Hack All The Things: 20 Devices in 45 Minutes

so we’ve got we got a mirror CJ Hans and Mike and they are going to hack 45 or 20 devices in 45 minutes let’s give them a big party track welcome charge all right good stuff hello everyone I wanted to welcome you to GTV hacker presents hack all the things 20 devices in 45 minutes a GTV hacker production so who are we we’re GTV hacker we formed to root the original Google TV in 2010 we’ve released exploits for every Google TV device since then plus some others including the chromecast Roku and many more to come today you guys will really enjoy this presentation so who are we the speaking members today that you’re going to get to hear from are myself I work at a Kevon as a research scientist and I found at the GTV hacker group their CJ hears he’s a security researcher group head at a non-profit we have hands Nilsen he is security senior security consultant at Monsanto and we have Mike Baker mbm firmware developer and open co-found or open wrt co-founder so who are the other members there’s only able to be four of us on stage to present and we have you know roughly eight members we have guy enough age he’s actually running the CTF right now he’s part of legit yes we have Sarek who was the creator of cydia we have Quang who is a student and has a tripled pest currently and we have Tom Dwenger who goes by TV Wang and he’s our apk reverser and really just handles anything Java so why do we hack all the things well we own the hardware why not the software we also really don’t like devices to end up the landfills when a device hits its end of life you know it’s it can be not really useful anymore it it could just essentially kill a device like in the case of the Logitech Revue if any of you are familiar with it we also always aim to make the product better if we can do anything we can to make the product better you know give it more functionality whatever it is you know we do it and last but not least we really enjoy the challenge you know it’s it’s like solving a puzzle you really just you love it when you win so what takeaways are you going to get today so you’re gonna do so come on you get a room you get a root no so what take way so essentially 20 20 devices and 45 minutes doesn’t leave us a whole lot of time to spend on each device what we’re doing is consider this a showcase of things that will be added to our wiki right after the count of our presentation we are going to give technical details hardware diagrams everything we can because it’s going to be pretty hard to read and we’re not going to give everything a whole lot of time so you know you see the the link at the bottom of our slide deck Dec 22 GTV hacker comm visit that right after the presentation when we get back to our hotel will kill the basic off on it and you know you will get access to all the stuff you saw the presentation so let me introduce hands Thank You Amir so there are a limitless number of ways to attack these kind of devices it is everything today these 20 devices we have three main methods that we’re going to look at we can use you arts serial ports to talk to debug ports get into devices where we shouldn’t be able to we can use EMM see it’s SD card like and we can just connect to that use that to modify storage directly the lettuce access device operating systems and also just a whole bunch of command injection related bugs that they are very very popular in consumer electronics to Isis so not further ado let’s let’s talk about a whole bunch of you art based tags so what is the you are uh usually there’s used to interact with debug ports on a board then consumer electronics they’re generally not used for any actual functionality they’re just used for the manufacturer to connect to it do debug stuff that kind of thing it’s a very very simple interface there’s one wire for transmit one wire for receive and then one wire for ground reference so that everything works protocol simple it’s been around forever it’s way older than I am I am 27 thank you for asking so yeah it’s it’s this

great simple protocol that shows up in all kinds of places because it’s really convenient to use on these devices uses all kinds of different voltage levels there’s the serial port you’re familiar with on a computer hmm the so we have a few free you aren’t adapters to give out at the end you to go play with your own devices with I hope you get as much use out of them as we do so what do we look for when we’re trying to find a you are uh usually they’re pretty easy to spot on boards it consists of you know three or four pins usually in like a line or a little square you can get oscilloscope poke around the board try and find things that look like they’re spitting out data you can see the waveform so without further ado let’s let’s get started looking at the actual devices so the first guy here is it’s a printer okay so we have this networked all in one photo scanner printer whatever thing it’s running Linux everything runs Linux so what can we do with this guy here so if we take a look there’s here’s a board shot so throughout the presentation we’re going to be showing you board shots along with the place on the board where you can see the ports accessible so if you look off to the left here you can see where we’ve soldered on these four wires to a uart port and you can see it’s got that classic you know four pins in a row arrangement so right there there’s our you are okay awesome so what can we do with that well when we turn the printer on and we have that you are connected the printer gives us this cool console menu okay you know it’s got useful things like reboot the printer reset the settings or run arbitrary shell command so there we go we didn’t have to do anything we got the shell there with that run shell command we can run whatever commits we want and then we can go have fun