BG - Knock knock. Who's there? Betta! Betta who? Betta check your access control edge devices

BSides Las Vegas | 47:29 | 30 views | Published 2021-08
About this talk
BG - Knock knock. Who's there? Betta! Betta who? Betta check your access control edge devices, cause I'm already in. - Dr. Vincenzo Ciancaglini, Philippe Z Lin

Breaking Ground, BSidesLV 2021 - Camp Stay At Home - July 31

Video Tags: bslv2021-bg-knock_knock_access_control_edge-1048746

This next talk is being presented by Breaking Ground. It's "Knock Knock: Access Control Edge" by Vincenzo Ciancaglini.

So hello everyone, and welcome to this presentation about edge computing, its architectural weaknesses, and how we can exploit them to sneak into your offices undetected. I am Vincenzo Ciancaglini, I'm a senior threat researcher at Trend Micro's Forward-Looking Threat Research team, and this research was carried on with me, Philippe Z Lin, at nyhowski on Twitter, Roel Reyes, at insoniak, and both will be available at the Q&A session, and Joey Costoya and Morton Swimmer. Now our team, just to give you context, is tasked within Trend Micro to do technology scouting three to five years into the future, looking at how the technology is going

to evolve, how this would impact user behaviors, and how it will impact criminal opportunities and criminal activities. So with that in mind, we started looking not long ago into edge computing, being the new huge buzzword, you know, in the market. And just so that everybody's on the same page: with edge computing, it's basically a new, we can consider it as a new computational paradigm where, in contrast with the more canonical cloud computing, where you have your swarm of computers and IoT devices sort of managed and coordinated by a central cloud service, in edge you got part of, if not all of, the functionality moved to the edge of the network, on-premise, nearby your devices,

if not in some cases even on the devices themselves. So this basically means that your usual processing cycle, you know, of data acquisition, data processing, decision making and actuation happens almost all in the same place, or very close. This bears several advantages, meaning that you have of course lower latency, so in all those applications where a response and real-time responses are needed, like some factory automation applications, say that you have a robot in a production line that needs to discard samples, those can be taken with a very short delay. You have less network traffic, because you're not communicating with an external service. You have some resiliency due to that, because you are not dependent on an

external network service. And of course, for all those applications where you have sensitive data, you can in fact implement data retention on premises. This however means that there are three what we call new architectural assumptions within edge computing. There are three key aspects that need to be taken into careful consideration when deploying edge applications, and these are, first of all, an implicit trust of edge devices, because of course they are now charged with more responsibility compared to their IoT counterparts. For example, in the case that we present here of access control cameras, you have the access control cameras responsible for identifying users rather than just acquiring the images. There's a higher need for data synchronization.

Ironically enough, since we just said that, you know, there's less network communication with an outside service, there's a higher need of synchronization between all of the devices, because the devices, being charged with more functionalities, need to have a consistent data set between each other to function. Again, in the case of cameras, they all need to have the up-to-date user list so that they can know who to let in or not. And actuation on-premises, which means that every time you need to activate something, let it be an industrial robot arm or your door, that is not decided by your external service in a data center, but it's decided on premise by the device itself.

In terms of verticals, we've seen edge applications flourishing in several domains, such as, you know, agriculture and transportation management, so with all that is related to smart farming, real-time collection of data and monitoring of machinery, smart fleets, you know, and the future autonomous fleets for example. We've seen factory automation and industrial control systems, again the example that I brought of optical inspection of faulty samples in the production lines. Cameras and surveillance, where again cameras now are tasked with performing the actual identification of people, things and so on, with real-time video processing if needed. And elevators and building automation, so, you know, connected elevators, building monitoring, collection of data and so on. And that was actually the

first application that we started looking into, until we settled on cameras. And the reason for that, well, first of all, is the fact that while we were trying to actually acquire a smart elevator to do some study on it, we realized that, you know, in this huge sort of heat of serendipity, they actually deployed the edge computing access camera into our offices themselves, so that was a huge cycle blocked. But not only that, I mean, cameras are in fact, you know, easier to acquire than an actual elevator, for example, or, you know, an industrial controlled robot arm. They are the embodiment of a very critical functionality, meaning they do user authentication, physical user authentication. They are

