Talk: 10 Things I Learned From Hacking A Linux-Powered Rifle
Formal Metadata
Title: 10 Things I Learned From Hacking A Linux-Powered Rifle
Number of Parts: 17
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers: 10.5446/50524 (DOI)
Transcript: English(auto-generated)
00:08
Okay. Hi, morning. Welcome. My name is Runa Sandvik, and I'm going to talk about ten things I learned while hacking a Linux-powered rifle. So I'm originally from Oslo, Norway,
00:24
but I figured I'd give the presentation in English since it's just a lot easier with a lot of English terms, and talking about rifle components as well is a bit easier in English, but feel free to ask questions in Norwegian if you want to. So this is a
00:44
presentation that I gave at Black Hat and Def Con in Las Vegas last year, and I figured I would try and now sort of give the same talk, but then also summarise, sort of put an emphasis on ten things that I learned or that I took away from this project. The number
01:07
one question that I usually get when I say that I hacked a rifle is why? And the sort of default answer for me is because I can. It's one of those things where living in
01:26
Norway and reading a lot about Black Hat and Def Con, which are sort of these two massive hacker conferences in Vegas, and seeing all the amazing things that the researchers do at this conference, or at these conferences, I just always had a bit of a bucket list
01:46
item that I wanted to pull off this fantastic project at this conference, and so hacking a rifle, I think, certainly put it on the list. So lesson one, sort of number one
02:01
thing that I learned is I would say more something that I figured out before we even started working on the project, which is that people rarely pay attention until you make a statement. If I were to hack a toaster, for example, or a fridge magnet,
02:23
or a Barbie doll, I mean, it's fun, it's cool, but it doesn't get you the same level of attention as hacking a car, or hacking a rifle, or hacking an airplane, or a satellite. You get the idea. People aren't going to pay attention until you sort of make a statement
02:42
like that, and they're not going to see the value in securing the product either until you can really, really highlight why this matters. So that was sort of the number one thing. In part, I wanted to hack a rifle because I can, but I also wanted that sort of that statement piece to really get people to pay attention. So the rifle that we hacked,
03:05
and when I say we, this was a project that I did with my husband. So we decided to...or rather, he took me to a gun show where Tracking Point had a stand showing off these
03:21
rifles that have this sort of computer inside the scope, and it has a wireless network, and it has mobile apps, and all sorts of fancy things. And I said, well, we should totally buy one, hack it, and present in Vegas, and he said, okay. So that's what we ended up doing. So the rifle that we bought is a
03:41
Tracking Point TP750. So that just means that it's a standard stock Remington 700 bolt-action rifle. So it means it takes one bullet at a time, you put one bullet into the chamber, you load it, you fire, you have to do it all over again. The standard stock rifle,
04:01
but Tracking Point then put a custom scope on it. And I have some photos later to really illustrate this, but inside the scope is a bunch of PCBs that sort of make up the little computer inside of it, and there's a link, a sort of mechanical link between the scope and
04:22
the trigger as well. The hardware platform is called Cascade on the TP750. So Tracking Point has a couple of other firearms as well with a different hardware platform,
04:43
but we have been able to confirm that the issues we found on this rifle are also present in the other firearms that are running the sort of newer platform. So it runs a modified Angstrom Linux, which is sort of the same that you'd find on a BeagleBone Black. So it's pretty
05:06
much like a really small BeagleBone Black inside a rifle. You also have 16 megabyte flash storage for kernels and then 4 gig for the file system. So I also wanted to just quickly
05:22
explain exactly what makes the Tracking Point rifle interesting. And that is what Tracking Point calls the Tag Track and Exact system. So up on the sort of first picture to the left where it says Tag, the whole idea is that you're behind the rifle and
05:46
you're looking inside the scope and you identify your targets. You can then put the crosshairs straight on your target and then tap the red button that's by the trigger on the rifle. At that point, you tag your target so that the software that's inside the
06:03