playing with our printer the Belkin Wemo is internet-connected wall plug basically you can use your phone to turn things a light your coffeemaker on and off it’s it’s been widely exploited by various people and yeah tiny fun little device so pulling this open you know a little hard to read there but often the off the left-of-center you can see the transmit and receive pins there and once we hook up a UART to that what do we get well the internet tells us that you know all your it’s patched they fix that it turns out that no they didn’t quite get that so during recovery you actually have two seconds to insert a command okay so what do we do about that we can just run the single command down here at the bottom it kills the script that reboots it and then there you go we’re running its route in recovery we can do what we want cool so this is a fun little embedded device it is just a gateway kind of thing that controls smart light bulbs kind of kind of like the Philips you if you’ve seen that uses igby igby is a pretty popular protocol that we’ve seen in these things I know there’s been lots of great talks about ZigBee here already so yeah this thing is kind of fun cuz it’s got a PowerPC you know who using PowerPC these days you know Apple hasn’t done that for who knows how long it provides an SSH server when you run this thing but we don’t have credentials for that okay too bad what else can we do you are so look at the board you can see those cool little test points down there at the bottom the red arrows there’s the transmit there’s the receive the it’s really fun trying to find these things because they always just kind of stand out and you’re say okay what is this plug in plug in your multimeter plug in your scope connect to it and see is there stuff coming out of here can I do anything with it so cool we have the you are here and it has you boot on it it has you boot without any settings changed on it it’s just you Moo what does you move you mood is the bootloader that lets us load and run Linux so we can talk to the bootloader now we can do anything we can reflash the device we can change the kernel command-line what is changing the kernel command-line let us do when booting Linux you can provide it with a bunch of options you know how much memory does this device have what port do I want my serial console on what

is the first program I want you to run once you low to that file system so the hit argument you can pass bin SH to that what does that do it spawns the shell as root cool really easy way to get past all of the various other initialization scripts that might lock settings down or not provide consoles skips all that goes right into a root shell I know we can do what it whatever it is we want it turns out that the thing that we wanted to do is crack the root password so we grab that ass four distinct green it’s good stuff the file transporter another device that came out recently it’s kind of neat it’s basically a cloud Nass sort of you have this device it’s got a big old hard drive in it leave it on your home network and then through their service you can connect back to your home device and then access your files great so you know pretty pretty standard kind of device it’s running Linux running arm builder basic user land which is fun thing that we haven’t seen as much of these days but build roots awesome for those of you who have played with the wrt54g back in the day lots of fun there so pull this thing open oh hey look at that they even gave us a header often we find that there are headers and devices but they’re not populated in this case it was populated so again we have a u-boot shell of L which lets us change the kernel command line again so we can get that root shell and then we can do whatever it is we want to with this device which is awesome the co-star LT it is the successor to the Visio co-star which was a Google TV this is no longer a Google TV it’s funny we don’t even have Google TV’s anymore you can be despite me being named G TV hacker so ignores the arrow garrow’s not actually what you want to look at you want to look at the little red and white text up to the top left there you go there’s the classic you know four pins in a row layout you can see the receive and transmit there so this was this was a fun one because when we first turned it on you know we saw three lines of output from the you are it was basically you boot saying hello okay here’s kernel that was it nothing okay that was weird at some point we left the flash drive plugged in and it said oh I don’t I don’t understand the file system on this flash device okay what do we do now uh try fat32 so format is fat32 plug it in try it what do we get hey I can’t find FSS okay that’s really suspicious so we did a little bit of research into this and it turns out that FS this is a you boot script image file which is a file that you Bo will just load and execute arbitrary commands from cool so we can then use the same tricks we used with the previous u-boot hacks and modify that in an argument to the kernel again and with that we can get root along with FS there’s this safe kernel image one we can use this to actually just boot the entirely different kernel just from a USB flash drive that we plugged in awesome the staples connect is just another small home automation hub it’s rebranded OAM hardware you know we see a lot of this kind of stuff it’s you know it’s got Wi-Fi it’s got a USB port for plugging in your hard drives whatever what do we have here hey look it’s a header Hey look there receive and transmit pins on it sweet what does that get us well it got us a restricted you good environment so what do we do here well the obvious answer is if we short out pins night 29 and 30 on the nanochip to ground while it’s booting the human environment that gets read from the name gets corrupted you mood says uh-oh resets everything and there we go we can actually just type commands into the u-boot console again so after we reset all the various properties and arguments and you boot to that kaput we can just use standard olden it trick get root on there and congratulations we have now routed this we also crack the password for this one this was not a very hard cross or password to crack but it is useful to know that at this point

