00:00:00.000-->00:00:05.005 >>Let's, er, let's give Zeke a big round of applause. [applause] Rock 'n roll, have a 00:00:08.876-->00:00:14.181 good time. >>Thanks. Okay, er, so I think we're about, er, out of time... [laughter] thank you 00:00:14.181-->00:00:19.186 everybody for coming out. Er, so yeah, so, so my name is, erm, Ricky "HeadlessZeke". Uhm, this 00:00:21.655-->00:00:25.759 was my talk and erm, let's just get right into it. Er, [hums] to-do-do-do. Okay so, er, I'm a 00:00:25.759-->00:00:30.797 security researcher at, er, Tipping Point DB Labs, now er, a Trendmicro Tipping Point, erm 00:00:30.797-->00:00:35.369 until just recently HPE and before that HP, and before that 3com. Erm, I wasn't there during 00:00:35.369-->00:00:40.374 that time that, er, whatever, erm...most of my hacking, erm, involves things that I find 00:00:45.312-->00:00:50.317 lying around the house and things that I have easy access to, which ends up being a lot of 00:00:54.388-->00:01:00.827 I.O.T. things. Erm, this is actually, erm my third time, er, speaking at DefCon. Erm, my 00:01:00.827-->00:01:05.832 first time with an actual Defcon beard. Erm, thank you. [laughs]. Erm, so yeah, but I've spoken at 00:01:09.970-->00:01:15.976 like Ruxcon, ReCon, er, Insomi'hack, erm and I actually used to install physical 00:01:15.976-->00:01:22.482 security systems for a living, er, which is, erm, kind of where part of my motivation came from 00:01:22.482-->00:01:27.454 for doing this talk. Uhm, my first ever talk period was at Defcon. It was a little 00:01:27.454-->00:01:32.459 lightening talk about a super overly complicated attack that I found in HIV card readers. Erm, 00:01:36.630-->00:01:43.236 it was like, er, TCP reader type, where you like capture a remote unlock command and then 00:01:43.236-->00:01:48.275 reinject it into the session later on. And then you can reopen that same door for that 00:01:48.275-->00:01:53.046 same period of time. But I couldn't compose my own unlock commands, so it was really 00:01:53.046-->00:01:59.953 humiliating and I feel like I could do better and er I did, so that's why I'm here. Erm, but I 00:01:59.953-->00:02:06.560 also, erm, had a conversation with a friend or two, er, about how cool it would be able to 00:02:06.560-->00:02:12.499 like mess with video streams and stuff. And erm, so, erm, I started, I started kinda 00:02:12.499-->00:02:17.504 formulating an idea of a talk and here we are. Er, so, erm... I'm trying to decide what all I 00:02:21.341-->00:02:26.346 should skip through since we are all so behind in time. Erm, so physical security, erm, 00:02:29.016-->00:02:34.521 basically, it's, er, just a way to protect yourf valuable assets and your facilities. Erm, er, 00:02:34.521-->00:02:39.526 when I talk about physical security, I'm talking about access control so that the 00:02:42.029-->00:02:47.034 reader stuff, er, surveillance and alarms. Erm, so basically no matter how big your organization 00:02:49.669-->00:02:55.942 is, your got some kind of physical security, erm, whether it's just like, you know a 00:02:55.942-->00:03:00.881 manual, physical lock on a door, or, erm, what-whatever it is, erm, it's in, it's in every 00:03:04.117-->00:03:10.724 single organization. Erm, but the larger the organization, er, the more unattainable the 00:03:10.724-->00:03:17.564 managing of a physical security system becomes. Erm, so piece by piece, erm, people are starting 00:03:17.564-->00:03:23.470 move it to the network, er, to make remote management really easy and really convenient. Erm, 00:03:23.470-->00:03:30.177 but with that convenience, erm, comes the worries of, you know, network attacks and, and things 00:03:30.177-->00:03:35.182 like that. Er ,ssht, ssht, shht,, sshht so what you end up with is: you've got these 00:03:38.518-->00:03:44.324 embedded devices, erm that are accessible via the network. And they are protecting all of your 00:03:44.324-->00:03:49.329 valuable assets. And they're in every single organization out there, erm, so, you should take 00:03:53.333-->00:03:58.338 a look at them. Alright so, access control is er, by far the most complicated piece of this 00:04:02.709-->00:04:07.714 puzzle. Erm, so, it's erm, I'm going to go, go through it in detail, to describe, erm, like 00:04:10.217-->00:04:16.356 the layout of every thing. Erm, but basically you've