rifle will actually help track your target as it moves back and forth. You can pull the trigger, but it's actually not going to release and fire until you've managed to line up the rifle in such a way that you will hit your target every single time. So it's like sniping for dummies, pretty much. I mean, coming from Norway, I had zero experience
06:28
with guns and I did not miss a single shot. So that sort of gives you an idea of what this sort of firearm can do. Some quick things to keep in mind. Our attacks require
06:45
the Wi-Fi to be on. So when you're using the rifle, you probably do want to use the scope so you can power the scope on, but you don't have to use the Wi-Fi unless you really want to. So we do require the Wi-Fi to be on to actually do any of the stuff that
07:04
we're doing. We cannot fire the rifle remotely. We can do a lot of interesting things, but we cannot fire remotely. That's still a physical mechanism. And the TP750 is a firearm even without the scope. So this means that even if I were to permanently brick the
07:24
scope on your rifle, it will still function as a firearm. It's big and it's heavy and you can't really see what you're doing, but you can still pull the trigger and fire. So when we started this project, I mean, I had some experience with I guess I'll just
07:47
call it software hacking. My husband was sort of the more hardware person and I did software stuff, but we still had a lot to learn when we took on this project. And
08:00
sort of with any sort of hacking project, whether it's hardware or something else, you sort of have to sit down and think about ways to get in, right? You have to actually think like an attacker. You can't just take this thing out of the box and say, how would a normal person use this? You have to say, well, if I was really evil, what could
08:25
I do? How could I get in? So the rest of the presentation is sort of divided into rounds. So I got round one through three, where we sort of have round one and the stuff that we sort of tried initially, the things that we looked at, the things that we sort of tried
08:43
and failed with, and sort of I'll summarize round one and then we'll step on to round two. So round one is sort of the unboxing, right? You get the rifle, you pop the box open and you try to figure out what is it that you just bought? What does it look like? What can you
09:02
do? So this is an illustration of the scope itself. As you'd expect on any rifle, it has a microphone and USB ports. And the power button, which is just to the right of the USB ports in the bottom right, once you've powered on the scope, if you push
09:23
the power button once, it will turn on the Wi-Fi. So it also has some sensors for just temperature and a couple of other bits and pieces. But fairly, I say standard.
09:42
There wasn't sort of anything super exciting. We thought that the USB ports would actually lead to something good, but it turns out that they are disabled on boot. So at this point, we're like, okay, so we have this rifle, it looks like this, it powers on, it has batteries and stuff. It has Wi-Fi, so what do you do? Well, you port scan, try and figure
10:07
out what kind of services are running on this thing. It's port 80, so there's a web server. And port 554, so there's a sort of video streaming service that's running
10:21
as well. And that was it. We were sort of like hoping for something more exciting like port 22 for SSH or telnet or something that would just make this really easy. But no. So, okay, we got the rifle, we can't really just sort of SSH to it and talk to it. So, what do we do now? Well, Tracking Point developed two mobile apps for
10:47
the purpose of sort of interacting with this rifle. One app is called Shot View. All this app does is once you're connected to the Wi-Fi of the rifle, you can open this app
11:02
and it allows you to just see with that video streaming service, it will just allow you to see exactly what the shooter is seeing inside the scope. So, you can't do anything, there are no buttons, there are no settings, there's nothing that you can change or touch or interact with. You can just watch the stream. Which Tracking Point would say that this
11:23
is a really good thing for training purposes. The other app, the Tracking Point app, is a bit more exciting because it has it gives you some settings that you can change. You can change the temperature, the wind, the type of ammo used on the rifle. Every single
11:46
time you tag a target or take a shot, the rifle will record and store a video of that on the scope that you can then download onto your phone. So, if you just took this amazing shot and you want to put it on Facebook, the rifle makes that really easy.