I would like to introduce CJ all right so I’m going to talk to you about emmc flash as you pointed out emmc flash is pretty cool it’s pretty much an SD card on the chip the thought was that you can take an SD card put on a chip not have to worry about any extra magical bits a normal man flash will have extra bits that handles error correction error correcting code out-of-bounds stuff it’s usually paint for developers to deal with so dropping the MMC flash on there then you can go ahead and just use a normal file system access it like an SD card when it supports it everything just supports it it’s great and hacking wise usually you can get into it with free with rather cheap emmc readers which we’re giving a few away totally free we have since MMC is pretty much electrically compatible with SD cards many MMC readers and SD card readers can be used one another and if you’re looking for figure out you know you have an MC flash it’s BGA do you need pins defined so the thought is how do I do that the thought you can first look but for nearby resistors that’s usually a plus furthermore you can talk about board design sometimes things will be labeled you’ll see resistor numbers then you can figure out increments and whatnot also the command lines and the clock lines tend to be on one side of the flash while the data lines tend to be on the other so based off how it’s routed you can usually tell somewhat with intuition and if that doesn’t work hooked up to a logic analyzer clock line looks very specific data lines will send April votive data so you can grab it that way if that doesn’t work then you pull the chip and trace it which is what we did with the amazon firetv which we’ll show you in a moment but that picture although small is a BGA flash pulled and wired up to an MMC reader which is actually an SD card reader so we could get a dump of it but speaking of the fire TV so as we know this is our device number seven it’s a quad core 1.7 gigahertz Snapdragon runs fire OS which is just a modified well heavily modified Android and we have pin outs so emmc pin out on the left two boxes died to find this my first box I found the pin up I couldn’t get it to work so got a second box pulled the flash realized no I was right but somehow in the process killed the first so third time’s the charm got it routed it it’s fine it’s great the pen outs on the left it’s also on the wiki DC 22 GTE hacker comm and on the right we have a you are panned out not a whole lot of information comes out of there and mostly fast food related stuff so moving on with the emmc we have the Hisense android TV it’s a Google TV sort of they rebranded it to kind of lose the stigma uses a slightly newer processor last year at Def Con we demonstrated how to bypass secure boot on last year’s entire system on chip family it was a nice little bug but moving on with this high sense which is a quad-core CPU use Android 4.2.2 we bring up the emmc again so pinups we have peanuts data zero for a data line command clock ground and power that is all you need usually easy to saw the two the resistors are small but you’re not pulling a flash so considerably easier for the Hisense Google TV pretty much what you do you mount the factory setting partition which by the system is mounted with no parameters so no no su ID no no exact you can pretty much dump whatever you want on there and run it as a normal user so wire it up mount my factory setting partition which contains a bunch of DRM self so they usually don’t touch it which is good for persistence give it a good old forest 475 5 C mod and you get to execute through ADB and just elevate you could also modify system which pretty much holds the general OS for Android and then put on super issue or things that most beautiful milli with but I like a normal you know static SU binary moving forward never say something has never been hacked in 2011 the post office because they are the experts at refrigerated security put out an ad stating stating that a refrigerator has never been hacked I did not have the room or the pretty much reason to spend $3,000 on a refrigerator so finally got to do the second best thing by parts for the refrigerator enter the LG smart fridge runs Android 2.3 which is a bit old but ok it’s the brains of the fridge it controls ice compressor water pretty much everything normal usage you we use it to track groceries or say you know I drank this much water today it has Wi-Fi USB and SD card so the first thought pull it open here’s what it looks like inside these pots again big pictures on the wiki you are which actually found second boots – root console but that’s no fun so what we did instead went through emmc you’ve got to go the hard way so you go into MMC and

