[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.15,0:00:14.10,Default,,0000,0000,0000,,{\i1}prerol music{\i0} Dialogue: 0,0:00:14.10,0:00:23.60,Default,,0000,0000,0000,,Herald: So a very warm welcome to Thomas\NRoth. He is a security researcher and his Dialogue: 0,0:00:23.60,0:00:28.98,Default,,0000,0000,0000,,specialty is exploiting techniques and\Nreverse engineering and industrial Dialogue: 0,0:00:28.98,0:00:37.59,Default,,0000,0000,0000,,security. And the talk today will be\Nabout out SCADA the gateway to shell. Dialogue: 0,0:00:37.59,0:00:45.36,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:00:45.36,0:00:50.39,Default,,0000,0000,0000,,And just one little notice: this talk\Nwill be in English and will be translated Dialogue: 0,0:00:50.39,0:00:53.58,Default,,0000,0000,0000,,in German as well.\NThomas Roth: Thank you. Dialogue: 0,0:00:53.58,0:00:55.09,Default,,0000,0000,0000,,Herald: Yes. Dialogue: 0,0:00:55.09,0:00:59.29,Default,,0000,0000,0000,,Thomas Roth: Awesome, thank you. OK, yeah.\NWelcome to my talk gateway to shell. Who Dialogue: 0,0:00:59.29,0:01:03.85,Default,,0000,0000,0000,,am I? He already introduced me, but still\Nmy name is Thomas Roth. I'm a security Dialogue: 0,0:01:03.85,0:01:08.85,Default,,0000,0000,0000,,researcher. I do a lot of low level\Nsecurity, so a lot of ARM reverse Dialogue: 0,0:01:08.85,0:01:13.32,Default,,0000,0000,0000,,engineering, Coldfire and so on. And\Nyeah, you can find me on Twitter or if you Dialogue: 0,0:01:13.32,0:01:20.73,Default,,0000,0000,0000,,want to write me an email. Feel free to\Nsend me one to thomas@stacksmashing.net. 
Dialogue: 0,0:01:20.73,0:01:25.72,Default,,0000,0000,0000,,Before we start a short introduction to\Nthe background of this talk, so, this year Dialogue: 0,0:01:25.72,0:01:30.83,Default,,0000,0000,0000,,I did some SCADA penetration tests and I\Nfound that while the PLC sensors Dialogue: 0,0:01:30.83,0:01:35.21,Default,,0000,0000,0000,,are pretty well covered in the security\Nresearch area, I found that all the small Dialogue: 0,0:01:35.21,0:01:39.81,Default,,0000,0000,0000,,devices that surround SCADA environments\Nare not really well covered. So basically Dialogue: 0,0:01:39.81,0:01:44.06,Default,,0000,0000,0000,,we have the big Siemens PLCs and so on,\Nand there's a lot of research going on Dialogue: 0,0:01:44.06,0:01:48.76,Default,,0000,0000,0000,,about them. But there are also a ton of\Nother small Ethernet devices involved in Dialogue: 0,0:01:48.76,0:01:56.70,Default,,0000,0000,0000,,industrial networks that are not really\Nresearched very well yet. And all devices Dialogue: 0,0:01:56.70,0:02:00.57,Default,,0000,0000,0000,,that we're going to talk about are running\Ntheir latest respective firmware. Dialogue: 0,0:02:00.57,0:02:07.31,Default,,0000,0000,0000,,Unfortunately, there will be zero days and\Nthese are not theoretical attacks. Like if Dialogue: 0,0:02:07.31,0:02:12.49,Default,,0000,0000,0000,,you go to Shodan or similar search engine,\Nyou can find tens of thousands of these Dialogue: 0,0:02:12.49,0:02:18.36,Default,,0000,0000,0000,,devices vulnerable and open in the\NInternet. 
So let me give you a quick Dialogue: 0,0:02:18.36,0:02:24.78,Default,,0000,0000,0000,,introduction into the terminology in\NSCADA, because I know in the title I say Dialogue: 0,0:02:24.78,0:02:29.08,Default,,0000,0000,0000,,SCADA, but actually it should be ICS,\Nwhich stands for industrial control Dialogue: 0,0:02:29.08,0:02:36.90,Default,,0000,0000,0000,,systems, because basically ICS describes\Nthe whole system from your supervision, Dialogue: 0,0:02:36.90,0:02:42.07,Default,,0000,0000,0000,,the big room with all the big screens up\Nto your PLCs the sensors, the actors and Dialogue: 0,0:02:42.07,0:02:46.93,Default,,0000,0000,0000,,so on that you will find in your\Ninstallation. And the term SCADA just Dialogue: 0,0:02:46.93,0:02:50.96,Default,,0000,0000,0000,,describes the supervision and control\Ncenters. So the big screens that you might Dialogue: 0,0:02:50.96,0:02:55.04,Default,,0000,0000,0000,,know from movies and so on, where when the\Nbad guy comes, suddenly all the lights Dialogue: 0,0:02:55.04,0:03:02.40,Default,,0000,0000,0000,,turn red. Then there's something called a\NPLC, which is programable logic Dialogue: 0,0:03:02.40,0:03:06.89,Default,,0000,0000,0000,,controller. It's basically like an\NArduino, just for industrial applications Dialogue: 0,0:03:06.89,0:03:11.91,Default,,0000,0000,0000,,and they are really easy to program and\Nyou can get them from Siemens or Schneider Dialogue: 0,0:03:11.91,0:03:17.61,Default,,0000,0000,0000,,and so on and so forth. Then there is\Nsomething called an RTU, a remote terminal Dialogue: 0,0:03:17.61,0:03:22.28,Default,,0000,0000,0000,,unit, which is a small device that\Ngenerally are, well, back in the day, was Dialogue: 0,0:03:22.28,0:03:27.03,Default,,0000,0000,0000,,only used for monitoring. But today you\Ncan actually program a lot of RTUs. So Dialogue: 0,0:03:27.03,0:03:33.28,Default,,0000,0000,0000,,it's kind of a mix between a PLC and an\NRTU. 
So it's basically a PLC in a remote Dialogue: 0,0:03:33.28,0:03:41.27,Default,,0000,0000,0000,,location. Alrighty, to the actual topic,\Nindustrial control gateways. So when you Dialogue: 0,0:03:41.27,0:03:45.87,Default,,0000,0000,0000,,look at industrial control network, you'll\Nfind that there are a lot of different Dialogue: 0,0:03:45.87,0:03:50.28,Default,,0000,0000,0000,,sensors and actors and a lot of them speak\Ndifferent protocols. So, for example, some Dialogue: 0,0:03:50.28,0:03:56.47,Default,,0000,0000,0000,,might be serial, some might be IP, some\Nmight be Modbus and so on. And so you can Dialogue: 0,0:03:56.47,0:04:01.46,Default,,0000,0000,0000,,buy these small gateways that connect all\Nthese different protocols to an IP Dialogue: 0,0:04:01.46,0:04:06.54,Default,,0000,0000,0000,,network. So, for example, via Ethernet or\Neven via GPRS or Wi-Fi and so on. And I've Dialogue: 0,0:04:06.54,0:04:11.83,Default,,0000,0000,0000,,seen them in almost any industrial\Ninstallation that I've seen. So, for Dialogue: 0,0:04:11.83,0:04:16.44,Default,,0000,0000,0000,,example, they're used in power plants.\NThey are used in water dam control Dialogue: 0,0:04:16.44,0:04:22.88,Default,,0000,0000,0000,,systems. They are used to control the\Npower grid and so on. And the security Dialogue: 0,0:04:22.88,0:04:27.08,Default,,0000,0000,0000,,concept is, "Hey, but these devices are\Nairgapped!", so it doesn't matter really Dialogue: 0,0:04:27.08,0:04:31.60,Default,,0000,0000,0000,,if they are vulnerable or not fully up to\Ndate and so on, but that's not really true Dialogue: 0,0:04:31.60,0:04:34.92,Default,,0000,0000,0000,,because a lot of these devices, while they\Nmight be airgapped, they also have Dialogue: 0,0:04:34.92,0:04:42.65,Default,,0000,0000,0000,,antennas and they are interconnected by a\Nton of different wireless protocols such Dialogue: 0,0:04:42.65,0:04:50.97,Default,,0000,0000,0000,,as Wi-Fi, LoRa or GSM or even proprietary\Nradio links. 