literally the thing that keeps strangers at bay from your offices. They implement a very representative set of edge device functionalities: they do data acquisition, they do actuation, they do image processing, so they are fairly representative there. And they sort of represent what we call the user experience flaw. What do I mean with that? Basically, take a comparison between, you know, IoT access control cameras and edge access control. An IoT camera is usually a low-power device. It's responsible only for doing acquisition. It sends the data to a central server that takes care of, you know, making whatever decision, object recognition, face recognition, that's needed, so

you have sensitive data that transits outside your premises. They are not responsible for the actuation usually, and because of that, even if you have misconfigured devices or, you know, faulty deployment, the stakes, I mean, they're not zero, but they are fairly low. What we've seen, the worst that can happen there is that, you know, you get a camera with the default password that's the same for every model and that gets exposed to the internet. Well, you happen to end up on certain images, and the worst that could happen is that somebody's gonna snoop on your front porch or on your office entrance. I mean, I wouldn't wish it to anyone, but it's not that big of a deal. Compared to

that, an edge access control camera has a higher computational power. It performs the acquisition and processing on the device or on a nearby server. It takes the decision autonomously to let people in or out of your office, which also means that, yes, you don't have sensitive data that goes out, but if you misconfigure that camera, you basically incur the risk of letting people in. And not only that, the main point here is that despite this huge difference, they both just look like a camera. There is no visual clue between an IoT camera and an edge access control camera that the latter is going to be way more critical to deploy than what you've been used to up until

now, and that's a very interesting aspect of the whole technology. So with that in mind, let's go break us some cameras. You know, we decided, okay, let's get some cameras, see exactly what we can do with them, if they're secure, and what are the vulnerabilities in there, I mean, the usual. We picked up four models from four major vendors to sort of compare, the first one being a ZKTeco FaceDepot 7B, whereas ZKTeco, it's actually a big Chinese vendor, we had more than 3.58 million US dollars actually in fingerprint readers alone in 2015, for example, and it offers now these cameras, which are Android-based, not an up-to-date version of Android, if I may say,

and it even provides a dual camera to do liveness detection, for example, so it has some advanced functionalities. We then have the Hikvision, the DS-K1T606MF, if you want to try to repeat it after that. Hikvision is another, it's one of the world's biggest vendors of cameras, fairly renowned especially in the western hemisphere, Europe and US, it's a brand that's fairly known. This camera, compared to the others, runs a customized Linux version and communicates with its central server through a custom binary protocol, compared to the usual HTTP APIs that are exploited by the other cameras. We then have the TPS980, whereas Telpo is an actual partner, it's another big Chinese vendor, partner of Alibaba, for

example, and it's official supplier of facial recognition technologies for their point of sales. And finally we have the Megvii Koala. Now Megvii, it's another one of the big three suppliers of algorithms of facial recognition, and for example the official partner of the city of Hangzhou, of the smart, the City Brain project. So this just goes to show that this is not just, you know, we didn't go for some niche product from some obscure vendors. These are big players on the market that have a huge history of providing access control products to the industry, and, you know, these are their latest iterations basically. So another word of caution: what we're

showcasing, what we'll be showcasing here, are not really, we didn't focus on trying to attack the facial recognition aspect of the camera. I mean, if you want to know that facial recognition cameras are insecure, well, that's known, I mean, you can attack the algorithms, and it's not what we're going to show here. We're not going to show you that there's a setting that you can set to zero, the liveness detection settings, in most of the cameras and just authenticate with a picture. You can, but it's not the point here. The point here is to use the cameras as an example of how the three aforementioned aspects of, again, device trust, device

synchronization and actuation on premises, when these aspects are not properly implemented, they can be exploited to attack your deployments. And many of the attacks that you'll see and many of the flaws don't actually just apply to facial recognition cameras. This is just a very high stake example, but they could very well be applied to pretty much any other edge application, so that's a very important point that I wanted to make. So focusing on the first one, implicit device trust: as we said, edge computing is designed so that you trust the devices that you deploy. I mean, you are going to set some cameras that are going to sit outside of your office and are going to

keep people outside. You are going to set some smart farming equipment that's going to monitor data without your direct supervision, that's going to be out in the field miles from you, for example. And these are devices that are charged with more functionalities than their IoT counterpart. Access recognition cameras, for example, not only let people in, but they are also responsible for registering new people. They are also charged with deleting users. Like, all the user management part can be performed by the camera itself. And if you think in other domains, you know, you've got your smart manufacturing sample analyzers that autonomously check your products and discard the faulty ones without you having a direct supervision on it.

