1 00:00:00,149 --> 00:00:14,099 *prerol music* 2 00:00:14,099 --> 00:00:23,599 Herald: So a very warm welcome to Thomas Roth. He is a security researcher and his 3 00:00:23,599 --> 00:00:28,980 specialty is exploiting techniques and reverse engineering and industrial 4 00:00:28,980 --> 00:00:37,590 security. And the talk today will be about out SCADA the gateway to shell. 5 00:00:37,590 --> 00:00:45,364 *applause* 6 00:00:45,364 --> 00:00:50,390 And just one little notice: this talk will be in English and will be translated 7 00:00:50,390 --> 00:00:53,580 in German as well. Thomas Roth: Thank you. 8 00:00:53,580 --> 00:00:55,090 Herald: Yes. 9 00:00:55,090 --> 00:00:59,290 Thomas Roth: Awesome, thank you. OK, yeah. Welcome to my talk gateway to shell. Who 10 00:00:59,290 --> 00:01:03,850 am I? He already introduced me, but still my name is Thomas Roth. I'm a security 11 00:01:03,850 --> 00:01:08,850 researcher. I do a lot of low level security, so a lot of ARM reverse 12 00:01:08,850 --> 00:01:13,321 engineering, Coldfire and so on. And yeah, you can find me on Twitter or if you 13 00:01:13,321 --> 00:01:20,730 want to write me an email. Feel free to send me one to thomas@stacksmashing.net. 14 00:01:20,730 --> 00:01:25,720 Before we start a short introduction to the background of this talk, so, this year 15 00:01:25,720 --> 00:01:30,830 I did some SCADA penetration tests and I found that while the PLC sensors 16 00:01:30,830 --> 00:01:35,210 are pretty well covered in the security research area, I found that all the small 17 00:01:35,210 --> 00:01:39,810 devices that surround SCADA environments are not really well covered. So basically 18 00:01:39,810 --> 00:01:44,060 we have the big Siemens PLCs and so on, and there's a lot of research going on 19 00:01:44,060 --> 00:01:48,760 about them. But there are also a ton of other small Ethernet devices involved in 20 00:01:48,760 --> 00:01:56,700 industrial networks that are not really researched very well yet. And all devices 21 00:01:56,700 --> 00:02:00,570 that we're going to talk about are running their latest respective firmware. 22 00:02:00,570 --> 00:02:07,310 Unfortunately, there will be zero days and these are not theoretical attacks. Like if 23 00:02:07,310 --> 00:02:12,489 you go to Shodan or similar search engine, you can find tens of thousands of these 24 00:02:12,489 --> 00:02:18,359 devices vulnerable and open in the Internet. So let me give you a quick 25 00:02:18,359 --> 00:02:24,779 introduction into the terminology in SCADA, because I know in the title I say 26 00:02:24,779 --> 00:02:29,079 SCADA, but actually it should be ICS, which stands for industrial control 27 00:02:29,079 --> 00:02:36,900 systems, because basically ICS describes the whole system from your supervision, 28 00:02:36,900 --> 00:02:42,069 the big room with all the big screens up to your PLCs the sensors, the actors and 29 00:02:42,069 --> 00:02:46,930 so on that you will find in your installation. And the term SCADA just 30 00:02:46,930 --> 00:02:50,959 describes the supervision and control centers. So the big screens that you might 31 00:02:50,959 --> 00:02:55,040 know from movies and so on, where when the bad guy comes, suddenly all the lights 32 00:02:55,040 --> 00:03:02,400 turn red. Then there's something called a PLC, which is programable logic 33 00:03:02,400 --> 00:03:06,889 controller. It's basically like an Arduino, just for industrial applications 34 00:03:06,889 --> 00:03:11,909 and they are really easy to program and you can get them from Siemens or Schneider 35 00:03:11,909 --> 00:03:17,610 and so on and so forth. Then there is something called an RTU, a remote terminal 36 00:03:17,610 --> 00:03:22,279 unit, which is a small device that generally are, well, back in the day, was 37 00:03:22,279 --> 00:03:27,029 only used for monitoring. But today you can actually program a lot of RTUs. So 38 00:03:27,029 --> 00:03:33,280 it's kind of a mix between a PLC and an RTU. So it's basically a PLC in a remote 39 00:03:33,280 --> 00:03:41,269 location. Alrighty, to the actual topic, industrial control gateways. So when you 40 00:03:41,269 --> 00:03:45,870 look at industrial control network, you'll find that there are a lot of different 41 00:03:45,870 --> 00:03:50,281 sensors and actors and a lot of them speak different protocols. So, for example, some 42 00:03:50,281 --> 00:03:56,470 might be serial, some might be IP, some might be Modbus and so on. And so you can 43 00:03:56,470 --> 00:04:01,459 buy these small gateways that connect all these different protocols to an IP 44 00:04:01,459 --> 00:04:06,539 network. So, for example, via Ethernet or even via GPRS or Wi-Fi and so on. And I've 45 00:04:06,539 --> 00:04:11,829 seen them in almost any industrial installation that I've seen. So, for 46 00:04:11,829 --> 00:04:16,440 example, they're used in power plants. They are used in water dam control 47 00:04:16,440 --> 00:04:22,880 systems. They are used to control the power grid and so on. And the security 48 00:04:22,880 --> 00:04:27,080 concept is, "Hey, but these devices are airgapped!", so it doesn't matter really 49 00:04:27,080 --> 00:04:31,599 if they are vulnerable or not fully up to date and so on, but that's not really true 50 00:04:31,599 --> 00:04:34,919 because a lot of these devices, while they might be airgapped, they also have 51 00:04:34,919 --> 00:04:42,650 antennas and they are interconnected by a ton of different wireless protocols such 52 00:04:42,650 --> 00:04:50,970 as Wi-Fi, LoRa or GSM or even proprietary radio links. So, yeah, and even the 53 00:04:50,970 --> 00:04:54,940 case studies show that basically in this case, you would have a monitoring network 54 00:04:54,940 --> 00:04:59,650 that's connected via the cellular network to control the water mains and so on and 55 00:04:59,650 --> 00:05:04,889 check the pressure. Or even worse, they even recommend that you connect the actors 56 00:05:04,889 --> 00:05:10,430 like valves and water level gotchas and so on over GPS, which we know is not a secure 57 00:05:10,430 --> 00:05:17,830 protocol to do anything that could be critical. Or you have stuff like 58 00:05:17,830 --> 00:05:24,160 water storage tanks that are controlled