So, yeah, and even the Dialogue: 0,0:04:50.97,0:04:54.94,Default,,0000,0000,0000,,case studies show that basically in this\Ncase, you would have a monitoring network Dialogue: 0,0:04:54.94,0:04:59.65,Default,,0000,0000,0000,,that's connected via the cellular network\Nto control the water mains and so on and Dialogue: 0,0:04:59.65,0:05:04.89,Default,,0000,0000,0000,,check the pressure. Or even worse, they\Neven recommend that you connect the actors Dialogue: 0,0:05:04.89,0:05:10.43,Default,,0000,0000,0000,,like valves and water level gotchas and so\Non over GPS, which we know is not a secure Dialogue: 0,0:05:10.43,0:05:17.83,Default,,0000,0000,0000,,protocol to do anything that could \Nbe critical. Or you have stuff like Dialogue: 0,0:05:17.83,0:05:24.16,Default,,0000,0000,0000,,water storage tanks that are controlled\Nvia Wi-Fi and so on or even public in the Dialogue: 0,0:05:24.16,0:05:33.35,Default,,0000,0000,0000,,Internet. So, yeah, these devices are\Nairgapped? Nope. So attacking in the field Dialogue: 0,0:05:33.35,0:05:37.89,Default,,0000,0000,0000,,I already mentioned, if you go to \NShodan, you will find a ton of different Dialogue: 0,0:05:37.89,0:05:42.97,Default,,0000,0000,0000,,devices reachable via the Internet \Nand even via GPS. So if you live Dialogue: 0,0:05:42.97,0:05:49.09,Default,,0000,0000,0000,,close to, for example, a dam or something,\Nit's kind of interesting to look at an SDR Dialogue: 0,0:05:49.09,0:05:52.29,Default,,0000,0000,0000,,or similar radio equipment to see what's\Ngoing over the airwaves, because you will Dialogue: 0,0:05:52.29,0:05:59.09,Default,,0000,0000,0000,,find a ton of interesting stuff and\Nsometimes, you can even very trivially get Dialogue: 0,0:05:59.09,0:06:03.93,Default,,0000,0000,0000,,a physical access to the in field devices\Nbecause they might just be in a white box Dialogue: 0,0:06:03.93,0:06:07.57,Default,,0000,0000,0000,,somewhere hidden. 
And if you break into\Nit, you can pull out the SIM card and it Dialogue: 0,0:06:07.57,0:06:12.42,Default,,0000,0000,0000,,will put you directly into the SCADA\Nnetwork, if you're lucky. Don't do that, Dialogue: 0,0:06:12.42,0:06:13.76,Default,,0000,0000,0000,,by the way. Dialogue: 0,0:06:13.76,0:06:17.17,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:06:17.17,0:06:24.54,Default,,0000,0000,0000,,So, yeah, let's let's hack some gateways.\NSo the equipment you will need to and Dialogue: 0,0:06:24.54,0:06:29.04,Default,,0000,0000,0000,,everything in this talk was done on this\Ndesk, just using these devices here, you Dialogue: 0,0:06:29.04,0:06:33.00,Default,,0000,0000,0000,,really just need a laptop, you need an\Noscilloscope or similar measurement Dialogue: 0,0:06:33.00,0:06:37.32,Default,,0000,0000,0000,,equipment just to ensure that you don't\Nburn out your logic analyzer. You need a Dialogue: 0,0:06:37.32,0:06:43.23,Default,,0000,0000,0000,,logic analyzer, a soldering iron, a\Nmultimeter and a power supply. And that's Dialogue: 0,0:06:43.23,0:06:48.36,Default,,0000,0000,0000,,really basically it, because you can hack\Nalmost any embedded device that's using Dialogue: 0,0:06:48.36,0:06:56.53,Default,,0000,0000,0000,,these devices and to find potential\Ntargets. I have this kind of map where Dialogue: 0,0:06:56.53,0:07:02.14,Default,,0000,0000,0000,,first try to understand, can I get the\Nfirmware of the device or do I have to Dialogue: 0,0:07:02.14,0:07:07.25,Default,,0000,0000,0000,,somehow, for example, use J-Tech to get it\Nout of the device? Can I actually buy the Dialogue: 0,0:07:07.25,0:07:12.46,Default,,0000,0000,0000,,devices at a sensible price? Because some\Nof these devices cost like 600 € or so, Dialogue: 0,0:07:12.46,0:07:18.36,Default,,0000,0000,0000,,and if you buy ten of them, that gets\Nexpensive very quickly. 
And so, uh, I need Dialogue: 0,0:07:18.36,0:07:24.36,Default,,0000,0000,0000,,to check eBay and see what devices can I\Nactually buy. And they should be half what Dialogue: 0,0:07:24.36,0:07:29.45,Default,,0000,0000,0000,,current, because if you look at all the\Ndevices, like 10 years old or so, they are Dialogue: 0,0:07:29.45,0:07:33.94,Default,,0000,0000,0000,,completely broken. You don't even have to\Nlook to start to look at their security. Dialogue: 0,0:07:33.94,0:07:40.82,Default,,0000,0000,0000,,So, yeah, the first device that I that I\Nchoose to really look at was the moxa Dialogue: 0,0:07:40.82,0:07:50.69,Default,,0000,0000,0000,,W2150A, which is this small device, which\Nis also mounted on the board right here, Dialogue: 0,0:07:50.69,0:07:54.32,Default,,0000,0000,0000,,mainly because I found the phone \Nwas available and it looked like an Dialogue: 0,0:07:54.32,0:07:58.67,Default,,0000,0000,0000,,interesting device because it has Wi-Fi\Nand so if I managed to break into it, I Dialogue: 0,0:07:58.67,0:08:07.93,Default,,0000,0000,0000,,can jump an airgap potentially. And the\NW2150A is just a simple device server. So Dialogue: 0,0:08:07.93,0:08:14.94,Default,,0000,0000,0000,,you can connect any serial device, any\NRS485 device simply to it and it will be Dialogue: 0,0:08:14.94,0:08:20.67,Default,,0000,0000,0000,,exposed via Ethernet or even via Wi-Fi.\NAnd you can download the firmware publicly Dialogue: 0,0:08:20.67,0:08:29.27,Default,,0000,0000,0000,,and it's available on eBay relatively\Ncheap. So like 150 bucks or something. 
So Dialogue: 0,0:08:29.27,0:08:33.29,Default,,0000,0000,0000,,I downloaded the firmware and I\Nlooked at the entropy of the firmware and Dialogue: 0,0:08:33.29,0:08:37.09,Default,,0000,0000,0000,,I immediately saw that the entropy is very\Nhigh, which means either it's very Dialogue: 0,0:08:37.09,0:08:41.59,Default,,0000,0000,0000,,compressed or it's encrypted,\Nunfortunately, using a tool called Dialogue: 0,0:08:41.59,0:08:46.51,Default,,0000,0000,0000,,binwalk, which is really useful for\Nlooking into firmwares I saw that there's Dialogue: 0,0:08:46.51,0:08:51.51,Default,,0000,0000,0000,,no compression detected. And so it was\Nvery likely that this firmware image is Dialogue: 0,0:08:51.51,0:08:59.94,Default,,0000,0000,0000,,encrypted. But I noticed on the Web page\Nthat before you upgrade to version 2.0 or Dialogue: 0,0:08:59.94,0:09:08.65,Default,,0000,0000,0000,,2.1 of the firmware, you must upgrade to\Nthe firmware version 1.11. And I thought, Dialogue: 0,0:09:08.65,0:09:13.54,Default,,0000,0000,0000,,that's interesting. Let's look at the\Nrelease notes for version 1.11. And it Dialogue: 0,0:09:13.54,0:09:22.33,Default,,0000,0000,0000,,turns out that 1.11 adds the support for\Nthe encrypted firmware. So I downloaded Dialogue: 0,0:09:22.33,0:09:28.09,Default,,0000,0000,0000,,the one point eleven firmware and sure\Nenough, it's unencrypted. And if you've Dialogue: 0,0:09:28.09,0:09:33.71,Default,,0000,0000,0000,,ever done anything with ARM before, if you\Njust look into a firmware hex dump, you Dialogue: 0,0:09:33.71,0:09:39.93,Default,,0000,0000,0000,,can immediately recognize whether it's ARM\Nor not, because the first four bits of each Dialogue: 0,0:09:39.93,0:09:45.58,Default,,0000,0000,0000,,instructions are the conditional bits \Nand those are almost always E. 
So if Dialogue: 0,0:09:45.58,0:09:50.32,Default,,0000,0000,0000,,you see a Hexdump and roughly every fourth\Nbyte is an E, you know, this is an ARM Dialogue: 0,0:09:50.32,0:09:57.55,Default,,0000,0000,0000,,firmware and it's not encrypted or\Nanything else. And so, yeah, sure enough, Dialogue: 0,0:09:57.55,0:10:02.64,Default,,0000,0000,0000,,I ran binwalk on this image. This time we\Nsee there is a huge drop in entropy, which Dialogue: 0,0:10:02.64,0:10:08.57,Default,,0000,0000,0000,,is the bootloader and so on, and then a\Nhigh entropy, which is basically the all Dialogue: 0,0:10:08.57,0:10:15.28,Default,,0000,0000,0000,,the compressed filesystems and so on. And\Nbinwalk was able to detect the SquashFS Dialogue: 0,0:10:15.28,0:10:22.06,Default,,0000,0000,0000,,filesystem and extract it for me very,\Nvery easy. And so my goal was to extract Dialogue: 0,0:10:22.06,0:10:27.25,Default,,0000,0000,0000,,the firmware, find the firmware upgrade\Ncode and somehow try to decipher the new Dialogue: 0,0:10:27.25,0:10:34.25,Default,,0000,0000,0000,,firmware. And so I was browsing through\Nthe files and sure enough, found the file Dialogue: 0,0:10:34.25,0:10:40.81,Default,,0000,0000,0000,,that was helpfully called\NlibupgradeFirmware.so and if we look into Dialogue: 0,0:10:40.81,0:10:45.01,Default,,0000,0000,0000,,the symbols, which they luckily didn't\Nremove or anything, there is a beautiful Dialogue: 0,0:10:45.01,0:10:48.07,Default,,0000,0000,0000,,symbol called firmware decrypt. Dialogue: 0,0:10:48.07,0:10:51.15,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:10:51.15,0:10:56.43,Default,,0000,0000,0000,,So we load the whole thing into\Ndisassembler and we see that Dialogue: 0,0:10:56.43,0:11:03.87,Default,,0000,0000,0000,,there's some fancy XORing going\Non in the bottom left corner. And I'm Dialogue: 0,0:11:03.87,0:11:08.00,Default,,0000,0000,0000,,going to walk you through what's, what\Nexactly is happening in this code. 