got your, er, locking mechanism...hang on, 00:04:16.356-->00:04:21.361 I'm goon grab a [inaudible]. Er, so you got your, your, er, locking mechanism, erm, which is 00:04:23.497-->00:04:28.502 is what keeps the door from being able to open. I.D. mechanism: which lets you open 00:04:30.637-->00:04:35.642 the door. Erm, and then you going to have various, er, sensors and, erm, [beeping 00:04:37.944-->00:04:42.949 noise] erm, oh, sorry. I just [laughs] that was the equivalent of me forcing open the door. Er, 00:04:42.949-->00:04:48.355 so I'm going to have to acknowledge that alarm. Maybe, I'll just power cycle it. Hang 00:04:48.355-->00:04:53.360 on. [laughs]. Sorry door. Okay, and then of course you've got some management software, erm, 00:04:56.463-->00:05:00.400 on a remote terminal somewhere, er, that when somebody says like: "Hey, I forgot my I.D." 00:05:00.400-->00:05:05.405 erm, you can buzz them in, or can push down, schedule changes and things like that. Alright, 00:05:09.409-->00:05:15.682 so a little bit, a little bit more detail about, about the door, erm. When I'm talking, 00:05:15.682-->00:05:21.621 when I'm talking about the I.D. reader, erm that covers the entire span of like, of like, 00:05:21.621-->00:05:28.161 you know, from the low end like pin pad and mag stripe readers to the high end like biometric 00:05:28.161-->00:05:33.800 retinal scanners and things like that. Erm, then got what's called the request to exit, 00:05:33.800-->00:05:38.972 which's what lets the door know that somebody is leaving from the secured side, so even though 00:05:38.972-->00:05:45.278 you don't see, erm like a, erm, a card read or anything like that, it's okay for them to open 00:05:45.278-->00:05:50.884 the door because they were already inside. Erm, the door contact is the magnet that shows 00:05:50.884-->00:05:55.889 whether the door is open or closed. Erm, the lock or strike is, er, the locking mechanism. 00:05:58.491-->00:06:03.430 Blah, blah, blah. Erm, most important part is, er, the door controller. Are you guys 00:06:05.799-->00:06:10.804 following along well with this slides with the way I'm doing 'em? Okay. Erm, so the most 00:06:10.804-->00:06:15.809 important part for my purposes, erm was the door controller, erm, which is, is the part that, 00:06:17.877-->00:06:24.451 erm, holds a local copy of the database. Erm, all the other pieces of the door wire into it 00:06:24.451-->00:06:29.456 and that's what's connected to the network. Er, so here's a a diagram of how that all wires 00:06:32.492-->00:06:38.565 together. Erm, you see above, above the door, in the middle you've got a passive infrared, 00:06:38.565-->00:06:44.037 that's your request to exit or rex. Erm that's just a motion sensor that says say somebody's 00:06:44.037-->00:06:48.608 walkin' up to the door and you got a little magnet on top of the door, you got a lock on the 00:06:48.608-->00:06:53.613 side of the door, reader on the side of the door. Erm, hang on...[some clapping] [laughs] 00:06:56.216-->00:07:01.154 erm, all of that is what's wired into the door controller, which then goes out into the cloud. 00:07:03.790-->00:07:08.795 Or, you know, the, er, LAN or whatever. Alright, so let's cover some attack factors. Erm, 00:07:13.533-->00:07:20.540 first I'll start by talking about some existing things in, erm things that aren't really 00:07:20.540-->00:07:27.480 network based, erm, so like, I'm sure you all heard a lot about RFID spoofing and er, brute 00:07:27.480-->00:07:32.352 forcing pin numbers, and even like pulling the reader off the wall and tapping into the 00:07:32.352-->00:07:37.357 wegman's data lines, and brute forcing the pulses, erm, for a valid I.D. Erm, so there are a 00:07:40.360-->00:07:45.365 lot of attack factors there. Most of them, er, seem, erm, I guess RFID spoofing isn't that, 00:07:50.070-->00:07:55.208 erm , like cloning cards, erm isn't that hard to pull off. But like, if you're talking about 00:07:55.208-->00:07:59.979 yanking a reader off a wall, it's kind of destructive and obvious. Erm, so there's some 00:07:59.979-->00:08:04.918 funny attacks on request to exits. So, erm, erm have any of you guys seen, er, I think it's 00:08:07.053-->00:08:13.693 rift recon, they got that like loop on a stick thing? Where you like reach underneath the door 00:08:13.693-->00:08:20.367 and hook