12:03
And there's like a passcode as well. So, when you initially start the rifle, it starts in what's called traditional mode. So, at this point, if you pull the trigger, it will fire and you may miss your targets. Advanced mode is where you get the Tag Track and
12:22
Exact system where you have to tag your target. You can hold the trigger, but it's not going to fire until the whole system has sort of calculated that if I fire right now, I'm going to hit the target. So, you can set a passcode for that as well. So, digging around some more, WPA2 is used on the Wi-Fi. We found that it's just
12:50
plain text communications between the apps and the scope. So, between your mobile phone or tablet or computer and the rifle itself. The rifle uses HTTP, so just plain text really,
13:06
or clear text, to pull updates from Tracking Point's website. So, the way that it does that is that you connect your phone to the rifle and you pull the version of the software and the serial number from the rifle onto your phone, then you take your
13:21
phone and put it on the internet again and you talk directly to Tracking Point's website and say, hey, here's my serial number. Here's the version I'm currently running. Do you have an update? Tracking Point will go, yes, here's a package for you. Send it back to your phone. You plug your phone back onto the rifle's Wi-Fi and it will push the package up. So, when we saw that, we were, like, holy shit, this is really exciting.
13:46
There are, like, packages in the clear. But the updates are actually GPG encrypted and signed. It can only be decrypted with a passphrase that only the scope knows. So, it wasn't a passphrase that we could easily guess. So, at this point, we're like,
14:05
oh, we don't have a whole lot of interesting stuff. There's sort of, like, bits and pieces that are sort of interesting, but not something that actually would give us anything, like, really interesting to talk about. So, we decompiled the mobile apps to see if there
14:27
were some additional features that we just hadn't tried. So, if you sort of try and pull out any communication that the apps can do with the rifle, you end up with sort of, like, a public API. There's, like, something for package upload. You can pull the serial
14:44
number. You can set a passcode. Get the version number. Set the type of ammo. There's some interesting bits and pieces, but nothing really juicy. And we also found that while
15:02
the mobile app or this API lets you change wind and temperature and ammo, it's only within a set range. If you try to change the temperature, it's going to give you, like, I think, five values that you can choose from. So, you can, for example, set the temperature to be
15:23
minus 5,000. So, it does do some input validation. So, we're like, okay, well, we don't have anything, like, super exciting. We have a couple of buttons that we can push but they don't really do anything. We have these apps, but our input is always validated,
15:43
so what do we do next? So, we just decided to just start pushing buttons. To see, like, maybe there's, like, a magic button combo that would open admin mode or pop open SSH or something. But, no. Sadly not. Which sort of led us to sort of summarise round one with
16:11
the SSID of the Wi-Fi contains the serial number of the rifle, and you cannot change it.
16:21
So, identifying a TrackingPoint Wi-Fi is pretty simple because it's going to be like a TP underscore and a bunch of numbers which is the rifle's serial number. The password is easy to guess, and you cannot change it either. And any RTSP client can stream
16:42
the scope views. You can stream it on your computer if you want to. Like I mentioned, the API validates input, and I say it's unauthenticated because anyone who can get onto your rifle's wireless network can use the mobile app. There's no sort of check to see is this Runa's
17:04
phone talking to me right now? Anyone who can get on the Wi-Fi can do stuff, can use the apps. I mentioned that you can set a four-digit pin to lock advanced mode, but four digits
17:21
is pretty easy to brute force, and there's also a public API call that just resets the lock completely, so you could easily connect to someone's rifle, reset the pin if it's there, and then set your own pin so that the owner can't use it. And the updates are GPG encrypted and signed. So, at this point, I think, so we spent about a year
17:49
off and on working on this project, and I think at this point, we had been trying to sort of work on it for probably about four or five months, and we were getting pretty close to the time when you have to submit a talk to Black Hat and DEF CON, and
18:03
we were like, we really, really need to find something better than this, which sort of, to summarize lesson three, you need to be willing to potentially brick the device. There sort of comes a time in any sort of hardware project where you need to just suck it up and just open the thing up and see if that
18:21