Dialogue: 0,0:11:08.00,0:11:13.31,Default,,0000,0000,0000,,So basically, first, there's a variable\Ncalled password loaded into the registar Dialogue: 0,0:11:13.31,0:11:21.79,Default,,0000,0000,0000,,R2 and then a second count variable is\Nbasically set and it starts looping and Dialogue: 0,0:11:21.79,0:11:35.54,Default,,0000,0000,0000,,increasing always by four and goes through\Nthis whole xor shebang and it turns out Dialogue: 0,0:11:35.54,0:11:41.20,Default,,0000,0000,0000,,that this is the obfuscation method for\Nthe AES Key. So, in password, in memory, Dialogue: 0,0:11:41.20,0:11:45.95,Default,,0000,0000,0000,,we have an obfuscated key and we can be\Nobfusciated by just implementing the code Dialogue: 0,0:11:45.95,0:11:53.89,Default,,0000,0000,0000,,we see here in C or in the emulator. \NAnd sure enough, eventually this Dialogue: 0,0:11:53.89,0:12:03.33,Default,,0000,0000,0000,,will be used as the key into the ECB 128\NAES decryption. And so I implemented the Dialogue: 0,0:12:03.33,0:12:08.76,Default,,0000,0000,0000,,whole thing in C, it was almost a copy\Npaste from the decompiler, so you can in Dialogue: 0,0:12:08.76,0:12:14.50,Default,,0000,0000,0000,,IAD Pro, you just hit F5, copy the C code\Nat the bit, fix the memory offsets and so Dialogue: 0,0:12:14.50,0:12:20.02,Default,,0000,0000,0000,,on. And you have the whole key obfuscation\Nmethod basically reverse engineered almost Dialogue: 0,0:12:20.02,0:12:25.63,Default,,0000,0000,0000,,automatically. And so I compile it. And\Nsure enough, Moxa key extration, it turns Dialogue: 0,0:12:25.63,0:12:31.20,Default,,0000,0000,0000,,out that the key is two eight eight seven\NConn seven five six four. I build a short Dialogue: 0,0:12:31.20,0:12:39.26,Default,,0000,0000,0000,,script to decrypt the 2.1 firmware and\Nthis time Binwalk finds all the files and Dialogue: 0,0:12:39.26,0:12:41.74,Default,,0000,0000,0000,,we can start reverse engineering the\Nactual firmware. 
Dialogue: 0,0:12:41.74,0:12:48.52,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:12:48.52,0:12:54.18,Default,,0000,0000,0000,,The scripts for this are available on my\Ngithub. I'll push the actual decrypts stuff Dialogue: 0,0:12:54.18,0:12:59.81,Default,,0000,0000,0000,,after the talk because this is the first\Ntime this has been released. And so after Dialogue: 0,0:12:59.81,0:13:03.47,Default,,0000,0000,0000,,I was at this point, I knew that the\Nfirmware is.. I can decrypted the firmware Dialogue: 0,0:13:03.47,0:13:07.93,Default,,0000,0000,0000,,I can look into it. By the way, it's not\Nsigned or anything. The only verification Dialogue: 0,0:13:07.93,0:13:14.48,Default,,0000,0000,0000,,method is CRC32. And so at this point I\Nknew, OK, I can buy this device and Dialogue: 0,0:13:14.48,0:13:19.98,Default,,0000,0000,0000,,start playing with it. And so I went to\NeBay, I bought one. I got it. I screwed it Dialogue: 0,0:13:19.98,0:13:24.14,Default,,0000,0000,0000,,open. And sure enough, there's an ARM\Nprocessor in there. It's an Freescale Dialogue: 0,0:13:24.14,0:13:28.64,Default,,0000,0000,0000,,i.MX25, which is just a regular ARM\Nprocessor. It's like 400 MHz or something, Dialogue: 0,0:13:28.64,0:13:34.88,Default,,0000,0000,0000,,I don't know. And I started probing all\Nthe all the small pins inside of the Dialogue: 0,0:13:34.88,0:13:43.04,Default,,0000,0000,0000,,device to try to find JTAG or serial\Nor anything. And so I actually hooked up Dialogue: 0,0:13:43.04,0:13:47.32,Default,,0000,0000,0000,,my power supply to foot pedal so that I\Ncan probe and just press with my foot to Dialogue: 0,0:13:47.32,0:13:54.25,Default,,0000,0000,0000,,reset the device. And sure enough, I found\Nthat there's a full serial console Dialogue: 0,0:13:54.25,0:14:00.66,Default,,0000,0000,0000,,available inside of the device on these\Npins. 
And if you boot the device, it even Dialogue: 0,0:14:00.66,0:14:05.16,Default,,0000,0000,0000,,tells you, please press enter to activate\Nthis console, and so you do that and you Dialogue: 0,0:14:05.16,0:14:07.46,Default,,0000,0000,0000,,are root on the device. Dialogue: 0,0:14:07.46,0:14:14.82,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:14:14.82,0:14:18.66,Default,,0000,0000,0000,,So that's kind of cool, but that means\Nthat you require physical access, so Dialogue: 0,0:14:18.66,0:14:23.53,Default,,0000,0000,0000,,that's not really a vulnerability, but\Nit's very nice to have when doing security Dialogue: 0,0:14:23.53,0:14:29.42,Default,,0000,0000,0000,,research because it means you can suddenly\Ndebug all the code on there. And so if you Dialogue: 0,0:14:29.42,0:14:35.05,Default,,0000,0000,0000,,write an exploit, you can just touch GDB\Nto the binary and start very, very simply, Dialogue: 0,0:14:35.05,0:14:40.42,Default,,0000,0000,0000,,writing the exploit. So at this point,\NI was trying to look at the available Dialogue: 0,0:14:40.42,0:14:46.01,Default,,0000,0000,0000,,services on the device. So for example,\Nthere is a web interface, there's a Dialogue: 0,0:14:46.01,0:14:52.53,Default,,0000,0000,0000,,proprietary configuration protocol,\Nthere's telnet, there's snmp, there is a Dialogue: 0,0:14:52.53,0:14:58.91,Default,,0000,0000,0000,,serial driver protocol and so on. And I\Nstarted looking at the web interface and Dialogue: 0,0:14:58.91,0:15:03.74,Default,,0000,0000,0000,,there was cross site scripting that was\NCross site request forgery, there was Dialogue: 0,0:15:03.74,0:15:07.44,Default,,0000,0000,0000,,insecure authentication where they\Nbasically hash on the client. So they have Dialogue: 0,0:15:07.44,0:15:12.52,Default,,0000,0000,0000,,some JavaScript that hashes your password\Nand then locks you in. 
Then there's a Dialogue: 0,0:15:12.52,0:15:17.72,Default,,0000,0000,0000,,command injection which lets you execute\Ncode as root, there are stack overflows. Dialogue: 0,0:15:17.72,0:15:23.68,Default,,0000,0000,0000,,And just a week ago there was a zero day\Nreleased for the web server. So yeah, demo Dialogue: 0,0:15:23.68,0:15:36.82,Default,,0000,0000,0000,,time. So just let me open up the Moxa\NPitch right here. And so this one is Dialogue: 0,0:15:36.82,0:15:41.24,Default,,0000,0000,0000,,authenticated, so I'll just enter the\Ndefault password, which, by the way, in Dialogue: 0,0:15:41.24,0:15:46.05,Default,,0000,0000,0000,,the field will 90 percent of the time\Nthese devices will be configured with Dialogue: 0,0:15:46.05,0:15:54.95,Default,,0000,0000,0000,,default credentials. But still, so, if we\Njust start browsing through this thing and Dialogue: 0,0:15:54.95,0:16:00.14,Default,,0000,0000,0000,,go to the basic settings, we can start\Nwith a simple cross site scripting just in Dialogue: 0,0:16:00.14,0:16:08.81,Default,,0000,0000,0000,,the device name. One sec, so just for\Nexample we just paste in some JavaScript. Dialogue: 0,0:16:08.81,0:16:15.02,Default,,0000,0000,0000,,Submit the whole thing, and hello 34c3. Dialogue: 0,0:16:15.02,0:16:19.56,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:16:19.56,0:16:23.77,Default,,0000,0000,0000,,I know what you're thinking, like cross \Nsite scripting, come on, that's not a Dialogue: 0,0:16:23.77,0:16:28.53,Default,,0000,0000,0000,,vulnerability, that's just nothing. So\Nlet's look at the ping test that's Dialogue: 0,0:16:28.53,0:16:33.91,Default,,0000,0000,0000,,integrated into this device. And funilly,\Na different device from Moxa that runs an Dialogue: 0,0:16:33.91,0:16:39.57,Default,,0000,0000,0000,,entirely different firmware had the same\Nvulnerability in the past. 