on to the inside handle? And then you pull down and it opens the door? Erm, 00:08:20.367-->00:08:25.939 hilarious things like that and tripping motion sensors and stuff. Erm, of course you could 00:08:25.939-->00:08:31.711 attack the management software if it's running on a vulnerable host or if it's an unsecured 00:08:31.711-->00:08:38.318 database. Erm, a little, a little unpredictable. Erm, or: we could go after the door 00:08:38.318-->00:08:42.455 controller because it's a network connected embedded device which is notoriously bad 00:08:42.455-->00:08:48.561 with security. And every single piece of the door is wired into it, so it has, it's basically 00:08:48.561-->00:08:54.868 like an embedded device that has a bunch of software controlled relays on it. So, if you can 00:08:54.868-->00:08:59.873 control the device, you can control the relays. Erm, so let's focus on the door 00:09:03.176-->00:09:08.181 controller now. Erm, basically the way I see it, there are er, two main ways that we could 00:09:10.850-->00:09:16.389 after this thing. Erm, you guys can probably think of way more, but, erm...so the first, erm, 00:09:16.389-->00:09:21.394 and probably most obvious is, er, API exposure. Erm, so if you can see, kind of like what I did 00:09:24.464-->00:09:29.469 with, with my er, little rinky dink Defcon talk, erm, where if you can see an unlock command go 00:09:32.205-->00:09:37.210 into the door, erm, and you can replay it later on, erm, but, er, so, I do wanna talk a little 00:09:42.515-->00:09:47.520 bit about this PSIA. Which is, er, a an inter- operability standard that, erm, is starting 00:09:50.323-->00:09:55.328 to take off a little bit. Erm, I should say that this, this is strictly speculation. I don't 00:09:58.364-->00:10:02.836 have, access, er, to a controller that implements this standard, but just reading 00:10:02.836-->00:10:07.574 through the spec, it looks like something I'd like to take a look at. Erm, because it's based 00:10:07.574-->00:10:12.579 on, erm, HTTP requests to URIs. I saw this one, er, access override URI, that erm, its used 00:10:17.784-->00:10:22.789 for like, er, like if there's an incident at a facility and you need to like either unlock all 00:10:24.824-->00:10:29.829 the doors or lock, lock off some areas. Erm you can override the access schedule by er, sending a 00:10:32.365-->00:10:37.370 port request to the access override URI and, erm set the access override state to unlatch 00:10:40.206-->00:10:45.211 and then would unlock all of the doors just like that. Erm, it had mentioned erm, something 00:10:48.248-->00:10:53.186 about having like er, I'm starting to run out of breath [laughing] going through this so 00:10:53.186-->00:10:58.191 fast. Erm, so it had, it had mentioned having like I.D. number in the request, erm, to 00:11:02.428-->00:11:08.034 use as an authentication mechanism. Erm, but that was just in the spec and, you know, 00:11:08.034-->00:11:13.039 individual implementations may vary. Okay, on the other hand, erm, you could look for running 00:11:16.910-->00:11:21.915 services since it's a network device. Erm, so they usually have like an on-board management 00:11:25.418-->00:11:30.423 system. Erm, if I had my display working I would show what this, what the on-board management 00:11:32.659-->00:11:37.664 system looked like on this guy. Erm, but, erm so that's one thing, you know, usual web app 00:11:41.234-->00:11:48.141 attacks. Erm, or you could look for er, like standard Unix services and lynix services that 00:11:48.141-->00:11:52.378 are just out of date because they have haven't been keeping up with patching and other 00:11:52.378-->00:11:58.651 services that are running on their device. Erm and also they are a great place for, er 00:11:58.651-->00:12:03.590 fuzzing proprietary services that haven't been examined very closely. Which is what I did. 00:12:06.526-->00:12:11.531 Erm, so, erm, this is a HID door controller. Erm every single one of HID's door controllers across 00:12:15.468-->00:12:21.574 their entire product line was running a service called "discoveryd" which is a way to 00:12:21.574-->00:12:28.081 send out, erm a UDP packet to the broadcaster address and every door controller on the 00:12:28.081-->00:12:33.019 network would then send a packet back to you that said like: yeah, like here I am, here's all 00:12:33.019-->00:12:38.024 my info, er blah, blah, blah, blah. Erm, but that, that was the only, that was the only 00:12:41.494-->00:12:47.166 purpose of the service from what I could tell, but it wasn't the only function of the service. 