via Wi-Fi and so on or even public in the 59 00:05:24,160 --> 00:05:33,349 Internet. So, yeah, these devices are airgapped? Nope. So attacking in the field 60 00:05:33,349 --> 00:05:37,889 I already mentioned, if you go to Shodan, you will find a ton of different 61 00:05:37,889 --> 00:05:42,970 devices reachable via the Internet and even via GPS. So if you live 62 00:05:42,970 --> 00:05:49,090 close to, for example, a dam or something, it's kind of interesting to look at an SDR 63 00:05:49,090 --> 00:05:52,290 or similar radio equipment to see what's going over the airwaves, because you will 64 00:05:52,290 --> 00:05:59,090 find a ton of interesting stuff and sometimes, you can even very trivially get 65 00:05:59,090 --> 00:06:03,930 a physical access to the in field devices because they might just be in a white box 66 00:06:03,930 --> 00:06:07,569 somewhere hidden. And if you break into it, you can pull out the SIM card and it 67 00:06:07,569 --> 00:06:12,419 will put you directly into the SCADA network, if you're lucky. Don't do that, 68 00:06:12,419 --> 00:06:13,760 by the way. 69 00:06:13,760 --> 00:06:17,169 *laughter* 70 00:06:17,169 --> 00:06:24,539 So, yeah, let's let's hack some gateways. So the equipment you will need to and 71 00:06:24,539 --> 00:06:29,039 everything in this talk was done on this desk, just using these devices here, you 72 00:06:29,039 --> 00:06:33,000 really just need a laptop, you need an oscilloscope or similar measurement 73 00:06:33,000 --> 00:06:37,320 equipment just to ensure that you don't burn out your logic analyzer. You need a 74 00:06:37,320 --> 00:06:43,230 logic analyzer, a soldering iron, a multimeter and a power supply. And that's 75 00:06:43,230 --> 00:06:48,360 really basically it, because you can hack almost any embedded device that's using 76 00:06:48,360 --> 00:06:56,530 these devices and to find potential targets. I have this kind of map where 77 00:06:56,530 --> 00:07:02,139 first try to understand, can I get the firmware of the device or do I have to 78 00:07:02,139 --> 00:07:07,251 somehow, for example, use J-Tech to get it out of the device? Can I actually buy the 79 00:07:07,251 --> 00:07:12,460 devices at a sensible price? Because some of these devices cost like 600 € or so, 80 00:07:12,460 --> 00:07:18,360 and if you buy ten of them, that gets expensive very quickly. And so, uh, I need 81 00:07:18,360 --> 00:07:24,360 to check eBay and see what devices can I actually buy. And they should be half what 82 00:07:24,360 --> 00:07:29,449 current, because if you look at all the devices, like 10 years old or so, they are 83 00:07:29,449 --> 00:07:33,940 completely broken. You don't even have to look to start to look at their security. 84 00:07:33,940 --> 00:07:40,819 So, yeah, the first device that I that I choose to really look at was the moxa 85 00:07:40,819 --> 00:07:50,689 W2150A, which is this small device, which is also mounted on the board right here, 86 00:07:50,689 --> 00:07:54,319 mainly because I found the phone was available and it looked like an 87 00:07:54,319 --> 00:07:58,669 interesting device because it has Wi-Fi and so if I managed to break into it, I 88 00:07:58,669 --> 00:08:07,930 can jump an airgap potentially. And the W2150A is just a simple device server. So 89 00:08:07,930 --> 00:08:14,939 you can connect any serial device, any RS485 device simply to it and it will be 90 00:08:14,939 --> 00:08:20,669 exposed via Ethernet or even via Wi-Fi. And you can download the firmware publicly 91 00:08:20,669 --> 00:08:29,270 and it's available on eBay relatively cheap. So like 150 bucks or something. So 92 00:08:29,270 --> 00:08:33,290 I downloaded the firmware and I looked at the entropy of the firmware and 93 00:08:33,290 --> 00:08:37,090 I immediately saw that the entropy is very high, which means either it's very 94 00:08:37,090 --> 00:08:41,590 compressed or it's encrypted, unfortunately, using a tool called 95 00:08:41,590 --> 00:08:46,510 binwalk, which is really useful for looking into firmwares I saw that there's 96 00:08:46,510 --> 00:08:51,510 no compression detected. And so it was very likely that this firmware image is 97 00:08:51,510 --> 00:08:59,940 encrypted. But I noticed on the Web page that before you upgrade to version 2.0 or 98 00:08:59,940 --> 00:09:08,650 2.1 of the firmware, you must upgrade to the firmware version 1.11. And I thought, 99 00:09:08,650 --> 00:09:13,540 that's interesting. Let's look at the release notes for version 1.11. And it 100 00:09:13,540 --> 00:09:22,330 turns out that 1.11 adds the support for the encrypted firmware. So I downloaded 101 00:09:22,330 --> 00:09:28,093 the one point eleven firmware and sure enough, it's unencrypted. And if you've 102 00:09:28,093 --> 00:09:33,710 ever done anything with ARM before, if you just look into a firmware hex dump, you 103 00:09:33,710 --> 00:09:39,930 can immediately recognize whether it's ARM or not, because the first four bits of each 104 00:09:39,930 --> 00:09:45,580 instructions are the conditional bits and those are almost always E. So if 105 00:09:45,580 --> 00:09:50,320 you see a Hexdump and roughly every fourth byte is an E, you know, this is an ARM 106 00:09:50,320 --> 00:09:57,550 firmware and it's not encrypted or anything else. And so, yeah, sure enough, 107 00:09:57,550 --> 00:10:02,640 I ran binwalk on this image. This time we see there is a huge drop in entropy, which 108 00:10:02,640 --> 00:10:08,570 is the bootloader and so on, and then a high entropy, which is basically the all 109 00:10:08,570 --> 00:10:15,280 the compressed filesystems and so on. And binwalk was able to detect the SquashFS 110 00:10:15,280 --> 00:10:22,060 filesystem and extract it for me very, very easy. And so my goal was to extract 111 00:10:22,060 --> 00:10:27,250 the firmware, find the firmware upgrade code and somehow try to decipher the new 112 00:10:27,250 --> 00:10:34,250 firmware. And so I was browsing through the files and sure enough, found the file 113 00:10:34,250 --> 00:10:40,810 that was helpfully called libupgradeFirmware.so and if we look into 114 00:10:40,810 --> 00:10:45,010 the symbols, which they luckily didn't remove or anything, there is a beautiful 115 00:10:45,010 --> 00:10:48,066 symbol called firmware decrypt. 