But if I just Dialogue: 0,0:16:39.57,0:16:46.39,Default,,0000,0000,0000,,paste in my ping, so my IP address, a\Nsemicolon and then, for example, I cut Dialogue: 0,0:16:46.39,0:16:51.97,Default,,0000,0000,0000,,/etc/passwd and activate enter. \NHere we go. Dialogue: 0,0:16:51.97,0:17:00.06,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:17:00.06,0:17:08.20,Default,,0000,0000,0000,,Kind of funny, but, yes, for sure not\Nintended. All righty, but I know what Dialogue: 0,0:17:08.20,0:17:12.74,Default,,0000,0000,0000,,you're thinking, right, these are\Nauthenticated bugs in the web interface, Dialogue: 0,0:17:12.74,0:17:17.46,Default,,0000,0000,0000,,so we need something unauthenticated. We\Nwant something that's like cool and a real Dialogue: 0,0:17:17.46,0:17:23.42,Default,,0000,0000,0000,,exploit. Right? And so I decided to look\Nat the.. this custom TCP protocol, which Dialogue: 0,0:17:23.42,0:17:29.43,Default,,0000,0000,0000,,runs on Port 4900. And my goal was to\Nreverse engineer the whole protocol and Dialogue: 0,0:17:29.43,0:17:34.03,Default,,0000,0000,0000,,build a fuzzer for it, to find\Nvulnerabilities, that turned out not to be Dialogue: 0,0:17:34.03,0:17:40.99,Default,,0000,0000,0000,,necessary. So during some testing, I just\Nsent a lot of bytes onto this thing and Dialogue: 0,0:17:40.99,0:17:49.14,Default,,0000,0000,0000,,enabled crash debugging via the serial\Nconsole. And sure enough, it crashed and Dialogue: 0,0:17:49.14,0:17:58.74,Default,,0000,0000,0000,,put my program countdown right to\N0x41414140. Wonderful. Thank you, Moxa. Dialogue: 0,0:17:58.74,0:18:04.37,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:18:04.37,0:18:21.55,Default,,0000,0000,0000,,So, Demo time. So let's increase the size\Nof this a bit. So I built a small script. Dialogue: 0,0:18:21.55,0:18:34.49,Default,,0000,0000,0000,,Just called moxa_pown and I'll just supply\Nthe IP address to it. Let's see. 
Opening a Dialogue: 0,0:18:34.49,0:18:43.62,Default,,0000,0000,0000,,second shell to connect to it via netcat.\NHere we go, we have a root shell on the Dialogue: 0,0:18:43.62,0:18:44.60,Default,,0000,0000,0000,,device. Dialogue: 0,0:18:44.60,0:18:54.26,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:18:54.26,0:19:01.54,Default,,0000,0000,0000,,So, yeah, that was the Moxa w21508,\Nbasically rolls of the tongue. And so the Dialogue: 0,0:19:01.54,0:19:08.69,Default,,0000,0000,0000,,next device I decided to look at was the\NAdvantech EKI-1522 which you can find Dialogue: 0,0:19:08.69,0:19:17.46,Default,,0000,0000,0000,,right here. And it's, again, just a simple\Nserial device server this time without Dialogue: 0,0:19:17.46,0:19:21.41,Default,,0000,0000,0000,,Wi-Fi, even though they are available with\NWi-Fi. It comes with two Ethernet ports Dialogue: 0,0:19:21.41,0:19:26.06,Default,,0000,0000,0000,,two serial ports and so on. And I\Nbasically followed the same steps again. Dialogue: 0,0:19:26.06,0:19:31.17,Default,,0000,0000,0000,,So I looked at the.. I downloaded the\Nfirmware. I looked at the edit using Dialogue: 0,0:19:31.17,0:19:35.80,Default,,0000,0000,0000,,binwalk. And this time we see almost no\Nentropy. So there is.. this guy is Dialogue: 0,0:19:35.80,0:19:40.28,Default,,0000,0000,0000,,basically completely unencrypted. And\Nagain, we saw some ARM 32 bit it runs a Dialogue: 0,0:19:40.28,0:19:51.01,Default,,0000,0000,0000,,Linux kernel, 2.6.31 and a BOA Web server\Nwhere the last update was in 2005. And the Dialogue: 0,0:19:51.01,0:19:56.77,Default,,0000,0000,0000,,firmware, I think, is from 2017. So these\Nare kind of outdated. And I found Dialogue: 0,0:19:56.77,0:20:01.23,Default,,0000,0000,0000,,during the initial analysis just of the\Nfirmware that the main binary to look at Dialogue: 0,0:20:01.23,0:20:07.18,Default,,0000,0000,0000,,will be this edgserver binary. 
And so I\Nloaded it into IDA pro and looked at the Dialogue: 0,0:20:07.18,0:20:12.78,Default,,0000,0000,0000,,different things that calls. And there\Nare a lot of calls to functions like Dialogue: 0,0:20:12.78,0:20:18.34,Default,,0000,0000,0000,,string copy, to system, to sprintf and so\Non that are generally kind of considered Dialogue: 0,0:20:18.34,0:20:25.66,Default,,0000,0000,0000,,unsecure. And sure enough, I am doing\Nstatic analysis. I found that there's some Dialogue: 0,0:20:25.66,0:20:33.63,Default,,0000,0000,0000,,code for sending an email as an alert, for\Nexample, when the system reboots. And Dialogue: 0,0:20:33.63,0:20:39.25,Default,,0000,0000,0000,,the full command invocation is mailx -s\Nblah blah blah, and we have control over Dialogue: 0,0:20:39.25,0:20:46.16,Default,,0000,0000,0000,,some parts in the string because we can\Nconfigure the two address in the UI. And if Dialogue: 0,0:20:46.16,0:20:51.04,Default,,0000,0000,0000,,we look at what's happening\Nhere, it basically just sets up this Dialogue: 0,0:20:51.04,0:20:56.50,Default,,0000,0000,0000,,format string. Then it goes to include the\Nsubject and then it gets some arguments Dialogue: 0,0:20:56.50,0:21:04.26,Default,,0000,0000,0000,,from the stack and basically calls\Ninto system. And so there's no filtering Dialogue: 0,0:21:04.26,0:21:09.93,Default,,0000,0000,0000,,going on at all. So we have an unfiltered\Npart of the system, invocation, code Dialogue: 0,0:21:09.93,0:21:15.38,Default,,0000,0000,0000,,execution. And this was before I had the\Ndevice in my hand. And this is kind of a Dialogue: 0,0:21:15.38,0:21:19.47,Default,,0000,0000,0000,,funny story because I first bought because\Nit was just 40 bucks, I bought this Dialogue: 0,0:21:19.47,0:21:24.77,Default,,0000,0000,0000,,device, which in the firmware has the same\Nbug, but the mail functionality is broken, Dialogue: 0,0:21:24.77,0:21:33.78,Default,,0000,0000,0000,,so I couldn't test it. 
So I had to go to\NeBay again, buy another one and buy the Dialogue: 0,0:21:33.78,0:21:38.95,Default,,0000,0000,0000,,bigger one. And so I ordered the bigger\None on eBay. Looks like this. It comes Dialogue: 0,0:21:38.95,0:21:45.66,Default,,0000,0000,0000,,with a Cavium CNS C.P.U. It has JTAG\Nexposed on the bottom there and serial Dialogue: 0,0:21:45.66,0:21:50.94,Default,,0000,0000,0000,,console is available again without any\Nauthentication. So beautiful. You just Dialogue: 0,0:21:50.94,0:21:57.81,Default,,0000,0000,0000,,connect your bus pirate or your UART\Nadapter to it and you have full serial Dialogue: 0,0:21:57.81,0:22:06.74,Default,,0000,0000,0000,,console. So, again, we had to look at\Nfinding vulnerabilities for this device Dialogue: 0,0:22:06.74,0:22:11.56,Default,,0000,0000,0000,,and there, again, a ton of different\Nservices, there's like a Web interface Dialogue: 0,0:22:11.56,0:22:15.67,Default,,0000,0000,0000,,available. There is a proprietary\Nconfiguration protocol that's based on Dialogue: 0,0:22:15.67,0:22:22.76,Default,,0000,0000,0000,,UDP. There is Telnet, there's snmp,\Nthere's a serial driver protocol and so Dialogue: 0,0:22:22.76,0:22:28.38,Default,,0000,0000,0000,,on. And again, looked at the website and\Nagain, cross site scripting cross side Dialogue: 0,0:22:28.38,0:22:33.28,Default,,0000,0000,0000,,request forgery, command injection, broken\Nauthentication, which basically if you log Dialogue: 0,0:22:33.28,0:22:38.71,Default,,0000,0000,0000,,in from one computer, it uses, I think\Nhttp digest authentication, you can Dialogue: 0,0:22:38.71,0:22:42.69,Default,,0000,0000,0000,,connect from a completely different\Ncomputer and it doesn't ask for a Dialogue: 0,0:22:42.69,0:22:49.70,Default,,0000,0000,0000,,password. I don't know why that is, but..\NYeah. So I was thinking I was doing Dialogue: 0,0:22:49.70,0:22:52.13,Default,,0000,0000,0000,,something wrong, but it turned out it was\Njust broken. 