00:12:47.166-->00:12:52.171 Erm, there was also, er, an undocumented command called: command, command "Blink On" erm, 00:12:54.474-->00:12:59.479 that, er, excuse me. So the command "Blink On" erm it took a number of times as an argument 00:13:06.552-->00:13:13.259 and, and that, that number of times was, er, how many times to blink the LED on the door 00:13:13.259-->00:13:19.399 controller. And the way that worked was that they would build up a path to the blink binary 00:13:19.399-->00:13:24.404 and then send, erm, send that path and that number you just gave it, erm, and call system on 00:13:28.441-->00:13:33.446 it when no sanitation at all on the, on the er user attacker supplied information. Erm, so it 00:13:37.550-->00:13:43.523 was vulnerable to a command injection and, erm, in the discoveryd service was running 00:13:43.523-->00:13:48.528 that room. So this was, erm across the entire product line like the: verdex, Edge, Ebo. 00:13:51.364-->00:13:57.503 Their entire product line was vulnerable to this. But, erm, it has been patched, er, since I 00:13:57.503-->00:14:02.442 think like late March or April. Erm, you can actually, er find these door controllers erm on 00:14:04.977-->00:14:11.317 Show Down, er I don't know why anybody would ever put their doors, erm, on the internet, but 00:14:11.317-->00:14:17.023 they're there and there's like over 300 hundred – last time I checked. And erm, the patch 00:14:17.023-->00:14:22.028 rate, erm, is really low... [laughs] even though the patch has been available for a while. 00:14:24.964-->00:14:29.969 Erm, so there's that. Er, surveillance is a lot simpler. Er, so you usually have, er, a 00:14:33.606-->00:14:38.811 video camera inside there's gonna be an IP camera all hardwired erm. And then you 00:14:38.811-->00:14:44.717 gonna have some recording device like a VCR / DVR and then again some kind of management 00:14:44.717-->00:14:50.690 software. So, same deal as before with the management software. As far as attack 00:14:50.690-->00:14:55.695 factors go, erm, the DVR gets a little more interesting erm there have been some attacks 00:14:59.198-->00:15:04.137 recently about erm, being able to dump, erm, creds to login to DVRs and and things like that. 00:15:07.306-->00:15:13.412 Er, you could also maybe try DOS-ing the DVR so the camera can't reach it. If it's an IP 00:15:13.412-->00:15:18.417 camera and avoid, er, recording. Erm you can also do the same thing with DOS-ing the camera. 00:15:21.454-->00:15:28.094 Erm, but, erm what would be way cooler is if you could man-in the-middle the video stream, er, 00:15:28.094-->00:15:33.099 since it's a, since it's a IP camera and it's just streaming across the network. Erm, so, 00:15:36.235-->00:15:41.607 let's take a look at that, erm. This demo I'm definitely not going to be able to show you 00:15:41.607-->00:15:46.078 with my display not working. Which is a shame because that's the one I was really proud of. 00:15:46.078-->00:15:51.083 Erm, but so, so most of them, most video streams are going to be either RTP or motion jpeg. 00:15:54.654-->00:15:59.091 Erm, haven't seen a lot of encryption although it's starting to catch on a little 00:15:59.091-->00:16:04.030 bit. Erm the basic idea here is, er, when you see a frame you er, you grab it, you modify it in 00:16:08.968-->00:16:14.407 whatever way you want and then you forward it on. Erm, and that allows you to do things like, 00:16:14.407-->00:16:19.412 er, like, you would see in the movies, like, you know, loop X number of playback seconds, you 00:16:21.981-->00:16:27.386 know. So, you like record, record like 3 seconds of playback and then like jump and 00:16:27.386-->00:16:32.391 just replaying it over and over again. Erm, or you could, er, cut the feed by just replacing 00:16:35.628-->00:16:40.633 all the images you see with the fuzzy static. Erm, one, one cool thing that I did, er, er, are 00:16:42.835-->00:16:47.840 there any fans of 'Ghost in the shell' in the audience? Yeah, so I used erm, I used open CV to do 00:16:56.015-->00:17:00.953 face, face detection, erm on the images I was, that were going