116 00:10:48,066 --> 00:10:51,150 *laughter* 117 00:10:51,150 --> 00:10:56,430 So we load the whole thing into disassembler and we see that 118 00:10:56,430 --> 00:11:03,870 there's some fancy XORing going on in the bottom left corner. And I'm 119 00:11:03,870 --> 00:11:08,000 going to walk you through what's, what exactly is happening in this code. 120 00:11:08,000 --> 00:11:13,310 So basically, first, there's a variable called password loaded into the registar 121 00:11:13,310 --> 00:11:21,790 R2 and then a second count variable is basically set and it starts looping and 122 00:11:21,790 --> 00:11:35,540 increasing always by four and goes through this whole xor shebang and it turns out 123 00:11:35,540 --> 00:11:41,200 that this is the obfuscation method for the AES Key. So, in password, in memory, 124 00:11:41,200 --> 00:11:45,950 we have an obfuscated key and we can be obfusciated by just implementing the code 125 00:11:45,950 --> 00:11:53,890 we see here in C or in the emulator. And sure enough, eventually this 126 00:11:53,890 --> 00:12:03,330 will be used as the key into the ECB 128 AES decryption. And so I implemented the 127 00:12:03,330 --> 00:12:08,760 whole thing in C, it was almost a copy paste from the decompiler, so you can in 128 00:12:08,760 --> 00:12:14,500 IAD Pro, you just hit F5, copy the C code at the bit, fix the memory offsets and so 129 00:12:14,500 --> 00:12:20,020 on. And you have the whole key obfuscation method basically reverse engineered almost 130 00:12:20,020 --> 00:12:25,630 automatically. And so I compile it. And sure enough, Moxa key extration, it turns 131 00:12:25,630 --> 00:12:31,200 out that the key is two eight eight seven Conn seven five six four. I build a short 132 00:12:31,200 --> 00:12:39,260 script to decrypt the 2.1 firmware and this time Binwalk finds all the files and 133 00:12:39,260 --> 00:12:41,740 we can start reverse engineering the actual firmware. 134 00:12:41,740 --> 00:12:48,519 *applause* 135 00:12:48,519 --> 00:12:54,180 The scripts for this are available on my github. I'll push the actual decrypts stuff 136 00:12:54,180 --> 00:12:59,810 after the talk because this is the first time this has been released. And so after 137 00:12:59,810 --> 00:13:03,470 I was at this point, I knew that the firmware is.. I can decrypted the firmware 138 00:13:03,470 --> 00:13:07,930 I can look into it. By the way, it's not signed or anything. The only verification 139 00:13:07,930 --> 00:13:14,480 method is CRC32. And so at this point I knew, OK, I can buy this device and 140 00:13:14,480 --> 00:13:19,980 start playing with it. And so I went to eBay, I bought one. I got it. I screwed it 141 00:13:19,980 --> 00:13:24,140 open. And sure enough, there's an ARM processor in there. It's an Freescale 142 00:13:24,140 --> 00:13:28,640 i.MX25, which is just a regular ARM processor. It's like 400 MHz or something, 143 00:13:28,640 --> 00:13:34,880 I don't know. And I started probing all the all the small pins inside of the 144 00:13:34,880 --> 00:13:43,040 device to try to find JTAG or serial or anything. And so I actually hooked up 145 00:13:43,040 --> 00:13:47,320 my power supply to foot pedal so that I can probe and just press with my foot to 146 00:13:47,320 --> 00:13:54,250 reset the device. And sure enough, I found that there's a full serial console 147 00:13:54,250 --> 00:14:00,660 available inside of the device on these pins. And if you boot the device, it even 148 00:14:00,660 --> 00:14:05,160 tells you, please press enter to activate this console, and so you do that and you 149 00:14:05,160 --> 00:14:07,463 are root on the device. 150 00:14:07,463 --> 00:14:14,820 *applause* 151 00:14:14,820 --> 00:14:18,660 So that's kind of cool, but that means that you require physical access, so 152 00:14:18,660 --> 00:14:23,530 that's not really a vulnerability, but it's very nice to have when doing security 153 00:14:23,530 --> 00:14:29,420 research because it means you can suddenly debug all the code on there. And so if you 154 00:14:29,420 --> 00:14:35,050 write an exploit, you can just touch GDB to the binary and start very, very simply, 155 00:14:35,050 --> 00:14:40,420 writing the exploit. So at this point, I was trying to look at the available 156 00:14:40,420 --> 00:14:46,010 services on the device. So for example, there is a web interface, there's a 157 00:14:46,010 --> 00:14:52,530 proprietary configuration protocol, there's telnet, there's snmp, there is a 158 00:14:52,530 --> 00:14:58,910 serial driver protocol and so on. And I started looking at the web interface and 159 00:14:58,910 --> 00:15:03,740 there was cross site scripting that was Cross site request forgery, there was 160 00:15:03,740 --> 00:15:07,440 insecure authentication where they basically hash on the client. So they have 161 00:15:07,440 --> 00:15:12,520 some JavaScript that hashes your password and then locks you in. Then there's a 162 00:15:12,520 --> 00:15:17,720 command injection which lets you execute code as root, there are stack overflows. 163 00:15:17,720 --> 00:15:23,675 And just a week ago there was a zero day released for the web server. So yeah, demo 164 00:15:23,675 --> 00:15:36,820 time. So just let me open up the Moxa Pitch right here. And so this one is 165 00:15:36,820 --> 00:15:41,240 authenticated, so I'll just enter the default password, which, by the way, in 166 00:15:41,240 --> 00:15:46,050 the field will 90 percent of the time these devices will be configured with 167 00:15:46,050 --> 00:15:54,950 default credentials. But still, so, if we just start browsing through this thing and 168 00:15:54,950 --> 00:16:00,140 go to the basic settings, we can start with a simple cross site scripting just in 169 00:16:00,140 --> 00:16:08,810 the device name. One sec, so just for example we just paste in some JavaScript. 170 00:16:08,810 --> 00:16:15,017 Submit the whole thing, and hello 34c3. 