And so the question is, you know, it's straightforward: what happens if you own a device, or what happens if you can impersonate a device, you know, given all the trust that's given? So we went and checked basically what happens, for example, for user management. Basically, on all of those cameras, when you register a new user to your system, you do it through the device, which, you know, takes care of taking your picture for both your profile, so your profile picture, and your bio picture that will be used and compared for the facial recognition algorithm. It communicates eventually with the management server, that takes care mostly of just

propagating the information and updating the other cameras in the system, and that's it. So we sat there with our, you know, trusty Wireshark on the network and we figured, okay, so what happens when you communicate with the server? Well, it so happens that, for example, in the ZKTeco case, ZKTeco communicates through an HTTP API with the management server and uses that API to notify it of any new user created, user deleted and so on. And as you can see here, first of all, it's absolutely unencrypted, and there are two key pieces of information that you can get from the traces there. One is the serial number of the device, that's used to validate, at least partially, your API call, and

the other is a session token that, once you grab it, is absolutely reusable. Which pretty much means that with these two pieces of information, I mean, it's basically all I need to do a curl request to the same server, of which I know the address because I've just seen it in my Wireshark traces, and ask the server, you know, by impersonating the device, to create new users and so on. So here's a small video, for example, showing you what I'm talking about. What you see there is the ZKTeco user management interface running on a local server. We've acquired those two pieces of information, as I mentioned, and now we're making a call.

We've done the API call with curl, and all of a sudden we just created a new user, just right there, without really anybody noticing in the system, with a bogus name, you know, no picture for now, and it's an ordinary user. Now you might have noticed that I marked this, sorry about that, you might have noticed that I marked this privilege equal to seven parameter, that sets the privilege level for the user, and it was sort of a crappy foreshadowing of what comes next. Because of course, once you created your user, if you increase that parameter to 14, not only are you creating the user, but you're creating an admin, just by changing one parameter, with the

two same pieces of information, that will be allowed to enter your premises and alter your database and perform administrative tasks over there. You can also do many other things, like uploading user and facial recognition pictures to the system, just with the exact same API call, unencrypted and authenticated with that reusable token. So for example here, and again, this would have been much more interesting if it was done live, but, you know, we have to deal with what we have, we are doing the same API call, passing some binary data with the user picture, and all of a sudden you can see that the little panda in the bogus user that we created, which

could be really any user in the system, has become myself. So why create a new user, basically, when you can even just change the facial features of an existing one? And not only that, in the profile you have some biological template quantity, so you have fingerprints, you have face templates that will be used, so we can even change those with the exact same command. On this, you know, bogus user that I just decided to impersonate by uploading my profile picture, I can now perform another API call, whereas I will not upload my profile picture but I will upload my bio picture, which is the one that will be used for

the authentication. So you don't even need to actually create the user there. You can just take an existing one and just change his biometrics to match yours, which basically gives you all the permission and all the access of that very user to enter the premises. So we just run the thing, we now should be opening the profile for that user. Now you see that there's a new face picture, and the face picture is myself, so I now basically just got access under the name of Mr. Bogus to whatever department he's allowed to get in. Now let's talk about the device synchronization aspect. Again, edge devices need to keep a consistent knowledge base to perform their tasks autonomously and

coordinated. In the case of cameras it's the user base, but in the case of smart farming it might be information related to the fields and to the activities, I mean, there could be many other cases. In order to support this, as we've seen, there usually is some management server, that's either a centralized cloud service or an on-premise machine that you keep there, that's responsible for, you know, getting information from one device and spreading it to the others so that they can be consistent. And of course, as you saw, there are APIs to do that, and of course, just like we saw, the question is: what else can we do if the API's endpoints are not authenticated and the

connection is not encrypted? So we cannot just create users, as we just showed, but there are also other interesting things that you can do. For the ZKTeco, for example, you know, the fact that the API is unauthenticated, unchecked and absolutely not rate limited allows us also to just do a brute force and harvest all of the user profile pictures or the user bio pictures on the system, pretty much for every one of your employees, because the user pictures are available at this URL with, you know, the only identifier being the PIN of your user. And so you can just brute force and go from zero to a million and get all the pictures that are there.