gives you more access, which potentially bricks it later on, but if you're lucky, you can sort of still salvage some bits. So, for round two, we decided to take a closer look at the inside of the scope. So, in this case, you see the scope on top with a bunch of PCBs, and then you see the red button by the
18:44
trigger, that's the red button that you push to tag your target, and at that point, the trigger is locked. So, you can pull the trigger all you want, but it's not going to release and fire until the rifle has decided that now's the right time. Yeah, just a bit of a different image showing pretty much the
19:06
same thing, and here's what it looks like if you sort of pop the scope open, a bunch of PCBs and some buttons up top, which looks like this up close, but this
19:26
photo is a bit more interesting. So, all the PCBs in this photo are double-sided, so that means that there's stuff on either side of every single PCB in here, and so you see sort of two PCBs on either side, and then you
19:44
have this triangle, and there's stuff on all sides, and the whole thing holds together, so you can't easily just pull it out. In addition, towards the top of the photo, there's a bunch of tiny, tiny cables that connect that PCB
20:00
to like the rest of the rifle, so you can't just like pull it out and play with it and pop it back in. So, we figured we'd sort of, we needed to find a way to just connect a computer to this rifle without taking the PCBs
20:25
out. We really wanted to avoid cutting any cables or doing anything that could could break it. Now, if you watch any sort of hardware talk, or hardware hacking talk specifically, a lot of people will talk about UART and how
20:43
that just makes it really easy to just hook up some cables and you plug it into your computer and you have root access, you get a console and you have full access to the system. So, that's what we did, and when we saw this screen, we were like, yes, we finally got it, like it's actually booting, we got the ASCII, this is amazing. But then this happened, and
21:08
to highlight that a bit, console access but with a login. So, it was pretty clear that TrackingPoint didn't really want anyone logging on to the
21:21
machine. We did guess, we did spend some time trying to guess the login, which was a waste of time, because we didn't really get anywhere with that. We did get to, let's see if the other image shows it. Maybe not. You can interrupt the boot process and get this additional
21:44
sort of slight, almost like a debug menu. So, you can dump the memory, and you can look at the boot parameters, and you can change a couple of things in there. So, we spent a long time trying to just dump the memory, because we figured, well, if we don't have console
22:02
access, if we can't log in, then maybe we can just dump the memory and we will just get everything anyways. That's when we learned that the kernels, which is this part, when you boot, are on a different chip than the file system that we're after. So, we spent a long time,
22:22
and we just dumped four Linux kernels, basically. So, at this point, we sort of had to summarize with two amazing bullet points. Console access is password-protected, and the kernels and file systems are in separate chips. So, at this point, we're like, I think at this point, we had actually submitted to both Black Hat
22:43
and DEF CON, and we had, like, sort of stated that we have all of these amazing results, and we didn't. So, we were sort of, like, down to, like, crunch time to really, like, find something to present on stage, because otherwise, we would go on stage in Vegas and say, here's this thing, we didn't get in. Which, to sort of summarize point four,
23:06
it's not always as easy as it looks on YouTube. When everyone talks about, like, oh, hey, I got UART, and then I got full-on console access, and we're like, no, no. It doesn't always work like that. Sometimes, it takes a bit longer, and you have to be a bit creative
23:24
to actually find the stuff that you're after. So, for round three, so, remember how I said, like, you have to be willing to break the device? We sort of got down to, like, well, we don't really have anything.
23:40
The conferences are actually coming up really soon. I know this is, like, a $13,000 rifle, but we need some stuff. So, we ended up pulling out the PCB, because we're like, well, if we can't get to the file system by dumping memory, and we don't have console access, let's just pull the PCB,
24:03
and let's pull the chip with the file system and just dump it that way. Except, it's pretty hard to figure out which chip has the file system. And we spent a long time reading a lot of schematics and trying to figure out which one could possibly be the chip with the file system.
24:24
And I can tell you, we actually, sorry, we actually pulled the wrong chip first. We ended up pulling the FPGA. So, when we put it back on, the rifle never quite worked the same way again. I mean, it still boots,
24:41
and it has Wi-Fi, and you can technically fire. It just doesn't work the same way as it used to. So, the file system was actually hiding under here. So, at this point, we were really wondering how, on Earth, do you read data off of a chip like that?