through and then I would replace 00:17:03.089-->00:17:09.595 that face with laughing man logo, erm so I could actually like get him in frame and my 00:17:09.595-->00:17:14.600 face would be covered with the laughing man thing, erm, if you guys wanna, you know, whenever, 00:17:17.403-->00:17:22.909 if you see me out there somewhere, erm I can run through these, er, demos for you then. 00:17:22.909-->00:17:27.914 Erm, I guess I could, I could still show you the card reader attack. I'll do that. Erm. Okay 00:17:31.417-->00:17:36.989 so yeah, the the camera that I was working with was a Ubiquiti coding cam. It's a couple 00:17:36.989-->00:17:40.226 generations old but my friend let me borrow it, erm, and erm, the latest firmware, they 00:17:40.226-->00:17:42.228 actually got rid of RTP, erm, which made things a lot easier. They were just doing motion jpeg 00:17:42.228-->00:17:44.230 so like all I had to do was write some custom plug-ins for erm, for man-in-the-middle 00:17:44.230-->00:17:49.235 proxy, erm to handle the images and it was super duper easy. Er, oh, also I should mention, I'm 00:18:02.148-->00:18:07.853 not, I'm not calling out Ubiquiti there's not like a valm in their camera this is them 00:18:07.853-->00:18:12.858 they're agnostic erm , so don't, don't sue me. And then alarms, of course. Erm, so we got like 00:18:18.230-->00:18:23.235 fire, fire alarms, er tamper sensors, motion sensors, bah, bah, bah. I'm starting to run 00:18:27.206-->00:18:32.211 out of time. Erm, so one cool thing that you could do with erm, with the, erm, networked, 00:18:36.248-->00:18:41.253 er, fire panel, is erm, you could cause a, a false positive. Or a false alarm in one area as 00:18:45.458-->00:18:52.331 like a distraction for what like you are trying to do in another area. Something like that. Erm, 00:18:52.331-->00:18:57.336 motion sensor is probably the easiest thing you would have to deal with. Erm, because if they 00:19:00.673-->00:19:06.879 can't send their alarms, erm, then they're useless. Erm, so if you can either, erm, just 00:19:06.879-->00:19:13.819 straight up DOS, straight up DOS the, erm, motion sensor and then like if its sending out a 00:19:13.819-->00:19:19.725 heartbeat to say like I'm still alive, then you have to spoof the heartbeat or you could like 00:19:19.725-->00:19:24.897 just selectively DOS if they're not using any encryption and you can recognise the alarms, just 00:19:24.897-->00:19:30.202 selectively not let those alarms through. And the that's all there is to it. Erm, this 00:19:30.202-->00:19:35.207 doesn't make any sense since I'm not able to do any of my demos, but erm I, I ran out of time 00:19:38.978-->00:19:43.983 trying to configure my erm, so I got erm, I got an IOT motion sensor, erm, that just was not 00:19:47.620-->00:19:52.625 pairing with its management software. Erm, so I ran out of time trying to get that demo 00:19:52.625-->00:19:57.630 working. Okay, so here was the hypothetical scenario that I had set up, that I was going to pull 00:20:00.599-->00:20:06.539 off for my demo section. Erm, typical, typical office, they've got a card reader on the 00:20:06.539-->00:20:11.410 unsecured side and a door controller on the secured side. They've got a video camera 00:20:11.410-->00:20:16.415 watching the entire office and then like, like you do, you've got the, the Hope diamond in all 00:20:18.617-->00:20:25.524 of the CEOs credit card info laying out on your desk. Erm, because you can, you're, you're 00:20:25.524-->00:20:30.930 totally secured. Erm, so I'm gonna, I'm gonna hop over to this machine real quick, I don't 00:20:30.930-->00:20:37.636 know if those mics are on or not. Erm, but erm, so I won't be able to show you the video 00:20:37.636-->00:20:42.808 camera stuff because don't have a display, erm, but I will be able to show you, show you, er, 00:20:42.808-->00:20:47.813 sending my exploit to permanently unlock, unlock the door, so bear with me. [taps 00:20:59.525-->00:21:04.463 mic] hey, it does work. Okay so, erm, I can't show you the code, but erm, basically there, there 00:21:09.101-->00:21:14.140 was a er a CGI script that was running on this thing, or it was a complied binary, erm, that 00:21:14.140-->00:21:16.142 handled sending, sending all of the settings to the relays to control their state. Erm, and 00:21:16.142-->00:21:18.144 so, I, I