Not only that, if you're really lazy, actually you don't even need to bother doing a call, because the way the system propagates the information is by device polling. So, sorry, periodically the system will just send the updated database of new users, or actually not of new users, of every user in the system. The full updated database will be sent to every device in the network. So if instead you're sitting on the same network as the edge devices, you don't really even need to do anything there. Just sit there with a Wireshark open and eventually you're going to get the full information, containing user IDs, passwords, which are not encrypted, user pictures, bio pictures, time zones information, you

can see their holidays, you know, all sorts of information about when the user is supposed to be there or not. There's a whole bunch of information that basically just exfiltrates itself. Other cameras fortunately have more sophisticated systems for authentication. So the Telpo camera here also provides a centralized cloud service to do the device administration. It's a subscription service, it costs more or less ten dollars per device per year. If you're not interested in using it, you can actually just license the facial recognition algorithm and sort of develop the management application yourself, that's doable, but as you can imagine, you know, small and medium businesses might prefer relying on the application, because, I mean, it's there, it's available, so why

not? Now this application has some APIs that are somewhat authenticated, meaning that to access those APIs you need a session token, that fortunately expires after a while, but that can be retrieved through an additional API call that only requires a device serial number, and by that I mean the serial number of any of the devices in your deployment. Where is the serial number, you ask? Well, if you take your camera and you flip it, first of all you can find some exposed wires that should not be there, because two of those wires actually will open the door the camera is attached to, but most importantly, you find your serial number right there. So

let's see how that actually works. We got the serial number because, well, we walked by your office and there was a camera there, and somebody didn't really screw that in the wall very well. So now with that serial number I can just go on face api.helpercloud.com, which is something I don't even need to sniff because it's the default cloud service domain name. I do a first API call to get the secret and device password, the client secret. With the client secret I can get the access token with an additional call over there. The access token, as you see, will expire in, you know, one hour or so, after which I can just get the new device token,

basically. And now with the device token I can do a whole bunch of things, such as, you know, tell the backend that the device is going online or offline, there it is. I can dump guest users, which is very useful if you're doing social engineering, you're trying to infiltrate your premises, because, you know, why would you create an additional user that nobody knows when you can just impersonate a guest, which by definition is somebody that's going to walk out after the day? You even have this QR code right there that, you know, you can use to generate a badge. You can list the deleted users, which is also something very useful when you're doing social engineering,

you know, knowing who just got fired from the company. You can download employees' pictures, of course, because why not just establish the full database with all the faces of your employees in your company? I mean, that's not gonna create any problem, right? And that's just the wget command. You can fake the attendance record, so you can say that somebody was there at the given time and date. You can create new users, so like this joe uh kazanayan that's been created there. You can list the employees in the DB and get their numbers, again, because why just get their pictures when I can get their mobile number and their name and whatever other

employee information is there? And of course I can add the user, so there we just issued the command. This is the Telpo cloud interface, which sort of performs the same task as the ZKTeco interface that we've just seen. We are now logging in the interface, and all of a sudden our mister joy kazanayan, with the face of our colleague Philippe Lin, appears in the access record. Of course, there's an absolute lack of anything related to server pinning from the device, client certificates, like, any sort of verification, it's absolutely missing, which means that doing a server impersonation can take no more than 30 lines of code. Here is an example. You can write a

simple server like that, because you're basically just running REST APIs, and then through ARP poisoning you can just instruct all the devices to connect to that one instead of the real server. And that allows you, you know, to again send arbitrary updates to your cameras, update new user pictures, in case you needed yet another way to just change a user picture, harvest camera logs, which could be very useful in case you want to sort of learn the employee patterns and behaviors of a company. You can even impede and delay auditing. I mean, there are of course, you know, systems where you have a centralized server or an external service that can do anomaly detection,