Dialogue: 0,0:22:52.13,0:22:54.86,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:22:54.86,0:23:03.17,Default,,0000,0000,0000,,So, yeah, and there's, again, a stack\Noverflow in another protocol. So I guess,
Dialogue: 0,0:23:03.17,0:23:13.98,Default,,0000,0000,0000,,again, demo time. Let's first look at\Nthe device itself, so, you know the
Dialogue: 0,0:23:13.98,0:23:22.83,Default,,0000,0000,0000,,password, firstly, we have a nice device\Ndescription here. This is just a basic web
Dialogue: 0,0:23:22.83,0:23:29.32,Default,,0000,0000,0000,,interface. Right. And we can, again, just\Ncopy in some basic JavaScript
Dialogue: 0,0:23:29.32,0:23:38.62,Default,,0000,0000,0000,,hit the save button. Reload and there we\Ngo, cross site scripting yet again, OK,
Dialogue: 0,0:23:38.62,0:23:49.13,Default,,0000,0000,0000,,again, not really interesting. Right. So,\Num, let's look at the stack overflow.
Dialogue: 0,0:23:49.13,0:24:04.07,Default,,0000,0000,0000,,Again, I have a small script advantech_pown.\NFor the IP there. And we have netcat
Dialogue: 0,0:24:04.07,0:24:12.09,Default,,0000,0000,0000,,running on there. Sure enough, there we\Ngo, that's root on the Advantech device
Dialogue: 0,0:24:12.09,0:24:13.81,Default,,0000,0000,0000,,again, via stack overflow.
Dialogue: 0,0:24:13.81,0:24:25.52,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:24:25.52,0:24:31.50,Default,,0000,0000,0000,,Yeah, so two of three devices have\Nbasically broken already. Let's look
Dialogue: 0,0:24:31.50,0:24:38.15,Default,,0000,0000,0000,,at the next one. This one is a Lantronix\NEDS2100. And this one is kind of
Dialogue: 0,0:24:38.15,0:24:43.77,Default,,0000,0000,0000,,interesting because it's not ARM. I\Nnormally I almost exclusively do ARMs. So
Dialogue: 0,0:24:43.77,0:24:48.50,Default,,0000,0000,0000,,this one was kind of interesting. And this\Ndevice, which is mounted somewhere right
Dialogue: 0,0:24:48.50,0:24:57.39,Default,,0000,0000,0000,,here. Yeah. This device comes with a\Nserial to Ethernet secure device server.
Dialogue: 0,0:24:57.39,0:25:01.93,Default,,0000,0000,0000,,It has two serial ports. It has\NEthernet and you can buy it in two
Dialogue: 0,0:25:01.93,0:25:07.83,Default,,0000,0000,0000,,variants. One comes with Linux and one is\NEvolution OS, which is I guess, a
Dialogue: 0,0:25:07.83,0:25:14.88,Default,,0000,0000,0000,,proprietary operating system from\NLantronix. And I'm using the EvolutionOS
Dialogue: 0,0:25:14.88,0:25:22.12,Default,,0000,0000,0000,,variant in this talk. Looking at the\Nfirmware it turns out it's unencrypted and
Dialogue: 0,0:25:22.12,0:25:28.24,Default,,0000,0000,0000,,it's ColdFire architecture, which I've\Nnever done really anything with before,
Dialogue: 0,0:25:28.24,0:25:32.63,Default,,0000,0000,0000,,and there are no obvious external software\Ncomponents. So if you go through this,
Dialogue: 0,0:25:32.63,0:25:37.44,Default,,0000,0000,0000,,through the firmware, you'll find there's\Nan SSH implementation, there's an SSL
Dialogue: 0,0:25:37.44,0:25:42.81,Default,,0000,0000,0000,,implementation, but it's not OpenSSL and\Nit's not anything very well known. And the
Dialogue: 0,0:25:42.81,0:25:47.49,Default,,0000,0000,0000,,same is true for the web server and so on.\NIt's not really anything that's well
Dialogue: 0,0:25:47.49,0:25:56.50,Default,,0000,0000,0000,,known. And this time, while probing\Nthe device, I did not really find anything
Dialogue: 0,0:25:56.50,0:26:01.58,Default,,0000,0000,0000,,interesting in terms of serial consoles or\Nso, but I just found a potential debugger
Dialogue: 0,0:26:01.58,0:26:05.73,Default,,0000,0000,0000,,port, but I didn't have a fitting\Ndebugger unfortunately. The CPU is from
Dialogue: 0,0:26:05.73,0:26:14.76,Default,,0000,0000,0000,,NXP runs at 160 MHz or something. Yeah.\NThis time we actually have a web
Dialogue: 0,0:26:14.76,0:26:21.66,Default,,0000,0000,0000,,interface, we have Telnet, SSL and it even\Nhas a file system, so you have like FTP
Dialogue: 0,0:26:21.66,0:26:26.21,Default,,0000,0000,0000,,and TFTP which allows you to download the\Nconfiguration, upload the configuration
Dialogue: 0,0:26:26.21,0:26:30.98,Default,,0000,0000,0000,,and so on. And it's kind of hard to secure\Nit correctly because there are so many
Dialogue: 0,0:26:30.98,0:26:37.00,Default,,0000,0000,0000,,protocols and it's not really clear what's\Nset up by default. But yeah, you get
Dialogue: 0,0:26:37.00,0:26:44.35,Default,,0000,0000,0000,,the idea. And this time the web interface\Nwas surprisingly secure. So there was no
Dialogue: 0,0:26:44.35,0:26:50.23,Default,,0000,0000,0000,,cross site scripting. There was no command\Ninjection, because there's also not really
Dialogue: 0,0:26:50.23,0:26:55.44,Default,,0000,0000,0000,,a shell that you could execute commands\Ninto. But I still found some stuff.
Dialogue: 0,0:26:55.44,0:27:01.54,Default,,0000,0000,0000,,One is the configuration injection, which\Nallows you basically to change the format
Dialogue: 0,0:27:01.54,0:27:06.63,Default,,0000,0000,0000,,of the configuration using a different\Nfield. And I found an authentication
Dialogue: 0,0:27:06.63,0:27:11.97,Default,,0000,0000,0000,,bypass, so I was able to write a small\Npiece of code that takes a while and then
Dialogue: 0,0:27:11.97,0:27:23.65,Default,,0000,0000,0000,,completely removes the password from the\Ndevice. Demo time. So if we connect to the
Dialogue: 0,0:27:23.65,0:27:29.75,Default,,0000,0000,0000,,Lantronix device, it will currently ask\Nfor a password, which in theory we don't
Dialogue: 0,0:27:29.75,0:27:44.58,Default,,0000,0000,0000,,have. Let's clean up here a bit. I know\Nit's just. And let's run Lantronix_pown,
Dialogue: 0,0:27:44.58,0:27:51.30,Default,,0000,0000,0000,,oh, that was fast. That worked. Yeah, sure\Nenough, the password is gone.
Dialogue: 0,0:27:51.30,0:27:59.98,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:27:59.98,0:28:07.23,Default,,0000,0000,0000,,Awesome. To be honest, I didn't expect the\Ndemos to go so smoothly, so I put in an
Dialogue: 0,0:28:07.23,0:28:13.71,Default,,0000,0000,0000,,hour for the talk for this went very well\Nso far, so that's good. So before we
Dialogue: 0,0:28:13.71,0:28:22.17,Default,,0000,0000,0000,,finish already, some other devices are\Neven worse. So, for example, as I
Dialogue: 0,0:28:22.17,0:28:26.55,Default,,0000,0000,0000,,mentioned, I bought some other devices,\Nfor example, this Advantech device and
Dialogue: 0,0:28:26.55,0:28:31.61,Default,,0000,0000,0000,,this Moxa device and this Lantronix\Ndevice, which are basically the
Dialogue: 0,0:28:31.61,0:28:38.94,Default,,0000,0000,0000,,predecessors of the other devices. And\Nthose guys are really interesting to look
Dialogue: 0,0:28:38.94,0:28:45.85,Default,,0000,0000,0000,,at, one could say. So, some of those are\Nrunning eCos, which is an embedded Linux
Dialogue: 0,0:28:45.85,0:28:52.39,Default,,0000,0000,0000,,platform, which was last released in 2009,\Nand some devices run a Linux kernel with
Dialogue: 0,0:28:52.39,0:28:57.57,Default,,0000,0000,0000,,the 2.4 version and you see Linux without\Nany memory protection whatsoever. So even
Dialogue: 0,0:28:57.57,0:29:03.64,Default,,0000,0000,0000,,if they, so even a small stack overflow in\None of the userspace applications gives
Dialogue: 0,0:29:03.64,0:29:08.64,Default,,0000,0000,0000,,you full root access to the device because\Nyou can directly exploit the kernel and
Dialogue: 0,0:29:08.64,0:29:12.84,Default,,0000,0000,0000,,there are unfixed public vulnerabilities.\NSo in the first penetration test that I
Dialogue: 0,0:29:12.84,0:29:19.29,Default,,0000,0000,0000,,did, that included actually this device\Nand Moxa and part of a small one. I found
Dialogue: 0,0:29:19.29,0:29:25.17,Default,,0000,0000,0000,,that using snmpwalk, it gives you back\Nthe administration password via SNMP.
