Fitness Tracker: Hack in Progress


Formal Metadata

Fitness Tracker: Hack in Progress
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Wearables are extremely trendy nowadays, but actually, we know little about their security: what information do they send on us? How reliable are they? Can they be hacked? etc. The fact they rely on proprietary protocols does not help. So, precisely, we focus on understanding the communication with the tracker. Eventually, that's how we learn how to turn the Flex into a wearable random number generator.

Thanks everybody, I will start straight away. What is this? It's easy, it's a fitness tracker. Again, it's the one there on the slides. It's not Obama's, OK, it's mine. Well, it's the one I'm hacking.
and I well if you haven't got 1 and we don't know what those are basically it well no attracted sports so it will tell you how many steps you been walking on some it also acts as a sleep response that's what they advertise it as so it'll it'll tell you if the and the quality of your sleep is good if you got an efficiency will not get and some the display this is really the entry level of sports responded to the date on it has only 5 let's say there is at the top there but the act like kind of a pro gets more so that you know how far you are from your next goal might to know my next goal is to walk 5 thousand steps in the in the day or 10 thousand Steps something like that and links some other but only the LEDs on like meant to be meaningful for somebody it also vibrate so you can wake up in the morning with it if you want or wake just in time to get to my talk and some on this 1 you have no well Tomita so if you're hiking on top of the Everest or whatever well it doesn't know but has no GPS those are only on the higher and higher models of of the Dutch factors so actually you see it's really I like you know a plastic plastics that fear and if you open it up this is where you get to the small plastic enclosure there and that's where you've got all the logic the electronics and everything that tells you how many steps on walking during the presentation for instance right and then I tried to open it stock convolved with
a circular so then my husband came in and he was frightened to see me with that so we decided to do the job he
thinks that like enormous Carter and I was frightened for his fingers and so we tried to open it up as you can see it's pretty tough because it's a very small enclosure on its last plastic is quite solid it is difficult to read through and then once you flip through it's very difficult not to break what is inside because what is inside is very fragile but you can see there are some of the move the pointer it's there rights and that's the Bluetooth antenna and here you can see on the wall the red part there that's the end of the Internet and there if you have a good alliance this this is the end of the right so in the end we managed to
open its without breaking the motherboard well nearly without making it and that's pretty good because some other guys and some of i fix it then 360 electronics had tried and they had broken the mother board so that that that it was no longer responding here what we broke if you can see it rips next time is there it's the
few so probably it will be blinking anymore but at least it should be still working and there and you can see this is the main chain so it's nasty an microelectronics jets with an ARM cortex and 3 on correct on their you've also got a real-time clock this is a tree axle accelerometers and so this is what matters is the acceleration on 3 axes this is the route to just this is for charging and then on the other side so low that you got you haven't got that much space because the battery here it takes but a lot of space of course and you've got the vibrator friends so that this is equivalent to
just this is all for that apartment part you have an idea how many tractors have been sold on all tractors combines not only for the bits of 10 million 40 million 70 million hands up for a 10 million 40 million but a 70 million and I didn't tell them that looks like it's between 40 million 70 million according to you what 70 million what according to steps right and it looks like it's growing so it's it's really a massive there those are the words but that's never worse what where in security conference in hacking conference so the question we have on our minds is what can we get it to register and take steps for instance so that crocodile is suggesting well if I were them for legs will account for more steps or something like that that's what we're gonna have a look at so we're going to have a video for that I but basically I tried to haven't registers some fake steps and find lazy like happens for quite a few hackers and I thought OK I'd like you to registered on the steps while I'm just sitting at my desk and working that would be cool and that's what I did so
you finally influences so
yeah we're 1st some synchronizing that the tractor that's like kind of the Jedi way I'd say to to synchronize its course of Huron windows or something like that there's an easier way to do it but still it works as synchronize and I have a look
at the beginning how many steps I had a bad day 30
8 steps but very much right and then I attach it to find yeah that stupid etc. very small fan like 5 euros something like that and that's at my office and that's lazy walking there we go and then we're gonna trying to synchronize it again and see how many steps of being doing I you know have been
looking very much have refresh the page 100 and 5 steps still might yeah I cell that was 67 steps in 45 seconds that's something
like 3 kilometres an hour it's not like you know I'm really you're walking very fast but it's better than nothing especially when I'm just sitting on on my chin I get back constraints now when
when it comes to being lazy to be honest I I'm really not the worst on that kind there were some other researchers liquidated they attached it to the wheel of the car that's really great I and we will be the random part like for 10 minutes not too fast like and the registered it was something like love it over 1000 steps that way which is not the same thing not so fast like it was wasn't maybe 4 kilometres an hour word limit more I probably didn't want to drive too fast and loose their tracker I don't know exactly how they set it up but that's another possibility I could put it on my car and so we'll be there we have it that way without actually making so it's not like
I you've seen that we can abuse that because of that and because of the distance is only steps multiplied by the walking strides we can up and we can also abuse distance and of course we can reduce the calories and they're very active minutes which are displayed on our that can get because the oldest depends at the beginning on what's the tracker registers steps well what about running all it turns out that but many people did research on those actually remainder is and how it was measured and with an excellent meter well we can work out pretty a lots of things for instance we have here the various curves for when we're walking and those there when we're jogging basically see higher peaks when you're jogging because you kind have but more acceleration what not me because I got under that dark a case that normal people it would look like that probably you also have some other patterns for somebody sitting down and standing up when you're standing up right you get out so you have a high acceleration on the vertical axis and the vertical axis is on that plot is the Y axis that's why you have that 1 the can even do better you can actually tell working out what you were doing so you've got I've that here patterns for when you're back you when you're brushing your teeth right cell with all that with only 1 and a natural leader getting detracts from the 3 axis of course I can tell if they're walking if you're running but I can also tell if you're brushing your teeth as quot so why would we be doing that OK it's cool to attach ones 1 strategy were fan but it's maybe kind of useless what the goal behind it at least 4 area and that hacker is somebody wants to get something out of it is to promote earned those undeserved badges it's the way I will be able to learn my 5 thousand steps batch my 10 thousand steps that or something like that and with that you can actually lead to various programs are from various companies which will give you kind of power points that you can 
redeem for various gifts like a gift card 50 dollar gift cards that that happens I can get some special discounts sneakers sports to whatever and there are plenty of other things that you can get from those there's for instance on the gambling solution for instance of its company called packed well they say are you you you kind of pattern major attracted to them and then you say OK this morning or today I'm gonna walk 10 thousand steps that's my and play some money if you only do like 9 thousand well you lose your bet you lose your money and your money goes to the other people who won the bet if you win your bet you get here Monday plus a little bit of all the money that the other is from the last there I k so you can get some kind of real money does on cheating and getting those and undeserved patches so that's kind of a motivation for attackers of course there's also money for business but that's pretty obvious but also hold those affirmation companies which gets that they got from your fitness tracker as well the make money out of it here we have I think which is a the company who I after gates with so Fitbit trackers and they say they said well we are also launching or industry-leading privacy protected of course and secure API and with that I'm trusted partners on an opt-in basic only to receive health outcomes effectivity data from participating users so there's money for everyone there to cannot begin at steps distance everything I with an axle reader we can do actually more than just an uh hacking and tracking tracking steps we can even know if you're brushing your teeth or pecunia vacuum in your house and there's money for everybody there's on the alleged amidst owner of the tracker in attacker and also the industry and when there's money that's the fact we know there's also spent there's always threat behind south now we're going to investigate and investigate a little bit more the software part of that this record their on and only knows due to the right 
well it also knows the NSC but I haven't got any any and and it's the device so I haven't tried that but the talks with so if you want to synchronize your data that we have at some point you have either right the dongle this 1 computer USB dongle for or SmartKom that knows of use low-energy and based those devices will kind of related but you're synchronize data to the fact those at the other end so that's what I wanted to do is just to myself on my laptop and from the laptops here to their fitness factor I just want to be able to talk to it to send messages to receive messages from it and learn from that to start happening so I wrote a small plaque and utility to do that and to rights to it it's pretty easy because actually you just have to send USB messages to the right end point there's 1 endpoint for peduncle with there and another and point for the tractor so you send you the message to the end point of the tractor and actually after after that it goes but due to the fact that there so we're gonna trying to trying to to several their attendance is not very fancy as you'll see that it works well I shouldn't say that different from that the 1st thing I have to well and claimed that dongle so that I can register it with my own staff and then I will we can get some information like from the dongle from 2 and gets up there that's stand version of my dental and its MAC address OK then I'm gonna detects trackers in the room of it some of you have trackers in the front rows they will probably be detected as well so all messages with the tracker all are always only there's plenty of characters so so smooth yeah at least in this and so contrary to that this was and there's another 1 there
I think mine is the 1st 1 is this 1 the other 3 item that I the in the R that means like forgot signal strength revoke forgotten art but the higher it is the closer it is to my USB dongle so that that's quite logical I have the first one is minus close to that and then the other ones are like features that those contractors have right so now um I'm going to have to select the tracker I want to talk with different than it was I have some idea but it out with your results and I can see mine any longer what's that um this try that this was a very good test because actually at some at work I only tried with 1 Mungle because the other 1 as you can see a rip it off and sigh there it goes on gonna select main and now what can I do well I conferences and all I can to write this now I probably won't see it but this 1 has the blends language I'll show you 1 of the it natural can see it but there's a few linking on my device there yeah thing we can do we always have to reset its I'm sorry it's all all of this stuff is a little bit painful but otherwise it's just says time out all the time we can get its data so I have to use that to get my tractor of believe and will trying and synchronize the data so minus times minus the seconds number due and get structured data sound there is so yeah that's interested and encryptor data out all the steps of the walking the spreading for the lot this time it's here's 1 to 4 and and I'm at the beginning what's interesting is that I managed to reverse that at least the header so I know that I am synchronizing with the Flex and say that it's for version 2 we don't really care that there's a sequence counter at the beginning and this is basically are like a model indicator and of which kind of flexor which version number is and then you've got the intricate and cryptic blob which is infected with keys out from the bits which contains all the steps and all the activity I've been doing so that's what and skill that
So all of these are messages that I can send with that kind of small tool. Well, I had to reverse everything manually, because there's no kind of hacker's documentation, of course, for those devices, so that was pretty long. I managed to reverse like 20 messages for the dongle, they have a different type, and then 24 messages for the tracker, with different types. And then there's the communication with the server itself, the Fitbit servers. This is done through HTTP or HTTPS, with an XML communication protocol, and this is very easy to reverse because you just have to wait just wait a shot sniff the network traffic and see how it's working, so this isn't really difficult. So we'll just have a glimpse at what tracker packets look like. We won't be going into the details of the 24 packets, of course. What happens is that all packets that you send to the tracker always start with C0: that's the indicator for "this is a tracker packet". Then you've got the command identifier, and 10 in that case means "get dump" request, which means "I would like to get the data to synchronize". The tracker receives that and will start to respond with "I'm going to start to send you my data dump", so this is command identifier 41, "start dump" response. Then it sends the dump, that's the encrypted blob that we saw, that huge blob, and then it sends another packet saying "OK, I finished", and you've also got the dump size, so that you can be sure that you haven't been missing any packet, for instance. there is also was seriously at some point but I haven't seen any cash for instance. There we go. OK, so we can do plenty of things: we can get the information of the dongle, we can see how many trackers there are nearby. If you want to come later on and try to synchronize with my tool, do come and see me afterwards. So, we can have the LEDs blink, that's great.
now just images if I tell my my managements hated you know it's great I been working like for 3 months and so of unable to get a few minutes blinking and so what we can do it with the standard tool but here I can do it with my own tool but unnaturally be impressed by it so I will try and do a more than that actually actually when it comes to getting satisfying management of it would be helpful actually if you man if you could fill in the subspace spanned satisfaction form of it's really very easy you've got like a scale of 0 very bad and 5 excellent be sure that if you put 0 track ships and uh if you can generate like 1999 instead of 5 that would be interesting for me as well right so the real question I'd say online and management would be interested in is rather out well this tractor get infected they don't know if you know what I am working with 14 and and I'm a malware analyst's there OK so this is really what my boss will be interested in in our if it can be really infected or if it can is it able to propagate and malware to other devices so we worked out so i and injection scenario here we have an attacker this sends some malicious code 2 of the track the tracker gets infected and and then next time although the eutectic can go away and the victim is going to discover at some time 7 point is going to discover the track for instance if he wants to know well and to synchronize it or something like that and what's interesting there is that we manage to get all responses from the tracker also contain that knowledge right so from now on whenever the infected attractor is queried for something while it will always answer some packets plus the knowledge source code and then well of course on the victim's laptop we can imagine plenty of nasty things that this malicious payload will deliver on like crashed laptop to propagate another device something like that so I will show you a video
of that because I have not been the so you and this 1 so it's really a year before I started it's really like you've got a hacker is a proof of consent it's not very visual I'm sorry about that it's clear that they so there'd starting and
I'm going to inject to the tracker some image in its analysis codes but it's not offered the demonstration purposes unjust injecting the string have your deflects right and then I each time by sending commands to my tractor you can see below that it is always answering the right packet but also hiked reflects which is which could be the knowledge discovery then I decided OK I sent plenty of messages and there's always factor affects their what happens if I really totally resets my tractor can I still see that injected CO so we are 100 per cent for for this part and then now where do completes reset and we use a few bytes there can still recovering like most of its which is what we're interested in so we can perhaps which actually does the injected by delivered further on so that we're not using so this is possible because of the vulnerability on the tractor which has been of course
disclosed to Fitbit, and which they said they will be patching very soon, so I will be
disclosing yeah exactly how how long it's been done but still in that video he can see that there are a few limitations 1st course at a proof of concept there was no real knowledge has come to only just a string being sent and that we see you coming back in in all packets afterwards the other limitation I have is that with this technique which I am only it able to inject at most 17 but 17 bytes that's not that's not a lot right would be a bit short for a full fledged botnet costs but still I think it's so valuable because if you were old enough to recall like that the crash and pension intrusion in 2004 well it was only 4 bytes you receive those 4 bytes on your computer and it would crash crash it completely so 17 bytes went is really far more than that the other limitations that we have for now is that I haven't been working on the way to actually executed deliver the payload on the so on the victim it receives the packet the infected packet but it still has to infect is uh to infect the laptop produce something on it this means like exploiting perhaps the risk the stack for exploiting the Bluetooth stack things like that that's for some other parts of research to be done there and of course and the other limit of course is that it that will be patching so this will be possible anyway in a few months probably now some other things we can do with the tractor there on that slide image in you don't want to use your attractor any longer for sports and you want to do something else with it or that y denote if it gets the servers are down and you don't know what to do with this factor and longer what we can use it as a source of and dropping so that's perhaps because I like photography cell that thought well you know we're always likelihoods source of entropy how about using this track there the way we do it again is just having a look at the various messages that we can send to the track there is 1 message will which is cool like potential trading them the tractor 
which is meant to set the bond between the smartphone and the tracker. And for that, well, the dongle or the smartphone is going to send a challenge, the tracker responds the other way with its own challenge, and then the dongle is meant to compute match out of those to check that those 2 random numbers numbers and that way tend towards the track. Now, if we just want a random number generator, we are just interested in the 2nd packet, this one, the 51. To get that one, we just send, like, a very dumb first one, 50. We don't care, we don't have to generate a local random number, we'll just send always the same one, and then we read the random number that the tracker sends, and we use that as a source of randomness. Let's try that. You know, I have plenty of trackers, so some money on this number 3, but actually I could have your tracker work as well. R&D that is get random numbers. So the first few bytes, the first 8 bytes, are a bit slow to get, because it has to establish the Bluetooth link to the tracker, and then it goes. I wouldn't call that fast, but that's fast enough to get some random numbers. So those are the random numbers that it generates.
Now, I'm sure that you wonder: OK, those
look random, but are they really random? That's really a good question, right? So, well, I tested that with the batteries of tests which are recommended by the this for their own uh their through 209 random number generator is that they want to kind of tests. So there is a tool called ent which regroups all those first tests: the chi-square test, the entropy test, the Monte Carlo pi test. And then there's another battery of tests which is called the modern here. In an ideal world, OK, that's what we're targeting, we would have a random number generator with those values there. You might never get this, of course, because ideal world is never perfect, and that's what we get for our tracker with my sister and there, and I compared with some other sources of entropy. So, Victor Hugo, this is French literature, just to see how bad it goes when something is not random. The difference in ciphertext here: all ciphertext is meant to be pretty much random at the end, when it's, you know, encrypted, so it's also a good way to test, to see how good a random source would be. And then you've got some physical evidence like radioactive decay as well to compare with. And the results are a bit difficult to assess, because there's no, like, real excellence in a random number generator, but it looks OK. I mean, it doesn't look really worse than what we have as standard on Linux systems, for instance. So perhaps I would not be using it for cryptography, but it's not too bad. So yeah, that's all. Just to recap: well, we are able to fool steps and distance counts. We can have LEDs blink, that's great, I like it personally, but we can also have lost. And we can see that the synchronization data that goes to the Fitbit servers is encrypted, and I'll be working on that later. We are able to inject 17 bytes on the tracker, which could be potentially harmful, because that way we can infect a tracker and propagate the
infection to other devices and we are able to enjoy tracker as a random number generator that sent you get humans there if you want to see some more of the the tools my tool will be posted in like a few days at the time I get back home I that if we've got some time for questions will be happy to answer and if some of you want to try to synchronize their tracker with the tool as possible as well no question or is it that I don't see the hands of yeah yeah so the question was it is it possible to apply it to other Fitbit trackers yes it is and this work is applicable to any of the tractor as far as I know I I there there are some specificities for some others are like they don't have the same device type the don't have the same exactly the same headers I haven't reversed exactly all of them but some yes the synchronize the same way you send the messages the same way and its global to get the same no way to to communicate with the track they just you have some for instance for those with a screen you have some messages which are implemented on this 1 but not used well on the the search for instance or on the charge of those packets are really useful and do something on the on the device but the question of the the the the the the the I I don't know what they're gonna do with with that they told me they would be fixing and Ieave I talked with them and the 1st time it was in March March this year and they told me it was about not security issue so I told them well if I don't mind as long as he shakes itself out and they haven't 6 suggests that's the only thing I know well it's possible to update the firmware yes I'm my deny use so in the the tool here I can
get the firmware data well accepted it's thing cryptids same thing so some can't make sure all the sense out of its yet and let me show you yeah it's very it gets more data so they have a way out to update the firmware and probably that what they will do do it that way the patch and send them from where update afterwards to people who were synchronizing I guess that's the way they're gonna do it does that answer your questions III the case any other questions yeah it's kind of a way have I haven't I tried to hide the firmware it's because it's encrypted were not uh it leaves the tracker there it leaves it's already interested so when I see the bites on the laptop it's already encrypted and 5 so have a look at them on the smartphone saying it's interested and when I discussed with the some of the bits security engineers they told me that the indeed the considers the laptop or smartphone as outside the security enclosure so that the had interested in before which is actually I guess that's a good measure so it's infected and for now I'm not even sure what algorithms they are using it could be either a yes or X T I am not sure if that's all I haven't been able to locate and the GDR using either and for that I need to to inspect the hardware so that's why at the beginning we started like opening it and now we have to like it to be to probe the hardware to to get something I haven't been able to see anything more with the software the the we the I can ask them for an updates but when I asked for an update it gets encrypted on my on the tractor so comparing interested data is useless yes I can downgrade I'm not so sure because there is at the beginning of some of the at the beginning of the packet there's a sequence counter and of for instance I tried some other times to do with some replay attacks on steps like I reports every packet that is going to go the data server while I've been doing 10 steps and try to replace that with changing the sequence counters correctly 
and it did not work so I guess that it's more than just encryption there's probably Indian corrupted packets either a some timer or something more but it's not working if you replace it so it might not be possible to downgrade for the same reason the In the case of cell have I tried other grounds and no I have not so far I have been playing with some other other devices like a sunny smart watches well but the architecture is completely different artists absolutely no 1 again no relationship with the with the track to try other trackers to be fun yeah and again OK well against sound that's all atmospheres another 1 that OK but thank you very much for attending
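
Added example, not part of the talk and not the speaker's tool: a Python sketch of three checks of the kind the ent utility performs (entropy, chi-square, Monte Carlo pi), for judging whether bytes collected from a device's challenge response look random. The inputs are constructed: a SHA-256 counter stream stands in for tracker output and repeated English text is the non-random baseline; the 1%/99% chi-square cut-off and the 24-bit coordinates follow ent's documented behaviour.

```python
import hashlib
import math
from collections import Counter


def constructed_stream(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for device output (constructed, not real tracker data)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed non-random baseline, playing the role of the literature sample.
CONSTRUCTED_TEXT = b"the tracker counted steps while it was strapped to a small desk fan. " * 400


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ideal for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against uniform (255 degrees of freedom).

    Needs a few thousand bytes so that each of the 256 bins has a usable expected count.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def chi_square_upper_tail(stat: float, dof: int = 255) -> float:
    """Approximate P(X >= stat) with the Wilson-Hilferty normal approximation."""
    z = ((stat / dof) ** (1 / 3) - (1 - 2 / (9 * dof))) / math.sqrt(2 / (9 * dof))
    return 0.5 * math.erfc(z / math.sqrt(2))


def monte_carlo_pi(data: bytes) -> float:
    """Each 6 bytes form a 24-bit (x, y) point; the share inside the quarter circle estimates pi/4."""
    points = len(data) // 6
    if points == 0:
        raise ValueError("need at least 6 bytes")
    radius_sq = (2 ** 24 - 1) ** 2
    hits = 0
    for i in range(points):
        x = int.from_bytes(data[6 * i:6 * i + 3], "big")
        y = int.from_bytes(data[6 * i + 3:6 * i + 6], "big")
        if x * x + y * y <= radius_sq:
            hits += 1
    return 4 * hits / points


def assess(data: bytes) -> dict:
    """Run all checks and flag the sample when the chi-square tail is below 1% or above 99%."""
    if len(data) < 6:
        raise ValueError("need at least 6 bytes")
    chi2 = chi_square(data)
    p = chi_square_upper_tail(chi2)
    return {
        "entropy_bits_per_byte": shannon_entropy(data),
        "chi_square": chi2,
        "chi_square_p": p,
        "mean": sum(data) / len(data),
        "monte_carlo_pi": monte_carlo_pi(data),
        "suspicious": p < 0.01 or p > 0.99,
    }


if __name__ == "__main__":
    for name, sample in (("constructed stream", constructed_stream(65536)),
                         ("constructed text", CONSTRUCTED_TEXT)):
        print(name)
        for key, value in assess(sample).items():
            print(f"  {key}: {value}")
```

Passing these checks only shows the absence of gross statistical bias; it says nothing about whether the generator is unpredictable to someone who knows how the device produces its values.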