25:04
And thanks to some amazing people that helped us out with the project, we learned that there's something called eMMC. So, it's like a sort of USB memory card type thing. On the PCB, on the side, you don't even have to pull the PCB from the rifle. You can just sort of, same concept as with
25:23
the right cables, and you get access. So, we're like, okay, so, we're seeing all of these, like, pins. We're like, well, okay, but how do you, how do you, like, go from, like, these pins to an actual connection to your computer? Well, it's like a $100 device. Pretty cheap,
25:42
pretty easy. So, all hooked up, it looks sort of like this. And at the end of it, it's like a USB cable that you just plug into your computer, and it sort of just pops up as, like, a USB drive. Full access to the system. At this point, we're like, yes, we finally have something. And this was, like, two months
26:03
before this, like, massive conference in Vegas. We're like, yes, we finally have stuff. But now came the hard part. We finally got access to the system, but finding any vulnerabilities that we could use as sort of, like, malicious attackers was still the challenge. It was still something that we had to do.
26:21
So, poking around the file system and sort of figuring out how the system works, what is it that you communicate with when you're using the mobile apps, is we managed to sort of create this admin API. And I
26:43
haven't listed all the calls that we got access to, but the type of API call that if you know about it, you can use it, and this one will open port 22, so you can SSH in.
27:05
There's a bunch of other calls as well. Sorry. We decided not to list, not to name, all of them, because the U.S. military does own and use some of these
27:22
rifles. And TrackingPoint has also stated that any U.S. agency that wants to use their firearms to fight ISIS in Syria will get the firearms for free. So, we figured we would just not list or name some of these API calls just not to piss anyone off. So, there's one call that I'll
27:42
just refer to as the system backend. So, it's one call that if you know about it, you can use it, which will open a port in the firewall on the rifle, and you can just use, like, a standard UNIX socket to connect to it and talk directly to the system backend. So, while the API
28:05
that the mobile app is using validates your input, so, like I said, you can't, like, if you're changing the temperature, you've got, like, five values that you can change between or choose between. But if you're talking directly to the system backend, you can set whatever you want, and it's not going to reject it. So,
28:24
if you want to set at this point that the temperature is minus 50,000, you can, and it's going to happily accept that value. So, by talking directly to the system backend in this way, you can make temporary changes to
28:40
the system. And you can change things like wind, temperature, ballistics values. You can change the ammo. You can make the scope think that it is attached to a totally different firearm. You can control the solenoid, so you can actually lock the trigger. So,
29:01
while we cannot fire remotely, we can prevent anyone from actually pulling the trigger. So, here's a, I got a video demo that shows how the rifle works normally. So, the sort of top right box there is the
29:20
video from the scope itself. And what you'll see is you'll see the crosshairs move. And then we tag the red circle in the middle. And then you'll see us fire. So, as the crosshairs, we're just sort of trying to figure out where to drop the tag. That's
29:41
tag. And this was 50 yards. I forget how much that is in meters, but it's not very, very far. But it has a, it can go a bit further, but this was just for the purposes of the video. So, it's pretty, pretty easy.