171 00:16:15,017 --> 00:16:19,560 *applause* 172 00:16:19,560 --> 00:16:23,770 I know what you're thinking, like cross site scripting, come on, that's not a 173 00:16:23,770 --> 00:16:28,530 vulnerability, that's just nothing. So let's look at the ping test that's 174 00:16:28,530 --> 00:16:33,910 integrated into this device. And funilly, a different device from Moxa that runs an 175 00:16:33,910 --> 00:16:39,570 entirely different firmware had the same vulnerability in the past. But if I just 176 00:16:39,570 --> 00:16:46,390 paste in my ping, so my IP address, a semicolon and then, for example, I cut 177 00:16:46,390 --> 00:16:51,970 /etc/passwd and activate enter. Here we go. 178 00:16:51,970 --> 00:17:00,060 *applause* 179 00:17:00,060 --> 00:17:08,199 Kind of funny, but, yes, for sure not intended. All righty, but I know what 180 00:17:08,199 --> 00:17:12,740 you're thinking, right, these are authenticated bugs in the web interface, 181 00:17:12,740 --> 00:17:17,460 so we need something unauthenticated. We want something that's like cool and a real 182 00:17:17,460 --> 00:17:23,420 exploit. Right? And so I decided to look at the.. this custom TCP protocol, which 183 00:17:23,420 --> 00:17:29,430 runs on Port 4900. And my goal was to reverse engineer the whole protocol and 184 00:17:29,430 --> 00:17:34,030 build a fuzzer for it, to find vulnerabilities, that turned out not to be 185 00:17:34,030 --> 00:17:40,990 necessary. So during some testing, I just sent a lot of bytes onto this thing and 186 00:17:40,990 --> 00:17:49,140 enabled crash debugging via the serial console. And sure enough, it crashed and 187 00:17:49,140 --> 00:17:58,740 put my program countdown right to 0x41414140. Wonderful. Thank you, Moxa. 188 00:17:58,740 --> 00:18:04,370 *applause* 189 00:18:04,370 --> 00:18:21,550 So, Demo time. So let's increase the size of this a bit. So I built a small script. 190 00:18:21,550 --> 00:18:34,490 Just called moxa_pown and I'll just supply the IP address to it. Let's see. Opening a 191 00:18:34,490 --> 00:18:43,620 second shell to connect to it via netcat. Here we go, we have a root shell on the 192 00:18:43,620 --> 00:18:44,600 device. 193 00:18:44,600 --> 00:18:54,263 *applause* 194 00:18:54,263 --> 00:19:01,540 So, yeah, that was the Moxa w21508, basically rolls of the tongue. And so the 195 00:19:01,540 --> 00:19:08,690 next device I decided to look at was the Advantech EKI-1522 which you can find 196 00:19:08,690 --> 00:19:17,460 right here. And it's, again, just a simple serial device server this time without 197 00:19:17,460 --> 00:19:21,410 Wi-Fi, even though they are available with Wi-Fi. It comes with two Ethernet ports 198 00:19:21,410 --> 00:19:26,060 two serial ports and so on. And I basically followed the same steps again. 199 00:19:26,060 --> 00:19:31,170 So I looked at the.. I downloaded the firmware. I looked at the edit using 200 00:19:31,170 --> 00:19:35,800 binwalk. And this time we see almost no entropy. So there is.. this guy is 201 00:19:35,800 --> 00:19:40,280 basically completely unencrypted. And again, we saw some ARM 32 bit it runs a 202 00:19:40,280 --> 00:19:51,010 Linux kernel, 2.6.31 and a BOA Web server where the last update was in 2005. And the 203 00:19:51,010 --> 00:19:56,770 firmware, I think, is from 2017. So these are kind of outdated. And I found 204 00:19:56,770 --> 00:20:01,230 during the initial analysis just of the firmware that the main binary to look at 205 00:20:01,230 --> 00:20:07,180 will be this edgserver binary. And so I loaded it into IDA pro and looked at the 206 00:20:07,180 --> 00:20:12,780 different things that calls. And there are a lot of calls to functions like 207 00:20:12,780 --> 00:20:18,340 string copy, to system, to sprintf and so on that are generally kind of considered 208 00:20:18,340 --> 00:20:25,660 unsecure. And sure enough, I am doing static analysis. I found that there's some 209 00:20:25,660 --> 00:20:33,630 code for sending an email as an alert, for example, when the system reboots. And 210 00:20:33,630 --> 00:20:39,250 the full command invocation is mailx -s blah blah blah, and we have control over 211 00:20:39,250 --> 00:20:46,160 some parts in the string because we can configure the two address in the UI. And if 212 00:20:46,160 --> 00:20:51,040 we look at what's happening here, it basically just sets up this 213 00:20:51,040 --> 00:20:56,500 format string. Then it goes to include the subject and then it gets some arguments 214 00:20:56,500 --> 00:21:04,260 from the stack and basically calls into system. And so there's no filtering 215 00:21:04,260 --> 00:21:09,930 going on at all. So we have an unfiltered part of the system, invocation, code 216 00:21:09,930 --> 00:21:15,380 execution. And this was before I had the device in my hand. And this is kind of a 217 00:21:15,380 --> 00:21:19,470 funny story because I first bought because it was just 40 bucks, I bought this 218 00:21:19,470 --> 00:21:24,770 device, which in the firmware has the same bug, but the mail functionality is broken, 219 00:21:24,770 --> 00:21:33,780 so I couldn't test it. So I had to go to eBay again, buy another one and buy the 220 00:21:33,780 --> 00:21:38,950 bigger one. And so I ordered the bigger one on eBay. Looks like this. It comes 221 00:21:38,950 --> 00:21:45,660 with a Cavium CNS C.P.U. It has JTAG exposed on the bottom there and serial 222 00:21:45,660 --> 00:21:50,940 console is available again without any authentication. So beautiful. You just 223 00:21:50,940 --> 00:21:57,809 connect your bus pirate or your UART adapter to it and you have full serial 224 00:21:57,809 --> 00:22:06,740 console. So, again, we had to look at finding vulnerabilities for this device 225 00:22:06,740 --> 00:22:11,559 and there, again, a ton of different services, there's like a Web interface 226 00:22:11,559 --> 00:22:15,670 available. There is a proprietary configuration protocol that's based on 227 00:22:15,670 --> 00:22:22,760 UDP. There is Telnet, there's snmp, there's a serial driver protocol and so 228 00:22:22,760 --> 00:22:28,380 on. And again, looked at the website and again, cross site scripting cross side 229 00:22:28,380 --> 00:22:33,280 request forgery, command injection, broken authentication, which basically if you log 230 00:22:33,280 --> 00:22:38,710 in from one computer, it uses, I think http digest authentication, you can 231 00:22:38,710 --> 00:22:42,690 connect from a completely different computer and it doesn't ask for a 232 00:22:42,690 --> 00:22:49,700 password. I don't know why that is, but.. Yeah. So I was thinking I was doing 233 00:22:49,700 --> 00:22:52,130 something wrong, but it turned out it was just broken. 