Dialogue: 0,0:29:25.17,0:29:26.78,Default,,0000,0000,0000,,{\i1}laughing{\i0}
Dialogue: 0,0:29:26.78,0:29:31.50,Default,,0000,0000,0000,,And so I went online. I tried to report\Nit. And it turns out it's well known
Dialogue: 0,0:29:31.50,0:29:34.16,Default,,0000,0000,0000,,there's a Metasploit module for this
Dialogue: 0,0:29:34.16,0:29:36.83,Default,,0000,0000,0000,,{\i1}laughing{\i0}
Dialogue: 0,0:29:36.83,0:29:41.69,Default,,0000,0000,0000,,and it's unfixed, OK? And these devices\Nare still in support. So I don't know why
Dialogue: 0,0:29:41.69,0:29:50.95,Default,,0000,0000,0000,,the vendor is not patching this. Yeah. So\Nthe summary: with trivial vulnerabilities
Dialogue: 0,0:29:50.95,0:29:56.52,Default,,0000,0000,0000,,in most devices, or at least all that I've\Nlooked at, there are no security
Dialogue: 0,0:29:56.52,0:30:00.57,Default,,0000,0000,0000,,mitigations whatsoever. So they don't even\Nenable like the compiler flags that you
Dialogue: 0,0:30:00.57,0:30:05.85,Default,,0000,0000,0000,,just set and then you have at least some\Nkind of stack protection and some like
Dialogue: 0,0:30:05.85,0:30:11.07,Default,,0000,0000,0000,,stack cookies and whatnot. And some\Nvendors are really bad at responding to
Dialogue: 0,0:30:11.07,0:30:18.43,Default,,0000,0000,0000,,vulnerability reports. So, yeah, I'm not\Ngoing to name the vendor, but not even, on
Dialogue: 0,0:30:18.43,0:30:22.18,Default,,0000,0000,0000,,Twitter I asked them to please give me a\Nsecurity contact and they responded,
Dialogue: 0,0:30:22.18,0:30:26.84,Default,,0000,0000,0000,,please use our contact form. I said I did,\Nthree times. I sent you emails, you're not
Dialogue: 0,0:30:26.84,0:30:30.60,Default,,0000,0000,0000,,responding to me. And so they stopped\Nresponding to me on Twitter too.
Dialogue: 0,0:30:30.60,0:30:40.81,Default,,0000,0000,0000,,{\i1}laughing{\i0}\N{\i1}applause{\i0}
Dialogue: 0,0:30:40.81,0:30:47.20,Default,,0000,0000,0000,,So how to mitigate? Well, the only way\Nthat I would see to mitigate against this,
Dialogue: 0,0:30:47.20,0:30:53.38,Default,,0000,0000,0000,,and I'm more on the deconstructive side of\Nthe story, is defense in depth. So never
Dialogue: 0,0:30:53.38,0:30:56.85,Default,,0000,0000,0000,,directly expose any of these devices to\Nthe Internet, even if they say they
Dialogue: 0,0:30:56.85,0:31:02.49,Default,,0000,0000,0000,,support VPN, even if they say they are a\Nsecure device or whatever, just don't do
Dialogue: 0,0:31:02.49,0:31:08.78,Default,,0000,0000,0000,,it. Get a real VPN gateway and make sure\Nthat you never rely on a single level of,
Dialogue: 0,0:31:08.78,0:31:16.17,Default,,0000,0000,0000,,for example, encryption. So, for example,\NWPA2 was broken by the KRACK attack and
Dialogue: 0,0:31:16.17,0:31:20.80,Default,,0000,0000,0000,,they actually released a patch for it\Nafter two months. And these are these are
Dialogue: 0,0:31:20.80,0:31:26.37,Default,,0000,0000,0000,,still two months where you are exposed to\Nvulnerability on your potentially mission-
Dialogue: 0,0:31:26.37,0:31:33.76,Default,,0000,0000,0000,,critical system. Also never use GPRS for\Nthese devices without VPN because it just,
Dialogue: 0,0:31:33.76,0:31:41.48,Default,,0000,0000,0000,,it will go wrong. Okay. Yeah, thank you. I\Nguess now we have time for Q&A. Thank you
Dialogue: 0,0:31:41.48,0:31:43.28,Default,,0000,0000,0000,,all for coming.
Dialogue: 0,0:31:43.28,0:31:49.17,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:31:49.17,0:31:57.99,Default,,0000,0000,0000,,Herald: Thank you very much for the talk.\NSo we have very much time for Q&A. So
Dialogue: 0,0:31:57.99,0:32:03.98,Default,,0000,0000,0000,,please line up to the microphones and we\Nhave someone at microphone 4 already.
Dialogue: 0,0:32:03.98,0:32:09.22,Default,,0000,0000,0000,,Mic 4: Yes, hello. Hello. Thanks for your\Ntalk. This is.. obviously this is a
Dialogue: 0,0:32:09.22,0:32:14.79,Default,,0000,0000,0000,,problem. This is a part of the bigger\Nproblem of security in IT. Right. In
Dialogue: 0,0:32:14.79,0:32:18.95,Default,,0000,0000,0000,,anything related to any kind of\Ntechnology. And this is only going to go
Dialogue: 0,0:32:18.95,0:32:25.23,Default,,0000,0000,0000,,worse with time, right. Internet of shit,\Ninternet of things and so and so on, so
Dialogue: 0,0:32:25.23,0:32:31.74,Default,,0000,0000,0000,,forth. So my question is, you gave some\Nideas how to mitigate this in this very
Dialogue: 0,0:32:31.74,0:32:36.54,Default,,0000,0000,0000,,specific area that use VPN, et cetera, et\Ncetera. But my question is, so hacker
Dialogue: 0,0:32:36.54,0:32:42.46,Default,,0000,0000,0000,,community is not very, let's say,\Ninterested in regulation. Right? And when
Dialogue: 0,0:32:42.46,0:32:46.61,Default,,0000,0000,0000,,we see, when we see a government trying to\Ndo something with technology that usually
Dialogue: 0,0:32:46.61,0:32:51.58,Default,,0000,0000,0000,,goes bad, we have this idea in our head\Nthat, OK, this can only go like this can
Dialogue: 0,0:32:51.58,0:32:56.74,Default,,0000,0000,0000,,only go bad. Right. But so my question is:\Ndo you think that perhaps there is some
Dialogue: 0,0:32:56.74,0:33:00.81,Default,,0000,0000,0000,,space for regulation here?\NT: There's definitely space for
Dialogue: 0,0:33:00.81,0:33:07.45,Default,,0000,0000,0000,,regulation, but I think regulation does\Nnot solve the underlying technical issues.
Dialogue: 0,0:33:07.45,0:33:13.61,Default,,0000,0000,0000,,So these devices, it's 2017 and these\Ndevices are using C code. I think that's
Dialogue: 0,0:33:13.61,0:33:18.58,Default,,0000,0000,0000,,just asking for trouble, basically. And so\Nwe really need to see this shift, even in
Dialogue: 0,0:33:18.58,0:33:22.69,Default,,0000,0000,0000,,the embedded world, to switch to memory\Nsafe languages, for example Rust or
Dialogue: 0,0:33:22.69,0:33:28.13,Default,,0000,0000,0000,,something similar, and really to stop\Nusing C in this kind of context. I don't
Dialogue: 0,0:33:28.13,0:33:35.73,Default,,0000,0000,0000,,think there's anyone who can .. Thank you.\N{\i1}applause{\i0}
Dialogue: 0,0:33:35.73,0:33:39.07,Default,,0000,0000,0000,,T: But there's definitely space for\Nregulation.
Dialogue: 0,0:33:39.07,0:33:43.17,Default,,0000,0000,0000,,Herald: Since there was a question from\Nthe Internet.
Dialogue: 0,0:33:43.17,0:33:47.53,Default,,0000,0000,0000,,Signal Angel: OK, yeah, the Internet wants\Nto know why you are not naming the bad
Dialogue: 0,0:33:47.53,0:33:51.98,Default,,0000,0000,0000,,vendor, because it looks like it's the\Nonly option basically if they don't
Dialogue: 0,0:33:51.98,0:33:57.99,Default,,0000,0000,0000,,respond to you.\NT: Let's say I asked them on Twitter and my Twitter is right there. And
Dialogue: 0,0:33:57.99,0:34:02.64,Default,,0000,0000,0000,,if you click on Tweets and Replies..\N{\i1}laughter{\i0}
Dialogue: 0,0:34:02.64,0:34:05.85,Default,,0000,0000,0000,,Signal Angel: Yeah, somebody just posted\Nthe link on IRC.
Dialogue: 0,0:34:05.85,0:34:10.87,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NT: I did not name them, just for the
Dialogue: 0,0:34:10.87,0:34:13.31,Default,,0000,0000,0000,,record.\N{\i1}laughter{\i0}
Dialogue: 0,0:34:13.31,0:34:17.03,Default,,0000,0000,0000,,{\i1}applause{\i0}\NHerald: So we have a question from
Dialogue: 0,0:34:17.03,0:34:23.37,Default,,0000,0000,0000,,microphone number 2.\NMic 2: So you showed an exploit for the
Dialogue: 0,0:34:23.37,0:34:29.56,Default,,0000,0000,0000,,last device that disabled authentication.\NWhat did you use to achieve that?
Dialogue: 0,0:34:29.56,0:34:35.53,Default,,0000,0000,0000,,T: So this one is unpatched and not yet\Nfixed, so I would rather not disclose the
Dialogue: 0,0:34:35.53,0:34:38.72,Default,,0000,0000,0000,,details yet.\NMic 2: OK.