30:01
Nothing sort of super exciting. Now, this one is a bit more interesting. So, at this point, we, by communicating directly with the system backend, said that the bullet is heavier than it really is. We
30:24
went from like a default value of like 125 grains to I wonder if it was 50,000. Some crazy, crazy number that just happily accepted it. So, what you see again in the top right, this is the same
30:40
target that we just fired at. So, what you'll see is that we're gonna try and, again, put the crosshairs in the red blob in the middle, tag the same target in the same spot, and fire. So, the crosshairs jump far to the right because we
31:02
changed the value. Now, what happened is that we hit the target on the left instead. So, by just changing one value, the weight of the bullets, we can hit a completely different target. And there
31:20
is no indication in the HUD here to the user that this is going on. So, but these are all temporary changes. We wanted something a bit more exciting than that. We wanted to try and make permanent changes to the rifle. Which sort of leads us to this sort of lesson five. You need
31:42
to understand the tools you secured the device with. I guess that is more of a lesson for the vendor and not for me, the hacker. But digging around the software update script of the rifle. So, I mentioned the packages are all GPG
32:05
encrypted. It can only be decrypted with a pass phrase. Once we were on the scope, we found the update script and we found the pass phrase that we needed to decrypt the packages. So, actually pulling like ten versions or ten updates worth
32:22
of packages was really easy. And you could decrypt the individual packages as well and then modify them. And the reason you could modify them is that TrackingPoint has two GPG keys. One which the company holds and is the set of keys that it's using to actually sign and
32:41
encrypt the updates in the first place. The second key or the second set of keys is on the scope. And every single TrackingPoint firearm has the same GPG key on it. So, if you have access to that key, you can create an update that is actually valid on every single TrackingPoint firearm out there. Which
33:02
will allow us to make persistent permanent changes to the system and also gives you root access. Because at this point, we found that, yes, we can make it fire to the left or to the right. We can make it not fire at all.
33:20
But we still wanted to be able to SSH into the rifle. So, I created a custom software update that just added our own user to the system. So, this is a video that just shows it will show us trying to log in as the user hacker. You'll see that failed because that user
33:41
doesn't exist on the system. Then we'll upload and apply our custom update. And then we'll try to SSH again. So, initially we're just
34:05
using the SSH accept call to open the port. We try to log in. It fails. This is what you see inside the scope when you're applying the software update. So it added the
34:35
user to the user table. Then it reboots and loads the HUD again. So we
35:02
try to SSH one more time, enter the password and get root access. So that goes to show lesson six. Again, a pretty simple one: a motivated attacker
35:22
will always find a way in. Granted, it took us almost a year, on and off. It took a very long time. It wasn't like those YouTube videos where they hook something up and they're in ten minutes later. So it took a long time, but it was a really fun project. So for the round three
35:42
findings: the admin API is unauthenticated. This means that anyone who can connect to the wireless network and knows the right API call to communicate with the system back end can do so. There are no additional checks.
36:03
The only thing that can give away that someone has connected to the rifle is that, when you're inside the HUD, up in the top right corner, there's a little Wi-Fi indicator with a number below
36:21
it. It will say one, two or three, depending on how many people are connected. But I can assure you, if you're looking inside that scope and really focusing on your target, you're not going to see this tiny number up in the right-hand corner change. That, and anyone who has full access to the system in this way can easily either hide that little
36:41
icon or change the numbers. The system back end is unauthenticated. The system back end does not validate input, which is what allowed us to change the bullet grain value. The GPG key on the scope can encrypt and sign updates for any TrackingPoint firearm. So at this point,
37:05
we knew that if you wanted to make permanent changes to the system, and if you wanted root access, you had to use a software update to do so. Which is fun, but we wanted to find an additional way of getting in. If you
37:25
want to watch the video, it's on YouTube, but we found a remote code execution as well. So without a software update, you can still get straight-up root access on the rifle. You would think that after talking about
37:41
root access and custom software updates and remote code execution on this thing, it's pretty bad. But I would say that it's actually not all that bad. When you look at this sort of hardware project or IoT
38:02
device and compare it to other IoT devices, TrackingPoint actually did a pretty good job securing it. The USB ports are disabled during boot. You can't do anything with them. Even if you just try to plug in a USB
38:21
stick, nothing will happen. There's no power going to those ports. The media is deleted from the scope once you download it onto your phone. This means that if someone else were to connect to your rifle, they're not going to see the shots that you took two months ago if you have already