234 00:22:52,130 --> 00:22:54,855 *laughter* 235 00:22:54,855 --> 00:23:03,170 So, yeah, and there's, again, a stack overflow in another protocol. So I guess, 236 00:23:03,170 --> 00:23:13,980 again, demo time. Let's first look at the device itself, so, you know the 237 00:23:13,980 --> 00:23:22,830 password, firstly, we have a nice device description here. This is just a basic web 238 00:23:22,830 --> 00:23:29,320 interface. Right. And we can, again, just copy in some basic JavaScript 239 00:23:29,320 --> 00:23:38,620 hit the save button. Reload and there we go, cross site scripting yet again, OK, 240 00:23:38,620 --> 00:23:49,129 again, not really interesting. Right. So, um, let's look at the stack overflow. 241 00:23:49,129 --> 00:24:04,070 Again, I have a small script advantech_pown. For the IP there. And we have netcat 242 00:24:04,070 --> 00:24:12,090 running on there. Sure enough, there we go, that's root on the Advantech device 243 00:24:12,090 --> 00:24:13,810 again, via stack overflow. 244 00:24:13,810 --> 00:24:25,516 *applause* 245 00:24:25,516 --> 00:24:31,500 Yeah, so two of three devices have basically broken already. Let's look 246 00:24:31,500 --> 00:24:38,150 at the next one. This one is a Lantronix EDS2100. And this one is kind of 247 00:24:38,150 --> 00:24:43,770 interesting because it's not ARM. I normally I almost exclusively do ARMs. So 248 00:24:43,770 --> 00:24:48,500 this one was kind of interesting. And this device, which is mounted somewhere right 249 00:24:48,500 --> 00:24:57,390 here. Yeah. This device comes with a serial to ethernet secure device server. 250 00:24:57,390 --> 00:25:01,929 It has two serial ports. It has Ethernet and you can buy it in two 251 00:25:01,929 --> 00:25:07,830 variants. One comes with Linux and one is Evolution OS, which is I guess, a 252 00:25:07,830 --> 00:25:14,880 proprietary operating system from Lantronics. And I'm using the EvolutionOS 253 00:25:14,880 --> 00:25:22,120 variant in this talk. Looking at the firmware it turns out it's unencrypted and 254 00:25:22,120 --> 00:25:28,240 it's coldfire architecture, which I've never done really anything with before, 255 00:25:28,240 --> 00:25:32,630 and there are no obvious external software components. So if you go through this, 256 00:25:32,630 --> 00:25:37,440 through the firmware, you'll find there's an SSH implementation, there's an SSL 257 00:25:37,440 --> 00:25:42,810 implementation, but it's not openSSL and it's not anything very well known. And the 258 00:25:42,810 --> 00:25:47,490 same is true for the web server and so on. It's not really anything that's well 259 00:25:47,490 --> 00:25:56,500 known. And this time, while probing the device, I did not really find anything 260 00:25:56,500 --> 00:26:01,580 interesting in terms of serial consoles or so, but it just found a potential debugger 261 00:26:01,580 --> 00:26:05,730 port, but it didn't have a fitting debugger unfortunately. The CPU is from 262 00:26:05,730 --> 00:26:14,760 NXP runs at 160MHz or something. Yeah. This time we actually have a web 263 00:26:14,760 --> 00:26:21,660 interface, we have Telnet SSL and it even has a file system, so you have like FTP 264 00:26:21,660 --> 00:26:26,210 and TFTP which allows you to download the configuration, upload the configuration 265 00:26:26,210 --> 00:26:30,980 and so on. And it's kind of hard to secure it correctly because there are so many 266 00:26:30,980 --> 00:26:37,000 protocols and it's not really clear what's set up by default. But yeah, you get 267 00:26:37,000 --> 00:26:44,350 the idea. And this time the web interface was surprisingly secure. So there was no 268 00:26:44,350 --> 00:26:50,230 cross site scripting. There was no command injection, because there's also not really 269 00:26:50,230 --> 00:26:55,440 a shell that you could execute commands into. But I still found some stuff. 270 00:26:55,440 --> 00:27:01,540 One is the configuration injection, which allows you basically to change the format 271 00:27:01,540 --> 00:27:06,630 of the configuration using a different field. And I found an authentication 272 00:27:06,630 --> 00:27:11,970 bypass, so I was able to write a small piece of code that takes a while and then 273 00:27:11,970 --> 00:27:23,650 completely removes the password from the device. Demo time. So if we connect to the 274 00:27:23,650 --> 00:27:29,750 Lantronics device, it will currently ask for a password, which in theory we don't 275 00:27:29,750 --> 00:27:44,580 have. Let's clean up here a bit. I know it's just. And let's run Lantronix_pown, 276 00:27:44,580 --> 00:27:51,300 oh, that was fast. That worked. Yeah, sure enough, the password is gone. 277 00:27:51,300 --> 00:27:59,980 *applause* 278 00:27:59,980 --> 00:28:07,230 Awesome. To be honest, I didn't expect the demos to go so smoothly, so I put in an 279 00:28:07,230 --> 00:28:13,710 hour for the talk for this went very well so far, so that's good. So before we 280 00:28:13,710 --> 00:28:22,170 finish already, some other devices are even worse. So, for example, as I 281 00:28:22,170 --> 00:28:26,549 mentioned, I bought some other devices, for example, this Advantaech device and 282 00:28:26,549 --> 00:28:31,610 this Moxa device and this Lantronix device, which are basically the 283 00:28:31,610 --> 00:28:38,940 predecessors of the other devices. And those guys are really interesting to look 284 00:28:38,940 --> 00:28:45,850 at, one could say. So, some of those are running eCos, which is an embedded Linux 285 00:28:45,850 --> 00:28:52,390 platform, which was last released in 2009, and some devices run a Linux kernel with 286 00:28:52,390 --> 00:28:57,570 the 2.4 version and you see Linux without any memory protection whatsoever. So even 287 00:28:57,570 --> 00:29:03,640 if they, so even a small stack overflow in one of the userspace applications gives 288 00:29:03,640 --> 00:29:08,640 you full root access to the device because you can directly exploit the kernel and 289 00:29:08,640 --> 00:29:12,840 there are unfixed