pretty much mount system as with the fire TV what we did instead was we pushed a normal Android launcher so when the system boots up you’ll see it a little later it will pop up and pretty much ask you you know what launcher do you want to start and you just start number one and then you can then run your own apps with relative ease and again since the you are already Budokan so we ended up finding that our secure zero which pretty much meant that they didn’t even try but now moving on past all the hardware stuff into command injection so just a heads up user input cannot be trusted do not use shell commands in your set code again never ever trust user input if you do please at least escape your commands this counts for system as well because you see manufacturers they’ll put in an LS and then pull variable % s into system and then say I pass into that variable a semicolon reboot semicolon it will execute LS semicolon reboot semicolon in Linux – semicolon pretty much tells it let’s execute new command many times that will happen is root and you can get in so a perfect demo of that a series of Vizio Smart TVs that the Broadcom 97,000 based Yahoo powered Smart TV which is a little old but it’s still widely available and full array backlit which I like first the thin once you get better blacks the smartness could be better it’s again a little old TVs nice and thick thanks to that full right backlight so there is a command injection via the Wi-Fi password if you’re setting up Wi-Fi you can go to menu you go to network you select Wi-Fi if you type in these commands which I’ll explain in a moment you can have route overview on so pretty much what we do is we take USB you are adapters which we have some to give away very soon and to the first command which makes it a character character note that pretty much tells the kernel where to send the data we want to attempt chichi be hacker you have a major and a minor that again just routes the data properly enter that give it a minute or two it will error out then you enter the large bash command which pretty much says take all the input coming across that character for device sends it to the shell and any anything date coming from the shell send it to the character device which is great then we have route over USB you are so it was device ten moving on to device eleven the Sony BDP s 5100 blu-ray player it’s a blu-ray player as an MGK 8500 series chipset it runs Linux Wi-Fi netflix vudu smart apps all of that fun stuff keep that mind for a minute next up we have the lg BP 530 blu-ray player it’s again a blu-ray player with the same chipset that runs my next Wi-Fi netflix vudu they’re pretty similar and we found that there’s actually a bug in these supplied packages from the chipset manufacturer that affects many players possibly including many more than this if you put an empty file name Vudu dot txt on a fat32 Drive and a folder called voodoo and also create a folder file called voodoo SH in that same folder add these commands in which pretty much always the password so we because we didn’t want to crack at this time just zeros it out and a telnet command you press vodoo with the drive in you get a telnet shell on the LG player and the Sony player and many other players with the same chip set such as the next one which is the Panasonic bdg 230 but oh that’s easy we found another one on this just because so picture of the board we have UART as previously explained tx/rx ground that was rather important for us in figuring out this bug because at times debugging output comes out across those pins that you would not see you won’t normally see but we were able to see it that way there was in the LS there was a command injection in the network folder name so typing in a command to south of town that shell which we only noticed because of the you are were then able to inject commands and on the MS route so now I’m going to hand it off to mbm thanks CJ so next up is the Motorola RAZR now I’m not going to talk about Android Android has been routed this is about the baseband this is an isolated processor separate from Android so the communication between Android and the baseband is done over a USB network connection the baseband listens on the USB network port of runs a diagnostic script and it runs that diagnostic script as Rou now if you

actually go and you look at the script they’re running a busybox command by piping the file name through awk this means that using the file name we can do a knock shell injection so if we have an file name that contains this X 0 1 system we can inject any command that we want and run it as Roo so next up we’re going to talk about the Pogoplug mobile this is a cloud storage device also a Nazz so you can plug in a USB Drive we’ve got a UART on it this gives us access to the bootloader and the root shell but we also have a command line injection using the web page so if you go to the sq DHP plug page and you add an action command you can inject arbitrary commands they all run as root so if we move on to the neck your push to TV this is a set-top box we have the UART pins and through the UART we can interrupt the bootloader and through the bootloader we can also control the Linux and run our own commands using the same injection that was talked about earlier now if you happen to miss the bootloader you can also run commands using the root shell for a few seconds and we also have command line injection via the web interface you simply set the nickname of the box and that will be executed as root so semicolon whatever and you can make this persistent if you want you can mess around with the SPI you can set the default you boot environment variables and set whatever you want to run a you boot the next boot up so moving on we have the Oh Motel oh this is a void browser it’s running open wrt and we have a UART again this is using a console log in but we’re talking about command injection so they already have the SSH running it’s just firewalled by default so what we need to do is to inject a command to change the firewall rules and we do this using the web interface we can inject that whatever command we want and we’re going to show you on the next slide the actual command but we want to point out that the default root password is the exclamation mark OMAP one two three we had a little bit of fun once we got in we just dumped the password file and started a cracker by default the SSH is only available on the land so there’s no risk there so this is the Omo Telo web interface and if you look at the arrow there we’re pointing at the command so if you type in the XCOM with the IP tables you can adjust the IP tables rule that gives you access to the SSH and you can use the password those gave so next up we have the Netgear Nazz this is a media device it’s a flash based so everything’s an SWF file this is a a secure Broadcom SOC with encrypted updates so everything on this box is signed so let’s take a quick look at the UART again this gives us access to some things but we’re going to talk about the command line engine or the injection via the web interface so when it downloads and update the updates are downloaded over HTTP this is a really bad idea so if I pull down one of the apps pull it open I can eject a malicious sim link and traverse the filesystem and dump files anywhere on the filesystem so if I repack the app