Dialogue: 0,0:34:38.72,0:34:42.92,Default,,0000,0000,0000,,Herald: Microphone number 1, please.\NMic 1: I wonder if you've also been
Dialogue: 0,0:34:42.92,0:34:47.73,Default,,0000,0000,0000,,looking at a building automation system,\Ncontrol systems, or just industrial
Dialogue: 0,0:34:47.73,0:34:53.51,Default,,0000,0000,0000,,automation control systems?\NT: So you can use these devices basically
Dialogue: 0,0:34:53.51,0:35:00.61,Default,,0000,0000,0000,,wherever you want. And I think some of the\NMoxa ones are used in home automation. But
Dialogue: 0,0:35:00.61,0:35:05.92,Default,,0000,0000,0000,,I've looked at I guess Crestron, it's\Ncalled? But not in a lot of detail. So I'm
Dialogue: 0,0:35:05.92,0:35:09.51,Default,,0000,0000,0000,,more on the industrial side at the moment.\NMic 1: Thanks.
Dialogue: 0,0:35:09.51,0:35:15.08,Default,,0000,0000,0000,,Herald: Microphone number 3.\NMic 3: Any field experience or even just
Dialogue: 0,0:35:15.08,0:35:21.26,Default,,0000,0000,0000,,opinions on using industrial strength\NRaspberry Pi hardware with community
Dialogue: 0,0:35:21.26,0:35:25.56,Default,,0000,0000,0000,,supported Linux distributions or something\Nlike OpenBC whatever on them.
Dialogue: 0,0:35:25.56,0:35:30.87,Default,,0000,0000,0000,,T: Yeah. So I guess the big trouble there\Nis support, right? There are some, some
Dialogue: 0,0:35:30.87,0:35:34.58,Default,,0000,0000,0000,,German companies and so on that provide\Nsupport for industrial Raspberry Pis and
Dialogue: 0,0:35:34.58,0:35:40.79,Default,,0000,0000,0000,,even like nice casing and so on. But I'm\Nnot sure if really Raspberry Pi is the way
Dialogue: 0,0:35:40.79,0:35:45.24,Default,,0000,0000,0000,,to go here. I think there are\Nboards that are.. the problem is not the
Dialogue: 0,0:35:45.24,0:35:49.72,Default,,0000,0000,0000,,underlying stack, right? It's not the\Nhardware. Really, that's the issue. It's
Dialogue: 0,0:35:49.72,0:35:55.95,Default,,0000,0000,0000,,the software. And you will have the same\Nissues on the Raspberry Pi. So, yeah, I
Dialogue: 0,0:35:55.95,0:36:00.88,Default,,0000,0000,0000,,guess you could buy these devices, which\Nare like industrial grade shockproof and
Dialogue: 0,0:36:00.88,0:36:07.46,Default,,0000,0000,0000,,whatnot, and put some Linux on it and\Ndo it better. But I don't think that
Dialogue: 0,0:36:07.46,0:36:11.65,Default,,0000,0000,0000,,the hardware or platform will\Nchange anything at the moment.
Dialogue: 0,0:36:11.65,0:36:16.32,Default,,0000,0000,0000,,Herald: There is another question from\Nmicrophone number 4.
Dialogue: 0,0:36:16.32,0:36:21.75,Default,,0000,0000,0000,,Mic 4: Hi, more a social question, did you\Nget in contact with any development team,
Dialogue: 0,0:36:21.75,0:36:25.85,Default,,0000,0000,0000,,software development team in any of these\Ncompanies, or might it be that there is no
Dialogue: 0,0:36:25.85,0:36:33.08,Default,,0000,0000,0000,,one behind the emails and everything?\NT: So I guess some of these companies are
Dialogue: 0,0:36:33.08,0:36:37.35,Default,,0000,0000,0000,,really so big, that they don't reply to\Nyou if you don't have a support contract
Dialogue: 0,0:36:37.35,0:36:45.05,Default,,0000,0000,0000,,with them. But, for example, the support\Nof the ones that are not on my Twitter is
Dialogue: 0,0:36:45.05,0:36:49.73,Default,,0000,0000,0000,,kind of decent when it comes to\Nsecurity reports. And so my next steps
Dialogue: 0,0:36:49.73,0:36:57.22,Default,,0000,0000,0000,,will be to go via the ICS-CERT, but, you\Nknow, to report them. So, yes, there are
Dialogue: 0,0:36:57.22,0:37:03.74,Default,,0000,0000,0000,,development teams that will get in contact\Nwith you, just not from all vendors.
Dialogue: 0,0:37:03.74,0:37:06.67,Default,,0000,0000,0000,,Herald: Thank you. We have another\Nquestion from the Internet.
Dialogue: 0,0:37:06.67,0:37:13.96,Default,,0000,0000,0000,,Signal Angel: Hello? OK. The Internet\Nwants to know what to do about, because
Dialogue: 0,0:37:13.96,0:37:18.26,Default,,0000,0000,0000,,there are a lot of old devices in the\Nfield, how do you propose a vendor should
Dialogue: 0,0:37:18.26,0:37:24.20,Default,,0000,0000,0000,,deal with legacy devices and updates?\NT: Yeah, so keeping legacy devices
Dialogue: 0,0:37:24.20,0:37:29.68,Default,,0000,0000,0000,,supported is very expensive because, for\Nexample, if you buy a Qualcomm chip, they
Dialogue: 0,0:37:29.68,0:37:35.09,Default,,0000,0000,0000,,will eventually drop support for the Linux\Nkernel for it and so on. But if you buy
Dialogue: 0,0:37:35.09,0:37:39.62,Default,,0000,0000,0000,,like a Freescale automotive chip, they\Nguarantee you a certain time of support.
Dialogue: 0,0:37:39.62,0:37:43.49,Default,,0000,0000,0000,,But then you actually have to invest the\Nmoney to regularly provide the updates and
Dialogue: 0,0:37:43.49,0:37:48.86,Default,,0000,0000,0000,,ensure that your devices are secure. The\Nproblem is that the lifetime of industrial
Dialogue: 0,0:37:48.86,0:37:55.47,Default,,0000,0000,0000,,installations currently is much larger\Nthan the lifetime of these processors' support
Dialogue: 0,0:37:55.47,0:38:00.82,Default,,0000,0000,0000,,and so on. So I guess we'll have to get\Nused to upgrading our hardware regularly
Dialogue: 0,0:38:00.82,0:38:07.40,Default,,0000,0000,0000,,or switch to, or figure out a different\Nway of deploying secure software onto
Dialogue: 0,0:38:07.40,0:38:11.26,Default,,0000,0000,0000,,them. But I really think the underlying\Nproblem is, that we are still using
Dialogue: 0,0:38:11.26,0:38:16.23,Default,,0000,0000,0000,,memory unsafe languages. And I guess the\Nfact that there's cross site scripting
Dialogue: 0,0:38:16.23,0:38:20.15,Default,,0000,0000,0000,,just shows that there's no security\Nawareness really at those vendors
Dialogue: 0,0:38:20.15,0:38:29.40,Default,,0000,0000,0000,,whatsoever. At some of the vendors.\NHerald: So, microphone number 2, please.
Dialogue: 0,0:38:29.40,0:38:34.35,Default,,0000,0000,0000,,Mic 2: I was wondering, you mentioned that\Nsome of these facilities use GPRS.
Dialogue: 0,0:38:34.35,0:38:36.39,Default,,0000,0000,0000,,T: Yeah.\NMic 2: Do you know if they have mostly
Dialogue: 0,0:38:36.39,0:38:40.75,Default,,0000,0000,0000,,their own closed infrastructure, or if\Nthey're using general consumer telecom
Dialogue: 0,0:38:40.75,0:38:44.85,Default,,0000,0000,0000,,stuff?\NT: So they will use commercial
Dialogue: 0,0:38:44.85,0:38:50.48,Default,,0000,0000,0000,,networks mostly, and then they have custom\NEPNs which have an IPSec tunnel or
Dialogue: 0,0:38:50.48,0:38:55.70,Default,,0000,0000,0000,,something similar to their premises. But\Nthere's also there's also a company that
Dialogue: 0,0:38:55.70,0:39:02.59,Default,,0000,0000,0000,,sells industrial control SIM cards\Nwhich give you a public IP and you don't
Dialogue: 0,0:39:02.59,0:39:08.10,Default,,0000,0000,0000,,want to search on Shodan for that vendor.\NMic 2: Yeah. Thank you.
Dialogue: 0,0:39:08.10,0:39:11.05,Default,,0000,0000,0000,,Herald: There is a question from\Nmicrophone number 3.
Dialogue: 0,0:39:11.05,0:39:14.100,Default,,0000,0000,0000,,Mic 3: Hi there, isn't economics meant to\Nsolve some of these problems? We're not
Dialogue: 0,0:39:14.100,0:39:20.36,Default,,0000,0000,0000,,talking about dirt cheap devices. How\Nsurely at 300 bucks you should better have
Dialogue: 0,0:39:20.36,0:39:24.54,Default,,0000,0000,0000,,someone who's read security 101.\NHow long before a large organization gets
Dialogue: 0,0:39:24.54,0:39:28.20,Default,,0000,0000,0000,,the result of their security audit and\Ngoes to the aforementioned vendors and
Dialogue: 0,0:39:28.20,0:39:32.96,Default,,0000,0000,0000,,says, provide us something that's not\Ntrivially hackable, otherwise we stop
Dialogue: 0,0:39:32.96,0:39:37.84,Default,,0000,0000,0000,,buying your rubbish?\NT: Well, I mean, it's the same in all of
Dialogue: 0,0:39:37.84,0:39:45.33,Default,,0000,0000,0000,,IT, right? So everything has\Nvulnerabilities. And yes, there should be
Dialogue: 0,0:39:45.33,0:39:50.40,Default,,0000,0000,0000,,market pressure. But that's why I'm trying\Nto raise awareness for the issues that
Dialogue: 0,0:39:50.40,0:39:53.27,Default,,0000,0000,0000,,these devices have.\NMic 3: Thanks.