public vulnerabilities. So in the first penetration test that I 290 00:29:12,840 --> 00:29:19,290 did, that included actually this device and Moxa and part of a small one. I found 291 00:29:19,290 --> 00:29:25,170 that using SNMPWwalk, it gives you back the administration password via SNMP. 292 00:29:25,170 --> 00:29:26,780 *laughing* 293 00:29:26,780 --> 00:29:31,500 And so I went online. I tried to report it. And it turns out it's well known 294 00:29:31,500 --> 00:29:34,160 there's a metasploit module for this 295 00:29:34,160 --> 00:29:36,830 *laughing* 296 00:29:36,830 --> 00:29:41,690 and it's unfixed, OK? And these devices are still in support. So I don't know why 297 00:29:41,690 --> 00:29:50,950 the vendor is not patching this. Yeah. So the summary with trivial vulnerabilities 298 00:29:50,950 --> 00:29:56,520 in most devices, or at least all that I've looked at, there are no security 299 00:29:56,520 --> 00:30:00,571 mitigations whatsoever. So they don't even enable like the compiler flags that you 300 00:30:00,571 --> 00:30:05,850 just set and then you have at least some kind of stack protection and some like 301 00:30:05,850 --> 00:30:11,070 stack cookies and whatnot. And some vendors are really bad at responding to 302 00:30:11,070 --> 00:30:18,429 vulnerability reports. So, yeah, I'm not going to name the vendor, but not even, on 303 00:30:18,429 --> 00:30:22,180 Twitter I asked them to please give me a security contact and they responded, 304 00:30:22,180 --> 00:30:26,840 please use our contact form. I said I did, three times. I send you emails, you're not 305 00:30:26,840 --> 00:30:30,600 responding to me. And so they stopped responding to me on Twitter too. 306 00:30:30,600 --> 00:30:40,809 *laughing* *applause* 307 00:30:40,809 --> 00:30:47,200 So how to mitigate? Well, the only way that I would see to mitigate against this, 308 00:30:47,200 --> 00:30:53,380 and I'm more on the deconstructive side of the story, is defense in depth. So never 309 00:30:53,380 --> 00:30:56,850 directly expose any of these devices to the Internet, even if they say they 310 00:30:56,850 --> 00:31:02,490 support VPN, even if they say they are a secure device of whatever, just don't do 311 00:31:02,490 --> 00:31:08,780 it. Get a real VPN gateway and make sure that you never rely on a single level of, 312 00:31:08,780 --> 00:31:16,169 for example, encryption. So, for example, WPA2 was broken by the crack attack and 313 00:31:16,169 --> 00:31:20,799 they actually released a patch for it after two months. And these are these are 314 00:31:20,799 --> 00:31:26,370 still two months where you are exposed to vulnerability on your potentially mission- 315 00:31:26,370 --> 00:31:33,760 critical system. Also never use GPRS for these devices without VPN because it just, 316 00:31:33,760 --> 00:31:41,480 it will go wrong. Okay. Yeah, thank you. I guess now we have time for Q&A. Thank you 317 00:31:41,480 --> 00:31:43,282 all for coming. 318 00:31:43,282 --> 00:31:49,170 *applause* 319 00:31:49,170 --> 00:31:57,990 Herald: Thank you very much for the talk. So we have very much time for Q&A. So 320 00:31:57,990 --> 00:32:03,980 please line up to the microphones and we have someone at microphone 4 already. 321 00:32:03,980 --> 00:32:09,220 Mic 4: Yes, hello. Hello. Thanks for your talk. This is.. obviously this is a 322 00:32:09,220 --> 00:32:14,792 problem. This is a part of the bigger problem of security in IT. Right. In 323 00:32:14,792 --> 00:32:18,950 anything related to any kind of technology. And this is only going to go 324 00:32:18,950 --> 00:32:25,230 worse with time, right. Internet of shit, internet of things and so and so on, so 325 00:32:25,230 --> 00:32:31,740 forth. So my question is, you gave some ideas how to mitigate this in this very 326 00:32:31,740 --> 00:32:36,540 specific area that use VPN, et cetera, et cetera. But my question is, so hacker 327 00:32:36,540 --> 00:32:42,462 community is not very, let's say, interested in regulation. Right? And when 328 00:32:42,462 --> 00:32:46,610 we see, when we see a government trying to do something with technology that usually 329 00:32:46,610 --> 00:32:51,580 goes bad, we have this idea in our head that, OK, this can only go like this can 330 00:32:51,580 --> 00:32:56,741 only go bad. Right. But so my question is: do you think that perhaps there is some 331 00:32:56,741 --> 00:33:00,810 space for regulation here? T: There's definitely space for 332 00:33:00,810 --> 00:33:07,450 regulation, but I think regulation does not solve the underlying technical issues. 333 00:33:07,450 --> 00:33:13,611 So these devices, it's 2017 and these devices are using C-code. I think that's 334 00:33:13,611 --> 00:33:18,580 just asking for trouble, basically. And so we really need to see this shift, even in 335 00:33:18,580 --> 00:33:22,690 the embedded world, to switch to memory safe languages, for example Rust or 336 00:33:22,690 --> 00:33:28,129 something similar, and really to stop using C in this kind of context. I don't 337 00:33:28,129 --> 00:33:35,729 think there's anyone who can .. Thank you. *applause* 338 00:33:35,729 --> 00:33:39,072 T: But there's definitely space for regulation. 339 00:33:39,072 --> 00:33:43,173 Herald: Since there was a question from the Internet. 340 00:33:43,173 --> 00:33:47,530 Signal Angel: OK, yeah, the Internet wants to know why you are not naming the bad 341 00:33:47,530 --> 00:33:51,980 vendor, because it looks like it's the only option basically if they don't 342 00:33:51,980 --> 00:33:57,990 respond to you. Let's say I asked them on Twitter and my Twitter is right there. And 343 00:33:57,990 --> 00:34:02,640 if you click on Tweets and Replies.. *laughter* 344 00:34:02,640 --> 00:34:05,850 Signal Angel: Yeah, somebody just posted the link on IRC. 345 00:34:05,850 --> 00:34:10,869 *laughter* T: I did not name them, just for the 346 00:34:10,869 --> 00:34:13,309 record. *laughter* 347 00:34:13,309 --> 00:34:17,029 *applause* Herald: So we have a question from 348 00:34:17,029 --> 00:34:23,369 microphone number 2. Mic 2: So you shown an exploit for the 349 00:34:23,369 --> 00:34:29,559 last device that disabled authentication. What did you use to achieve that? 350 00:34:29,559 --> 00:34:35,529 T: So this one is unpatched and not yet fixed, so I would rather not disclose the 351 00:34:35,529 --> 00:34:38,720 details yet. Mic 2: OK. 352 00:34:38,720 --> 00:34:42,919 Herald: Microphone number 1, please. Mic 1: I wonder if you've also been 353 00:34:42,919 --> 00:34:47,729 looking at a building automation system, control systems, or just industrial 354 00:34:47,729 --> 00:34:53,510 automation control systems? T: So you can use these devices basically 355 00:34:53,510 --> 00:35:00,609 wherever you want. And I think some of the Moxa ones are used in home automation. But 356 00:35:00,609 --> 00:35:05,920 I've looked at I guess Crestron, it's called? But not in a lot of detail. So I'm 357 00:35:05,920 --> 00:35:09,509 more on the industrial side at the moment. Mic 1: Thanks. 