put a man in the middle and feed it my version of the app using the update I can drop a root shell so moving on we have the Asus cube we’ve already hacked this previously we had an app available on the Play Store unfortunately Google pulled it they don’t like these apps so let’s talk about how to get back in if we mount an SMB share we get the permissions of the SMB share so all we need to do is set up an SMB share with the SU binary and we set the su ID bit we can then a DB into the cube run the SU binary and we get Roo so now I’m going to hand off to a mirror thank you Mike so let’s let’s start having some more fun let’s get some more interesting devices up I’m going to talk about the summer baby zoom Wi-Fi monitor so what this is the Wi-Fi baby monitor it has custom RF and it’s marketed as a secure baby monitor baby monitoring device so with our common pattern first things first we always look at UART here’s the UART adapter or the UART pin out it’s a little hard to read again DC – honey – GTV hacker comm for the pin out soon after the presentation but this actual bug will the first bug they they have a hard-coded username and password on the device that the binary uses to communicate with the web interface now you know this this is a terrible practice from a security standpoint you don’t want to hard-code credentials in every single device so if you can see below the credentials are leet-speak ms catted min or c admin and authenticate is the password so let’s get into the hard code username and password if you call nvram show you can see that it lists three users two of which have different credentials or actually different user rights and then you see the hard-coded username and password actually also has admin as well as the snap admin which is the one that has the specific password that it changes per device so let’s get into some command execution on this device hard coded passwords are cool but a you know command injection and command execution that’s what we’re always looking for we want to run route commands so system GT cgi is a binary that is accessible within mid credentials it uses HTTP basic auth and the system GT post of art gets executed with system as root if you can see below we gave a little example of how you can to make a call to enable a telnet server anytime you enable a telnet server with root remember most cases probably not going to be password protected unless you’re passing like a – L slash bin slash login which tells it that when someone connects to the device to run bin slash login normally with some of these examples we do slash bin slash SH so when someone logs in it directly drops you to a root shell now anytime you do that again don’t leave that open you don’t want people connecting to your device you know let’s be safe here so 20 devices you know that’s cool and all but this is Def Con 22 and we want to take it one step further so why not 22 devices so we we figured and actually this was a there’s a lot of work to come up with 20 devices to hack and even more work to get 22 done in the period of time before the conference so let’s let’s get into the next one the next item on our list is the Samsung smart cam what this is it’s very similar to the summer Wi-Fi baby’s room pro but it’s just a standalone camera it doesn’t have a hand-held RF monitor doesn’t pan and tilt it’s just a network camera with a speaker and a microphone it has a web interface for local access and a mobile phone app for remote access and yeah so let’s get into the UART adapter again you can see a populated pin header with ground rx TX and VCC and we note the pod settings and connection settings at the very bottom as well the fact that it

only does console logging so the pre off on this particular device is rather interesting we found this guy after looking at how they process logins and how they handle creating the original administrator password when you first set up the device you’re prompted to set up your own administrator password the downside to this is that they don’t actually check that the password is already set so you can call this script to change the password on an administrator password that’s already set up so you know it’s it’s a nasty bug so the CGI script normally does the aw check but not on a new user and this is only accessible over the land so command injection on this particular thing now they you can set up a wireless your wireless settings for your wireless network at home and you can set up a wpa2 WPA WEP or open network with the WEP key it’s actually put into a config file and then pulled out a little while later and when it’s pulled out it’s stored into a command and so you get command injection by inputting a a shell escaped command into the web key it can it can be exploited without fists without physical access to the device because how how it works is in order for the bug to get triggered you set up your web key with you know the malicious string and then to actually get it to do the connection you have to unplug the network cable unless it’s