just er, sent it the "unlocked" state and then removed "execute permissions" 00:21:18.144-->00:21:23.149 from that, from that CGI binary. Erm so that it unlocked the door and wouldn't let you relock it. 00:21:36.362-->00:21:41.367 Erm, and since, since this works on, er, you can find all the door controllers erm by sending 00:21:44.403-->00:21:50.309 a packet to broadcast. Erm, I just like send out that broadcast probe and then iterate 00:21:50.309-->00:21:55.781 through al ofl the door controllers that come back. And I can permanently unlock every 00:21:55.781-->00:22:00.719 single door on, in an entire facility. Er, so hang on one second. [beeping sound] Okay, 00:22:03.422-->00:22:08.427 er, hang on that's not the good part. Erm so it's just injecting commands over and over again 00:22:12.598-->00:22:17.603 because there was like a character limit on the, erm, erm, how big the packet...okay, 00:22:24.310-->00:22:29.315 so now, so now the door, now the door is permanently locked, er and this, permanently unlocked, 00:22:31.850-->00:22:37.556 and this is where I would have brought up the management portal, erm to, to click on the 00:22:37.556-->00:22:44.063 re- lock button and show you that it wasn't re- locking. Er, so yeah there's, there's that 00:22:44.063-->00:22:49.068 and it's not as impressive as I had originally planned out, but these things happen. [applause] 00:22:51.937-->00:22:56.942 Thank you. Okay and then that camera thing was gonna be like, like erm, you know, loop, 00:23:02.114-->00:23:06.785 looping the playbacks so that you can like walk in front of the camera without being seen 00:23:06.785-->00:23:13.626 and stuff like that. Erm, so there's that. Okay, so let's talk a little bit quickly about, 00:23:13.626-->00:23:19.898 erm about mitigations. Erm, so first off, most obviously is what segregates these devices 00:23:19.898-->00:23:26.138 erm from your normal network traffic. Make it so that use regular Joe Blows on your 00:23:26.138-->00:23:32.645 network can't reach these devices. Erm, also I, if if the network that you've got them on 00:23:32.645-->00:23:37.650 is very, erm, static and erm, predictable. You can look for anomylous activity pretty 00:23:40.486-->00:23:46.058 easily. Erm, keep on top of firmware updates, which is actually an interesting problem 00:23:46.058-->00:23:51.063 with these kinds of situations, especially with like the, er, the erm, access control system 00:23:54.667-->00:23:59.672 where you know, once upon a time IT handled computers and like facilities or whatever handles, 00:24:02.942-->00:24:07.946 er, locks. Erm, but what do you do when it's both? You know, so you have to clearly define who 00:24:10.282-->00:24:16.188 owns what and who gonna be in charge of updates and things like that. Erm, also think 00:24:16.188-->00:24:21.193 before you link. And erm, as, you know, I think I give this advice in like every single one 00:24:25.664-->00:24:31.503 of my talks, but like hack yourself. That's how you learn what you're vulnerable to and, 00:24:31.503-->00:24:36.508 erm, how your overall security posture looks. Erm, third part resalers, so erm a lot of this 00:24:40.112-->00:24:45.117 stuff is really, erm, closed off to the just the general masses. Erm, but third party resalers, 00:24:47.519-->00:24:52.524 erm are a little looser. Erm like I bought, I bought this entire rig pre-assembled, erm 00:24:54.727-->00:24:59.765 from a company I'm not going to name because I don't know what their opinion of me naming them 00:24:59.765-->00:25:04.803 in a Defcon talk would be, er maybe talk to me afterwards, but yeah, it was like 300 bucks for 00:25:04.803-->00:25:09.808 that entire pre-assembled demo door system. Erm, also, I was able to find some, some firmware 00:25:12.778-->00:25:17.783 images that I wouldn't have been otherwise able to get access to. Erm, I'm a bah bah, okay so 00:25:21.353-->00:25:26.358 yeah, that's basically it. Sorry I had to rush and not show my fantastic demos but erm, if you 00:25:31.964-->00:25:37.002 ever are interested in any of the code or, or have any questions, things that I didn't 00:25:37.002-->00:25:42.674 have time to go over properly or anything like that, I have an email and a Twitter and I'm way 00:25:42.674-->00:25:47.679 more responsive on Twitter than I am on email. Er, so, yeah. Hit me up! [applause]