for example, and analyze your patterns and see if there's something unusual, but what happens if you just stop sending them logs, or if you delay them? You know, you can actually delay finding any anomalies in that access. So with that being said, moving to the third assumption, architectural aspect of edge: the unsupervised actuators in device proximity. We've said it, we'll say it again, edge devices are the ones in control of the actuator directly. They don't usually require supervision from whatever centralized service, they act autonomously, and if they are not directly involved with, you know, opening your door, they are controlling whatever actuator is there. Which then begs the question: why am I even bothering with the camera itself

if I can just attack the actuator? You know, in the case of optical inspection on a production line, why would I bother tricking the camera to think that samples are faulty when I can just attack the robot arms that are going to discard all of the pieces, basically? And with that in mind, the Megvii Koala provides a very good example. Megvii Koala sort of has a different architecture compared to the other three cameras. Compared to the others, it is not just a one-device system, it's a three-tier system where in your premise you will have usually an edge node, you know, Dell server and so on, to which you would connect either your Megvii Koala, which is in fact just a

Samsung tablet, or external cameras that you might already have deployed, you know, and it will use them to actually do the image acquisition and the facial recognition in that case. And you have a third component, which is the network relay, which is the component that actually controls the door. So your edge node gets the image in fact from the camera, makes the decision, the server is on the premise, so it's your edge node over there, and if you're authenticated, tells the network relay to open the door. How does it tell it, you say? Well, it just uses a TCP command on a port with no authentication, no encryption and nothing of sorts, which means that if you know the IP address of your

network relay, which you can very easily know, because if you remove the Samsung tablet from the wall, for example, you're left with a USB-C port that connects you directly to the network, which means that you can then do network discovery right there or talk to the network relay directly, and once you know that IP, all it takes is your netcat command with on1 and you're opening the door, just like that. And that is without even bothering and tampering with adding a user or tampering with the camera or changing its settings and so on. You're literally just controlling the network relay to open the door. So with that in mind, what do we make of

all of this? First of all, this is sort of a summary table. Now, we showcased some of the attacks; this is a more comprehensive table of all that we really checked. I mean, we even checked for, you know, the hardware security of the cameras, because again, those are devices that will be left unattended on-premises. You know, do they have exposed ports, do they have exposed cables, do they run a hardened version of the platform? Turns out they don't. Again, all of the four cameras have an exposed USB port, either Type-A or USB-C in the case of Megvii Koala, as I mentioned. Most of the cameras, like three out of

four cameras, are running a version of Android which is not a recent version, and there is no hardening in particular. The Hikvision is running a custom version of Linux, at least. Other notable thing: well, of course, with the USB port and running an Android version, it's very likely, and for some cameras it's in fact possible, to do side loading of applications, which opens the door to way more new attacks. It's very possible to do man-in-the-middle attacks on most of the cameras, because again, they are not running encryption or certificate checking and so on. Of all of this, and again, what sort of stood out a little bit was the Hikvision, that again, at least it's using a

binary protocol, which adds a layer of obfuscation, but it's not encrypted, so it really just sort of delays the inevitable, because it takes a little more time to do some reversing of the protocol, but, you know, it's not encrypted, it's there for the taking. At least the Hikvision, you know, has a three-way binary handshake with the server that's very hard to crack, so doing request forgery to add new users and fake user administration, it's quite hard. The Telpo sort of verifies the SSL certificates at server level, so, you know, there's that at least. And for example, for the actuator attack, whereas the Megvii Koala, it's a really terrible implementation where you just need to have