358 00:35:09,509 --> 00:35:15,079 Herald: Microphone number 3. Mic 3: Any field experience or even just 359 00:35:15,079 --> 00:35:21,259 opinions on using industrial strength Raspberry Pi hardware with community 360 00:35:21,259 --> 00:35:25,559 supported Linux distributions or something like OpenBC whatever on them. 361 00:35:25,559 --> 00:35:30,869 T: Yeah. So I guess the big trouble there is support, right? There are some, some 362 00:35:30,869 --> 00:35:34,579 German companies and so on that provide support for industrial Raspberry Pis and 363 00:35:34,579 --> 00:35:40,789 even like nice casing and so on. But I'm not sure if really Raspberry Pi is the way 364 00:35:40,789 --> 00:35:45,240 to go here. I think there are boards that are.. the problem is not the 365 00:35:45,240 --> 00:35:49,720 underlying stack, right? It's not the hardware. Really, that's the issue. It's 366 00:35:49,720 --> 00:35:55,950 the software. And you will have the same issues on on the Raspberry Pi. So, yeah, I 367 00:35:55,950 --> 00:36:00,880 guess you could buy these devices, which are like industrial grade shockproof and 368 00:36:00,880 --> 00:36:07,460 whatnot, and put some Linux on it and do it better. But I don't think that 369 00:36:07,460 --> 00:36:11,650 the hardware or platform will change anything at the moment. 370 00:36:11,650 --> 00:36:16,319 Herald: There is another question from microphone number 4. 371 00:36:16,319 --> 00:36:21,749 Mic 4: Hi, more a social question, did you get in contact with any development team, 372 00:36:21,749 --> 00:36:25,849 software development team in any of these companies, or might it be that there is no 373 00:36:25,849 --> 00:36:33,080 one behind the emails and everything? T: So I guess some of these companies are 374 00:36:33,080 --> 00:36:37,349 really so big, that they don't reply to you if you don't have a support contract 375 00:36:37,349 --> 00:36:45,049 with them. But, for example, the support of the ones that are not on my Twitter is 376 00:36:45,049 --> 00:36:49,730 kind of decent when it comes to two security reports. And so my next steps 377 00:36:49,730 --> 00:36:57,220 will be to go via the ICS Cert, but, you know, to report them. So, yes, there are 378 00:36:57,220 --> 00:37:03,737 development teams that will get in contact with you, just not from all vendors. 379 00:37:03,737 --> 00:37:06,670 Herald: Thank you. We have another question from the Internet. 380 00:37:06,670 --> 00:37:13,960 Signal Angel: Hello? OK. The Internet wants to know what to do about, because 381 00:37:13,960 --> 00:37:18,259 there are a lot of old devices in the field, how do you propose a vendor should 382 00:37:18,259 --> 00:37:24,200 deal with legacy devices and updates? T: Yeah, so keeping legacy devices 383 00:37:24,200 --> 00:37:29,680 supported is very expensive because, for example, if you buy a Qualcomm chip, they 384 00:37:29,680 --> 00:37:35,089 will eventually drop support for the Linux kernel for it and so on. But if you buy 385 00:37:35,089 --> 00:37:39,619 like a Freescale automotive chip, they guarantee you a certain time of support. 386 00:37:39,619 --> 00:37:43,490 But then you actually have to invest the money to regularly provide the updates and 387 00:37:43,490 --> 00:37:48,859 ensure that your devices are secure. The problem is that the lifetime of industrial 388 00:37:48,859 --> 00:37:55,470 installations currently is much larger than the lifetime of this processors' supports 389 00:37:55,470 --> 00:38:00,819 and so on. So I guess we'll have to get used to upgrading our hardware regularly 390 00:38:00,819 --> 00:38:07,400 or switch to, or figure out a different way of deploying secure software onto 391 00:38:07,400 --> 00:38:11,259 them. But I really think the underlying problem is, that we are still using 392 00:38:11,259 --> 00:38:16,229 memory unsafe languages. And I guess the fact that there's cross site scripting 393 00:38:16,229 --> 00:38:20,150 just shows that there's no security awareness really at those vendors 394 00:38:20,150 --> 00:38:29,395 whatsoever. At some of the vendors. Herald: So, microphone number 2, please. 395 00:38:29,395 --> 00:38:34,349 Mic 2: I was wondering, you mentioned that some of these facilities use GPRS. 396 00:38:34,349 --> 00:38:36,390 T: Yeah. Mic 2: Do you know if they have mostly 397 00:38:36,390 --> 00:38:40,749 their own closed infrastructure, or if they're using general consumer telecom 398 00:38:40,749 --> 00:38:44,849 stuff? T: So they will use commercial 399 00:38:44,849 --> 00:38:50,479 networks mostly, and then they have custom EPNs which have an IPSec tunnel or 400 00:38:50,479 --> 00:38:55,700 something similar to their premises. But there's also there's also a company that 401 00:38:55,700 --> 00:39:02,589 sells industrial control SIM cards which give you a public IP and you don't 402 00:39:02,589 --> 00:39:08,100 want to search on Shodan for that vendor. Mic 2: Yeah. Thank you. 403 00:39:08,100 --> 00:39:11,050 Herald: There is a question from microphone number 3. 