38:41
downloaded them, because they're deleted from the scope right away. WPA isn't used, even if you cannot change the wireless password. The API does validate user input, and I added a little asterisk to it because the API I'm talking about is the one that you're
39:01
using with the mobile app. So at least a random person with the mobile app can't do any real damage. You need to know the other API calls to actually do anything fun. Console access is password protected. We had to have a software update or remote code execution to
39:22
actually get in. And this is something that we didn't get until we had really taken the whole thing apart. Software updates are GPG encrypted and signed. So they tried. They didn't implement it the way they probably should have. But it does mean that
39:41
random people who aren't willing to invest a year's worth of time researching a project aren't going to go and mess with people's rifles. So they actually did a pretty good job securing the system. But I guess another lesson for the vendor and not for the
40:01
hacker: companies need a process for handling security issues. And this is very true for TrackingPoint. When we submitted to Black Hat and DEF CON, at the same time we contacted TrackingPoint because we just wanted to say, hey, we're working on this project. We're
40:22
hoping to present in Vegas. We haven't really found anything major yet, but we want to open the lines of communication and stay in touch. And we got zero replies. Until Andy Greenberg was writing this Wired article about
40:42
our project. He reached out to TrackingPoint a week before our presentation last August. Only at that point did TrackingPoint get in touch with us to hear what we had found and how they should fix it. So we went through all the different issues with them and told them exactly
41:02
what they needed to do to lock this thing down even more. They stated that they would mail a USB stick with a patch to all their customers. That never happened. The only thing that did happen was that TrackingPoint updated its website with a message that says you can
41:21
continue to use the Wi-Fi on the rifle if you're confident there are no hackers within 100 feet. So this is the official comment from TrackingPoint when someone hacks their rifles. They're still in business. And later on
41:42
one of the founders, I think, was quoted in the media as saying no one is going to hack the rifle of a red-blooded American. And I'm thinking, well, we did. And you should fix it. But they still haven't. So the issues are still there.
42:01
Lesson eight. Hacking a rifle sounds pretty fancy, but IoT attack vectors are pretty much the same across the board. If you look at presentations where people talk about hacking cars or any other type of device, it's going to come down to the same approach
42:22
for the most part. The same issues pop up again and again. So this wasn't black magic. It wasn't stuff that you couldn't do either. It just took a very long time. But the way that we finally got in is a
42:43
standard approach, I would say. So we added a slide to give the vendors something, instead of just standing on stage and saying, hey, we hacked your rifle and you should fix it. We wanted to
43:00
add that the issues that we found are not unique to the rifle at all, and that too many vendors ignore the low-hanging fruit. Especially if you look at the two bottom resources there, BuildItSecure.ly and the OWASP IoT Top 10, those are two fantastic resources to
43:20
find really common issues in IoT devices, whether it's default passwords, console access with no password, SSH, root access, all of these different things. There are a lot of standard bits and pieces there. And that
43:41
leads me to this other point: innovation is the main focus in IoT, sadly. If you look at any Kickstarter page or any IoT device out there, people
44:00
don't want this super secure box that does some stuff. People want this super awesome box, and then they don't really care if it's secure or not. Security doesn't even come second. It's not something that people usually question. And I wouldn't say it's because people don't care.
44:23
They just don't understand that security is something they should question and something they should want. It's always the case, and especially in Scandinavia I would say, that people just assume that it's there. Because why would you create a device that is insecure? You just can't. It doesn't work
44:40
like that. So innovation is the driving force in this space. And finally, I do want to add, for anyone who's considering working on a hardware project, the final lesson for us was
45:00
don't be afraid to ask for help. If we hadn't asked for help and gotten help from a bunch of really awesome people, many of them former Intel people actually, we would never have gotten the presentation that we really wanted to give. We would
45:20
never have found as many of the issues as we did. So if you are working on any sort of hardware hacking project, there are a bunch of people in this space who are interested in it and really happy to help out as well. There's a Norwegian named Marie Moe. She gave a presentation
45:43
in Germany in December last year about hacking her pacemaker. Some of you might have seen that presentation. She did the same thing: she had this project in mind, but she also reached out to people in the community for help with it, which made her presentation a lot more awesome. So there are
46:00
a lot of really awesome people in this space and they're happy to help. So with that, I want to thank you all for coming. If you have any questions, I'm happy to take them now or I'll be around later as well. Thank you.