LAN access to the network relay, in the others you are somewhat secure as long as the cables are, you know, deployed properly. Be very careful in not exposing cables there, because again, opening doors takes just the 12 volt signal on your wires, pretty much. So this is sort of the situation. Of course, we've done responsible disclosure of all the flaws that we found, and everything was communicated with the manufacturer last year through the Zero Day Initiative program, so at least on that point we've had some fixing of the different issues that we found. And, you know, to conclude, I'd like to take a couple of minutes just to rant about the situation, because

again, edge devices have this sort of double-edged aspect, that they are devices that put a lot more responsibility in the hands of the user without really communicating it visually. You take your edge camera and there's really no main difference with the camera you had before, the fact that once you had a camera that would take a picture and send it to a server that will then make the decision, and now you have a camera that takes the pictures and makes the decision itself. I mean, they both just look like cameras, but in one case you are way, way more responsible as a customer of what you are doing. And as a vendor, in one case you were

basically selling a product that, if misconfigured, would at worst end up on Shodan with some funny pictures; in the other, it would let people in the premises of your customers. And the other thing that really struck me is that, by investigating all the devices, we didn't really find anything that was a new cutting-edge vulnerability linked to some corner case of this new technology. I mean, is it possible that we're still talking about the lack of HTTPS in 2021? I mean, how come it's something that we're dragging on since the 90s? And basically what we've seen happening is that every time the media change, every time there's a new buzzword

that exploits HTTP somehow, we seem to forget the best practices. I mean, we went from World Wide Web, where we finally had encryption there, to mobile web, you know, in the early 2000s, and all of a sudden people forgot about HTTPS. Back then we strove to put HTTPS in mobile web, and all of a sudden we had mobile applications, which were not mobile web anymore, except that they were written in HTML and they would communicate with servers through REST APIs, and all of a sudden the REST APIs were not encrypted anymore. So we worked on that, and there comes IoT, with devices communicating in an unencrypted way with the exact same servers. And now that we're sort of fixing IoT,

there comes edge, which drags the exact same problems. So that's why, you know, this aims to be really an awareness talk, because again, these problems, internal communications, are not just problems related to facial recognition cameras, they're not just problems related to letting people in your office. They are problems linked with the edge architecture itself. You could see that if those cameras were old IoT cameras, you wouldn't have all these issues of user forgery and user client forger user authentications and so on. So there's a huge need of awareness on these three edge assumptions and what it implies to do on deployment of edge applications, from both the users and the vendors that

provide the products and put them to market. So, possible mitigations. We've tried to arrange them, you know, around these three aspects, and some of them really feel so trivial, telling them here, that it really makes you wonder. You have, you know, secure your network connections, of course, or at least make sure and verify that the connection of your edge device to whatever external service is secure and encrypted, and demand your vendor to do that. Even better, network isolation for the devices. I mean, I'm talking about sitting on the same network, and, you know, people might say, right, but how likely is that? That might be more likely than one thinks.

I mean, having critical devices sitting on the employees' network is nothing so unusual. Check the hardening, make sure that the cables are protected, make sure that the platform is up to date, because again, these devices usually exploit some Android version that might not be up to date with the latest patches, and of course constant auditing for whatever undetected attack. Device synchronization: of course, APIs should be authenticated, and that goes to the vendors, but also to the customer, to make sure and demand that the API be authenticated, the desert you get certificate pinning in place. Again, it feels like network security 101, but it feels that people forgot about it. And of course, for all these actuators, you know, extra auditing,

make sure that your cables are carefully deployed and check on those installations every now and then so with this final rant i thank you all for the attention you can find our full paper on the research at the address below and i hope you enjoyed it and thank you we're waiting for questions to come in through the chat if you are watching this please join the discord and ask questions in the breaking ground track um looks to me like vincenzo was doing a lot of the talking so do you mind uh introducing yourself and quickly talking about your role in this this presentation sure thanks phil so um my name is philippe lin and i'm

part of this research mainly doing the embedded jobs like tearing things apart and never putting them back etc it's much fun doing this research yeah i wish i could uh do that so you know it sounds to me like you were doing the the hardware side what was what was some of the hardest part of the uh of doing this research um yeah that's a really good question so um since we have four vendors and each vendor have like different implementation of this whole protocols well we have to restart the research process one after another and for example for the telpo thing uh the telpo camera that we have torn apart it's server pinned which means everything is in https and