Dialogue: 0,0:39:53.27,0:39:55.73,Default,,0000,0000,0000,,Herald: There's another question from the\NInternet.
Dialogue: 0,0:39:55.73,0:40:01.34,Default,,0000,0000,0000,,Signal Angel: Yep. The Internet wants to\Nknow how and if it's a good idea to raise
Dialogue: 0,0:40:01.34,0:40:06.55,Default,,0000,0000,0000,,the level of awareness in public, because\Nthey think it's a good approach to make
Dialogue: 0,0:40:06.55,0:40:11.87,Default,,0000,0000,0000,,people, the public know that, well,\Ninfrastructure in the cities is at risk.
Dialogue: 0,0:40:11.87,0:40:16.00,Default,,0000,0000,0000,,T: Uh, sorry. Could you repeat the first\Npart of the question?
Dialogue: 0,0:40:16.00,0:40:21.34,Default,,0000,0000,0000,,Signal Angel: Yeah. They want to know how\Nto raise awareness for this in the public?
Dialogue: 0,0:40:21.34,0:40:27.79,Default,,0000,0000,0000,,T: Good question. I guess we need some\Nnews articles or something about this in
Dialogue: 0,0:40:27.79,0:40:32.80,Default,,0000,0000,0000,,regular paper, but I personally think it's\Njust an accident waiting to happen. So
Dialogue: 0,0:40:32.80,0:40:37.100,Default,,0000,0000,0000,,eventually someone will turn off the\Nlights in a city or wherever, will open a
Dialogue: 0,0:40:37.100,0:40:44.77,Default,,0000,0000,0000,,flood valve or something. And that's when\Nthe awareness will start.
Dialogue: 0,0:40:44.77,0:40:47.81,Default,,0000,0000,0000,,Herald: There's another question from\Nmicrophone number 4.
Dialogue: 0,0:40:47.81,0:40:51.68,Default,,0000,0000,0000,,Mic 4: OK, for what kind of industrial\Nprocesses are these devices you just
Dialogue: 0,0:40:51.68,0:40:57.11,Default,,0000,0000,0000,,demoed used?\NT: So I've seen them in power utility. I
Dialogue: 0,0:40:57.11,0:41:02.35,Default,,0000,0000,0000,,know they're used in water dam\Ncontrol systems. They are used and in
Dialogue: 0,0:41:02.35,0:41:07.04,Default,,0000,0000,0000,,serial connecting a CNC machine to the\Nnetwork, they are used in connecting all
Dialogue: 0,0:41:07.04,0:41:10.69,Default,,0000,0000,0000,,kinds of stuff. Because if you have a big\Nplant, you have a ton of different
Dialogue: 0,0:41:10.69,0:41:15.72,Default,,0000,0000,0000,,sensors. So you might, you might need the\Nwater level sensor. And for whatever
Dialogue: 0,0:41:15.72,0:41:20.68,Default,,0000,0000,0000,,reason, you only can get it with a Modbus\Nand then you need to convert the Modbus to
Dialogue: 0,0:41:20.68,0:41:25.12,Default,,0000,0000,0000,,TCP and then you need one of these\Ngateways. And so, I've seen in one
Dialogue: 0,0:41:25.12,0:41:28.53,Default,,0000,0000,0000,,cabinet, 20 of them. So they're\Nreally used a lot I guess.
Dialogue: 0,0:41:28.53,0:41:31.87,Default,,0000,0000,0000,,Mic 4: OK, thank you. I just retweeted\Nyour tweet to Star Alliance.
Dialogue: 0,0:41:31.87,0:41:37.98,Default,,0000,0000,0000,,T: Huh. {\i1}laughs{\i0} Thank you. {\i1}laughs{\i0}\NHerald: So there's another question from
Dialogue: 0,0:41:37.98,0:41:41.26,Default,,0000,0000,0000,,the Internet.\NSignal Angel: Yeah, the Internet wants to
Dialogue: 0,0:41:41.26,0:41:50.75,Default,,0000,0000,0000,,know if you did any research on MQTT\Nfor example from like Beckhoff uses?
Dialogue: 0,0:41:50.75,0:41:54.49,Default,,0000,0000,0000,,T: I actually talked to someone who\Nrecommended me to look at Beckhoff
Dialogue: 0,0:41:54.49,0:41:58.25,Default,,0000,0000,0000,,yesterday, but I've not looked at them\Nwhatsoever yet.
Dialogue: 0,0:41:58.25,0:42:01.90,Default,,0000,0000,0000,,Herald: And there's another question from\Nmicrophone 3.
Dialogue: 0,0:42:01.90,0:42:07.45,Default,,0000,0000,0000,,Mic 3: OK, could you show the Moxa web\Npanel, because I would like to double
Dialogue: 0,0:42:07.45,0:42:16.62,Default,,0000,0000,0000,,check, which proves that they and they\Nwould like you to see their Web page. And
Dialogue: 0,0:42:16.62,0:42:24.05,Default,,0000,0000,0000,,I think this browser isn't very secure.\NT: OK, let's take a look.
Dialogue: 0,0:42:24.05,0:42:29.16,Default,,0000,0000,0000,,Mic 3: Yeah, and under GoAhead the\Nwebserver small print.
Dialogue: 0,0:42:29.16,0:42:41.53,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NHerald: Nice finding.
Dialogue: 0,0:42:41.53,0:42:47.86,Default,,0000,0000,0000,,T: That's probably the issue here.\N{\i1}laughs{\i0}
Dialogue: 0,0:42:47.86,0:42:55.66,Default,,0000,0000,0000,,Herald: Are there any more questions? Any\Nquestions from the Internet?
Dialogue: 0,0:42:55.66,0:43:02.01,Default,,0000,0000,0000,,Signal Angel: The internet wants to know\Nhow a memory safe language would prevent
Dialogue: 0,0:43:02.01,0:43:08.75,Default,,0000,0000,0000,,the authentication bypasses you showed?\NT: Not one would not be protected against
Dialogue: 0,0:43:08.75,0:43:13.13,Default,,0000,0000,0000,,but it protects against a ton of other\Nstuff. It's just one example of where the
Dialogue: 0,0:43:13.13,0:43:18.42,Default,,0000,0000,0000,,industry needs to change. We need to stop\Nusing memory unsafe languages. We need to
Dialogue: 0,0:43:18.42,0:43:23.91,Default,,0000,0000,0000,,start really thinking about security\Ndesign from the start, and we must not in
Dialogue: 0,0:43:23.91,0:43:28.32,Default,,0000,0000,0000,,2017, there's no excuse for having cross\Nsite scripting or anything on the web
Dialogue: 0,0:43:28.32,0:43:35.72,Default,,0000,0000,0000,,page. That's also if we in the\NLantronix website, if you click logout,
Dialogue: 0,0:43:35.72,0:43:39.48,Default,,0000,0000,0000,,it tells you logout is not supported in\Nyour browser.
Dialogue: 0,0:43:39.48,0:43:43.29,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NT: Probably because I'm not using Internet
Dialogue: 0,0:43:43.29,0:43:48.13,Default,,0000,0000,0000,,Explorer 5.\NHerald: So there's another question from
Dialogue: 0,0:43:48.13,0:43:53.24,Default,,0000,0000,0000,,microphone number 3.\NMic 3: Any remote part of the exploit
Dialogue: 0,0:43:53.24,0:43:57.75,Default,,0000,0000,0000,,where you did a buffer\Noverflow - I think.
Dialogue: 0,0:43:57.75,0:44:01.49,Default,,0000,0000,0000,,T: Yeah?\NMic 3: What I'm wondering is, are
Dialogue: 0,0:44:01.49,0:44:07.18,Default,,0000,0000,0000,,there.. isn't it like very standard to\Nhave ASLR on these devices?
Dialogue: 0,0:44:07.18,0:44:10.24,Default,,0000,0000,0000,,T: No! {\i1}laughs{\i0} It should be, but it\Nisn't.
Dialogue: 0,0:44:10.24,0:44:16.20,Default,,0000,0000,0000,,Mic 3: Okay. Thank you though. That was\Npretty much my question.
Dialogue: 0,0:44:16.20,0:44:23.43,Default,,0000,0000,0000,,Herald: Is there another question from the\NInternet? It doesn't seem like it?
Dialogue: 0,0:44:23.43,0:44:36.05,Default,,0000,0000,0000,,Signal Angel: So, one just came in, OK, if\Nyou want to hear it. Ok, nope.
Dialogue: 0,0:44:36.05,0:44:41.33,Default,,0000,0000,0000,,{\i1}laughter{\i0}\NHerald: So, all right, give a very warm
Dialogue: 0,0:44:41.33,0:44:43.33,Default,,0000,0000,0000,,applause to Thomas Roth again!
Dialogue: 0,0:44:43.33,0:44:46.78,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:44:46.78,0:44:59.88,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,0:44:59.88,0:45:08.00,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2021. Join, and help us!