed there's absolutely no 274 00:16:05,167 --> 00:16:07,626 The compiler options and 275 00:16:07,626 --> 00:16:10,501 like on the file system of the camera. 276 00:16:10,876 --> 00:16:12,501 So you can totally have fun there. 277 00:16:12,918 --> 00:16:16,626 The executable base itself not 278 00:16:16,626 --> 00:16:20,209 of the payload is not really difficult. 279 00:16:20,209 --> 00:16:24,792 If you find 280 00:16:24,999 --> 00:16:26,999 So we're like at five minutes. 281 00:16:26,999 --> 00:16:30,417 So iTRON side TODD MANNING: 282 00:16:31,792 --> 00:16:32,999 Okay. 283 00:16:32,999 --> 00:16:34,584 So like we said, two web servers. 284 00:16:34,626 --> 00:16:37,876 On the realtime OS side, 285 00:16:37,876 --> 00:16:41,999 there were these URLs that 286 00:16:41,999 --> 00:16:47,334 to engage different behavior 287 00:16:47,876 --> 00:16:51,834 Some are configuration type commands 288 00:16:51,834 --> 00:16:56,876 reconfigure capture settings 289 00:16:56,876 --> 00:17:01,959 start recording, stop recording, 290 00:17:02,250 --> 00:17:04,250 Basically, you know, 291 00:17:04,250 --> 00:17:07,999 to the Wi Fi axis point, 292 00:17:07,999 --> 00:17:12,083 and kind of reconfigure 293 00:17:12,083 --> 00:17:15,999 We are working 294 00:17:15,999 --> 00:17:18,751 acts as the control. 295 00:17:19,083 --> 00:17:22,709 Let's see, and it actually passes 296 00:17:22,709 --> 00:17:26,334 and I haven't found 297 00:17:26,334 --> 00:17:31,542 and I'm not sure why that happens, 298 00:17:31,542 --> 00:17:35,083 I mean, I guess it's the key 299 00:17:35,083 --> 00:17:38,375 yeah, it seems kind of strange. 300 00:17:38,834 --> 00:17:43,083 And basically once you you know, 301 00:17:43,083 --> 00:17:47,626 in either the realtime OS or 302 00:17:47,626 --> 00:17:51,459 from the realtime OS side, 303 00:17:51,459 --> 00:17:55,250 If you find like a Cherokee bug, 304 00:17:55,250 --> 00:18:00,542 to do there too to bridge the gap 305 00:18:00,999 --> 00:18:05,999 So in terms of local attack surface, 306 00:18:05,999 --> 00:18:09,999 and so there's to privilege exception. 307 00:18:10,999 --> 00:18:14,125 Everything 308 00:18:14,125 --> 00:18:19,334 all the libraries are loaded 309 00:18:19,959 --> 00:18:23,999 The web server itself, so Cherokee 310 00:18:23,999 --> 00:18:26,999 images at hex 8000 and there's actual 311 00:18:26,999 --> 00:18:29,999 of sections that get mapped there. 312 00:18:30,250 --> 00:18:34,083 Sorry, 8000 and then like hex 8300. 313 00:18:34,334 --> 00:18:39,083 Let's see, it runs busybox 314 00:18:39,083 --> 00:18:47,083 you know, busybox utilities there, 315 00:18:47,083 --> 00:18:51,083 You know, sometimes you see that 316 00:18:51,083 --> 00:18:53,626 I feel like you want to break in there, 317 00:18:53,626 --> 00:18:56,918 ZACH LANIER: So basically it's just 318 00:18:56,918 --> 00:19:00,999 but pretty much every executable base 319 00:19:00,999 --> 00:19:04,083 or always mapped 320 00:19:04,083 --> 00:19:07,709 terribly difficult to get reliable codex. 