you can just man in the middle proxy to capture the networking flow so um yeah we we once thought it's one of the most secure products that we have studied but then turns out thanks to the debugging log they have left the very comprehensive debugging log on so once i get into the android which is not locked at all everything's there so i can try to imitate the server and you know grab everything out of it and um for the megvii it's quite interesting because actually we have hacked everything on their edge server so they have so along with the camera and the face detection module and the actuator they have shipped to one edge

server which you're supposed to install in the basement of the residential area and we have actually had all vms because uh they have used a hardware key to protect the server but they forgot to protect the to encrypt the the the hard disk at all so i just you know take the hard disk out and connect it to external usb to sata converter and everything is read out wow great that's very secure um you know you said you did the both of you did multiple different devices uh how did you get your hands on the devices do you just approach the vendors and say you know we'd like to do this research or did you just go buy them off the

shelf like how did you acquire these uh actually we bought them off the shelf and um for maybe because megvii is a little bit more expensive our company asked them for a demo and we really wanted to use it until we find this vulnerability oh um actually that leads me into a nice follow-up question um you know obviously you looked at this product before considering to deploy in your environment but how often do other enterprises look at the pro these kind of edge devices before they put them on their networks um i think each enterprise might have their internal procedure to assess the the secure the security of the devices but to my best knowledge probably

that's not there's no open standard or there is an open standard in each and every country but the people are just barely following them word by word which means uh you just have a list and you check check check and that's all awesome yeah so they're not yeah yeah they're not as secure and no one's looking um so so what would you say would be the top three things that vendors should be doing um you know the vendors that push out these devices what are the top three things that you would recommend that they should be doing if they're watching this talk yeah um just like what we have drawn in the in the conclusion

it's like first you have https that's the least thing we can ask about second you have server pinning and the client pinning server pinning is just like telpo it gave us a really hard time trying to read it read the flows and the client pinning makes sure that we cannot just uh fake the server and um hardening the device itself so many vendors use android uh actually i don't know why because android is a very complicated system and you can have all sort of vulnerabilities uh wonderful vulnerabilities for phones for other appliances so um it's very very hard to always follow the android updates onto the the latest version i would say avoid android or

you pay much attention to to update the firmware regularly yeah how often do these products usually get supported for do you know not that often yeah that's why well because i mean i know i have some phones that went out of support so i don't know how often you know door cameras get updates for their android os um okay so so we know we understand enterprises might not be you know evaluating the devices but you know if they have these devices on their network what do you what should they be doing to secure them so that these type of attacks that you talked about could be prevented okay probably the first thing is to have

a wireshark running on the internet and make sure nothing is in clear text if you can read it hackers read it of course and second is to secure the um the entry points of the ethernet internet cables for example as we have seen uh in the example of megvii koala it's super easy you just pull out the usbc adapter no sorry the us usbc and plug it into your macbook and you get access to the internet and something like that is never acceptable that's crazy um what have you reported these to the vendors and what did they say um yes exactly um all of our research undergoes a vulnerab sorry responsible disclosure procedure

uh which goes through the zero day initiative that has been acquired by trend micro several years ago and um we have a set up procedure like 120 days for the uh the vendors to patch the products and the managers said like zkteco said it's end of line immediately and then all of a sudden they have a next model popped up on the market so yeah hopefully they have fixed the issue and telpo is a better example since we have contact with their r&d they promise to fix the problem uh in the next generation of that products so i simply put the lift them have fixed this issue and the megvii is a little bit interesting

um megvii has has had a very big meeting with us and uh they have their directors managers on board and they released an added an advisory within one month but it really didn't go it really didn't go well when we published the vulnerability to the public because um yeah there's some some fault on us we didn't tell them in advance that hey one month expired so we're going to tell the public what's happening and they're caught unsurprised so if there's something we can do better this is one of them okay um this is a this is more of a personal question uh since i work on a red team but uh do you do you think this is

something that red team should explore as part of their physical security toolkit like going after these type of things i thought red team has been following looking after these kind of devices for quite a long time fair that's fair um so so this research was really interesting to me um where can we find it like uh is there a blog we can go to github like where can we find all the all this research um yeah sure i will post a link on the breaking ground channel so yeah feel free to download the whitepaper and i guess i have to say thank you for having us here and it was great to talk to you and

enjoy the rest of the event great thank you so much thank you