404 00:39:11,050 --> 00:39:14,999 Mic 3: Hi there, isn't economics meant to solve some of these problems? We're not 405 00:39:14,999 --> 00:39:20,359 talking about dirt cheap devices. How surely at 300 bucks you should better have 406 00:39:20,359 --> 00:39:24,539 someone who's read security one and one. How long before a large organization gets 407 00:39:24,539 --> 00:39:28,200 the result of their security audit and goes to the aforementioned vendors and 408 00:39:28,200 --> 00:39:32,960 says, provide us something that's not trivially hackable, otherwise we stop 409 00:39:32,960 --> 00:39:37,839 buying your rubbish? T: Well, I mean, it's the same in all of 410 00:39:37,839 --> 00:39:45,329 IT, right? So everything has vulnerabilities. And yes, there should be 411 00:39:45,329 --> 00:39:50,400 market pressure. But that's why I'm trying to raise awareness for the issues that 412 00:39:50,400 --> 00:39:53,270 these devices have. Mic 3: Thanks. 413 00:39:53,270 --> 00:39:55,729 Herald: There's another question from the Internet. 414 00:39:55,729 --> 00:40:01,339 Signal Angel: Yep. The Internet wants to know how and if it's a good idea to raise 415 00:40:01,339 --> 00:40:06,549 the level of awareness in public, because they think it's a good approach to make 416 00:40:06,549 --> 00:40:11,869 people, the public know that, well, infrastructure in the cities is at risk. 417 00:40:11,869 --> 00:40:16,000 T: Uh, sorry. Could you repeat the first part of the question? 418 00:40:16,000 --> 00:40:21,339 Signal Angel: Yeah. They want to know how to raise awareness for this in the public? 419 00:40:21,339 --> 00:40:27,789 T: Good question. I guess we need some news articles or something about this in 420 00:40:27,789 --> 00:40:32,800 regular paper, but I personally think it's just an accident waiting to happen. So 421 00:40:32,800 --> 00:40:37,999 eventually someone will turn off the lights in a city or wherever, will open a 422 00:40:37,999 --> 00:40:44,773 flood valve or something. And that's when the awareness will start. 423 00:40:44,773 --> 00:40:47,813 Herald: There's another question from microphone number 4. 424 00:40:47,813 --> 00:40:51,680 Mic 4: OK, for what kind of industrial processes are these devices you just 425 00:40:51,680 --> 00:40:57,108 demoed used? T: So I've seen them in power utility. I 426 00:40:57,108 --> 00:41:02,350 know they're used in water dam control systems. They are used and in 427 00:41:02,350 --> 00:41:07,039 serial connecting a CNC machine to the network, they are used in connecting all 428 00:41:07,039 --> 00:41:10,690 kinds of stuff. Because if you have a big plant, you have a ton of different 429 00:41:10,690 --> 00:41:15,719 sensors. So you might, you might need the water level sensor. And for whatever 430 00:41:15,719 --> 00:41:20,680 reason, you only can get it with a modbus and then you need to convert the modbus to 431 00:41:20,680 --> 00:41:25,119 TCP and then you need one of these gateways. And so, I've seen in one 432 00:41:25,119 --> 00:41:28,529 cabinet, 20 of them. So they're really used a lot I guess. 433 00:41:28,529 --> 00:41:31,869 Mic 4: OK, thank you. I just retweeted your tweet to Star Alliance. 434 00:41:31,869 --> 00:41:37,979 T: Huh. *laughs* Thank you. *laughs* Herald: So there's another question from 435 00:41:37,979 --> 00:41:41,260 the Internet. Signal Angel: Yeah, the Internet wants to 436 00:41:41,260 --> 00:41:50,749 know if you did any research on MQTT for example from like Beckhoff uses? 437 00:41:50,749 --> 00:41:54,489 T: I actually talked to someone who recommended me to look at Beckhoff 438 00:41:54,489 --> 00:41:58,249 yesterday, but I've not looked at them whatsoever yet. 439 00:41:58,249 --> 00:42:01,900 Herald: And there's another question from microphone 3. 440 00:42:01,900 --> 00:42:07,450 Mic 3: OK, could you show the Moxa web panel, because I would like to double 441 00:42:07,450 --> 00:42:16,619 check, which proves that they and they would like you to see their Web page. And 442 00:42:16,619 --> 00:42:24,050 I think this browser isn't very secure. T: OK, let's take a look. 443 00:42:24,050 --> 00:42:29,160 Mic 3: Yeah, and under gohead the webserver small print. 444 00:42:29,160 --> 00:42:41,527 *laughter* Herald: Nice finding. 445 00:42:41,527 --> 00:42:47,859 T: That's probably the issue here. *laughs* 446 00:42:47,859 --> 00:42:55,658 Herald: Are there any more questions? Any questions from the Internet? 447 00:42:55,658 --> 00:43:02,009 Signal Angel: The internet wants to know how a memory safe language would prevent 448 00:43:02,009 --> 00:43:08,750 the authentication bypasses you showed? T: Not one would not be protected against 449 00:43:08,750 --> 00:43:13,130 but it protects against a ton of other stuff. It's just one example of where the 450 00:43:13,130 --> 00:43:18,420 industry needs to change. We need to stop using memory unsafe languages. We need to 451 00:43:18,420 --> 00:43:23,910 start really thinking about security design from the start, and we must not in 452 00:43:23,910 --> 00:43:28,319 2017, there's no excuse for having cross site scripting or anything on the web 453 00:43:28,319 --> 00:43:35,720 page. That's also if we in the Lantronics website, if you click logout, 454 00:43:35,720 --> 00:43:39,479 it tells you logout is not supported in your browser. 455 00:43:39,479 --> 00:43:43,290 *laughter* T: Probably because I'm not using Internet 456 00:43:43,290 --> 00:43:48,130 Explorer five. Herald: So there's another question from 457 00:43:48,130 --> 00:43:53,239 microphone number 3. Mic 3: Any remote part of the exploit 458 00:43:53,239 --> 00:43:57,750 where you did a buffer overflow - I think. 459 00:43:57,750 --> 00:44:01,490 T: Yeah? Mic 3: What I'm wondering is, are 460 00:44:01,490 --> 00:44:07,180 there.. isn't it like very standard to have ALSR on these devices? 461 00:44:07,180 --> 00:44:10,239 T: No! *laughts* It should be, but it isn't. 462 00:44:10,239 --> 00:44:16,199 Mic 3: Okay. Thank you though. That was pretty much my question. 463 00:44:16,199 --> 00:44:23,428 Herald: Is there another question from the Internet? It doesn't seem like it? 464 00:44:23,428 --> 00:44:36,052 Signal Angel: So, one just came in, OK, if you want to hear it. Ok, nope. 465 00:44:36,052 --> 00:44:41,329 *laughter* Herald: So, all right, give a very warm 466 00:44:41,329 --> 00:44:43,329 applause to Thomas Roth again! 467 00:44:43,329 --> 00:44:46,779 *applause* 468 00:44:46,779 --> 00:44:59,882 *postroll music* 469 00:44:59,882 --> 00:45:08,000 Subtitles created by c3subtitles.de in the year 2021. Join, and help us!