321 00:19:07,709 --> 00:19:10,083 TODD MANNING: I feel 322 00:19:10,083 --> 00:19:12,334 but, you know, maybe not. 323 00:19:12,709 --> 00:19:15,792 So there are a number of, like, 324 00:19:15,792 --> 00:19:18,999 quote/unquote services that are 325 00:19:18,999 --> 00:19:24,999 A couple of them are listening 326 00:19:25,250 --> 00:19:29,083 They handle JSON well, one 327 00:19:29,083 --> 00:19:34,083 messages from the ISON side, 328 00:19:36,999 --> 00:19:38,999 Basically, their mechanism 329 00:19:38,999 --> 00:19:41,876 across like these two operating 330 00:19:41,876 --> 00:19:43,876 So they share the same memory, 331 00:19:43,876 --> 00:19:47,083 like this queue based message passing 332 00:19:47,083 --> 00:19:49,876 And hey, it's a great time to talk 333 00:19:49,876 --> 00:19:54,167 ZACH LANIER: So the we're 334 00:19:54,334 --> 00:19:56,876 So we will probably breeze 335 00:19:58,083 --> 00:20:01,334 Upping IPS, 336 00:20:01,334 --> 00:20:04,999 are there and they point to the M 337 00:20:04,999 --> 00:20:09,083 is the Amberella which 338 00:20:09,083 --> 00:20:11,999 to iTRON worth exploring. 339 00:20:12,375 --> 00:20:16,334 They are on the Amberella or 340 00:20:16,334 --> 00:20:19,584 shell, you can run PRAG, 341 00:20:19,584 --> 00:20:25,375 out all of these different programs that 342 00:20:25,375 --> 00:20:27,125 It's like son IPC ish. 343 00:20:27,709 --> 00:20:31,459 It maps to I aspecific program that's 344 00:20:31,459 --> 00:20:34,918 and that's basically all we will talk 345 00:20:34,918 --> 00:20:38,042 because we are running out of time. 346 00:20:38,042 --> 00:20:40,709 Future research, remote monitoring, 347 00:20:40,709 --> 00:20:43,334 like the spoke or 348 00:20:43,334 --> 00:20:45,375 the camera to spy. 349 00:20:45,834 --> 00:20:47,167 That sounds really cool. 350 00:20:47,417 --> 00:20:49,792 Next thing would be 351 00:20:49,792 --> 00:20:55,042 from the wire Wi Fi remote and 352 00:20:55,042 --> 00:20:58,918 And it's remarkably similar 353 00:21:03,792 --> 00:21:10,375 Back door persistence, blah, blah, blah, 354 00:21:10,375 --> 00:21:14,125 maybe tomorrow when we are sober. 355 00:21:14,375 --> 00:21:16,083 At GitHub.com/quine/GoProGTFO. 356 00:21:22,999 --> 00:21:26,876 And finally if you want to reach us, 357 00:21:26,876 --> 00:21:29,083 or quine on Twitter. 358 00:21:29,083 --> 00:21:32,999 And these are really cool people 359 00:21:32,999 --> 00:21:36,083 And if you are not 360 00:21:36,083 --> 00:21:38,250 we are sorry. 361 00:21:38,250 --> 00:21:41,334 We will take questions 362 00:21:41,334 --> 00:21:42,459 Thank you for coming. 363 00:21:42,459 --> 00:21:43,459 The lovely Todd. 364 00:21:43,459 --> 00:21:45,792 (Applause) TODD MANNING: I love 365 00:21:45,792 --> 00:21:45,792 ZACH LANIER: And 366 00:21:45,792 --> 00:21:47,626 in the audience, you know where to go. 367 00:21:47,626 --> 00:21:48,626 Outside. 368 00:21:48,626 --> 00:21:50,542 TODD MANNING: I have one 369 00:21:50,542 --> 00:21:51,626 I'm going to flip you. 370 00:21:51,626 --> 00:21:51,626 Did anyone log 371 00:21:51,626 --> 00:21:52,626 Fi password? 372 00:21:52,626 --> 00:21:52,626 Did anybody if you can prove it 373 00:21:52,626 --> 00:21:54,292 will fucking give you this camera. 374 00:21:54,292 --> 00:21:55,292 I take that as a no. 375 00:21:55,292 --> 00:21:56,542 None of you are hackers. 376 00:21:56,542 --> 00:21:57,542 (Laughter).