already connected over Wi-Fi if it is connected over Wi-Fi and you change the WEP key it could disconnect you and you could just lose access you know it’s it’s it needs the physical access essentially to trigger the other thing is the web interface runs is route so you get route command injection by changing the Wi-Fi WEP key in this screenshot protect this particular screenshot we show kind of the input field where the command injection occurs and we give an example of how to enable a route telnet show I mentioned earlier passing /l slash bin slash SH or dash L slash bin slash SH tells it to pass new connections over to slash bin slash SH so again this is another one of those that you don’t want to do and leave running on your camera unless you change you add a new user and do slash bin slash login so that’s the route on that device that’s our 21st I’m really excited to tell you guys about the 22nd mostly because I see so much potential in this device mostly for us hackers this device is called the wink hub I really like this device mostly because of all the peripherals that it has and the fact that this particular device has a bluetooth chipset Wi-Fi chipset a z-wave chipset and a ZigBee chipset it also has a TI c c11 1 RF SDR and it you know with a little bit of dev work it could be a really great RF toolkit for any of the RF hackers out there it has multiple peripherals essentially what this is a home automation gateway that you it interacts with already setup api’s and you know it has all the communication methods so that it can contact all your devices and they even have their own line of devices from a propane gauge to a device that does humidity temperature light and motion sensing it also has smart locks and so the thing about this device will actually get to the information about the devices here in a second so this is the board it’s really pretty board everything’s compartmentalized the debug headers are all broken out I mean it’s it’s really nice the other thing about this device is it’s an under $50 device they have deals where if you buy peripherals you can even get the device free so you know if you’re interested in RF stuff and you want to put a little bit of dev work this is a really really cool board you notice it has five and 10 I on it it gives you the ability to pretty much communicate with every smart device you can think of as long as there’s some API available and wink has chosen supported so the wink hub has a command injection bug if you don’t read PHP if you don’t know PHP you can see that there’s a sudo command that takes in a node ID in an attribute ID value that’s passed in from the post variables so this goes to a pass through command and then the return code is is pushed back as well as a the the output of the command so really cool take it home or go buy one you can route it have lots of fun and now probably

what you guys have been waiting for let’s see if we can get dual core up here for a little a little fun oh I got it on the screen right okay duper got it in eighty anyone I can wrap all pack all the things but it’s not going to turn out well I promise you okay sweet nad come on buddy okay good times just yeah just play like a music oh this also seemed like fun we got like a light show and stuff in 80 oh I see him yeah let’s welcome in 80 to the stage come on guys look at him run for you that’s a that’s a dedicated rapper right there thank you buddy you saved me okay so we’re at music and rap music accessories so whoa while he’s rapping we’re gonna walk around we’re gonna hand out some of these UART adapters we got some dual core CDs we got a chromecast we’re gonna hand out we got MMC adapters we got roughly a hundred UART adapters it’s gonna be lots of fun got some cool lights let’s have a good time guys this is the party track let’s make it rain cool alright give me a sec please make some noise for the GTV hackers hacking all the things now to be honest that was a cheap ploy for me to try to catch my breath from running over here from the vendor area my name is nad I’m the rapper in dual core you might have heard us from songs such as drink all the booze hack all the things which is what we intend to do here but I want to give a shout out real quick anyway here hack cars cool so a friend of mine published the car hacker’s handbook it’s licensed under Creative Commons so you can download it for free online you can also buy it on Amazon I have a couple copies with me at my booth in the vendor area if you had cars come talking about some cool car hacking maybe I can hook you up with a copy anyways I’m gonna do some rap music probably run out of breath maybe die uh can I can I get you guys to like officially DJ like my DJ does and hit the spacebar to start the song are you ready for this you tell me when alright we’ll count it down one two wait what comes after two not every geek with a Commodore 64 can hack into NASA so I’m gonna say drink all the booze you guys held hack all the things yo even up settle scores quick our disaster recovery requires even more fists put your bytes up through it all you got my c64 and we blew it into orbit and face him with eight straight perfect boom of old emotions make hate break circuits because you heard as a name fake service optimize our run time to escape verdicts cut it into just so flow that the can side mass encodes engine size command line landmine so before they’ll see me after I’m advice talker ritual + Velociraptor there’s no proof or Shuman because we really have to my team built seems it destroyed read capture hate what they see finish this chapter by the way we’re not any keeps me hacking than that so we drink all the booze drink all the booze drink all the booze got this bike it is red when I still give me wings so we drink all the booze drink all the booze drink all the booze zero through three we’re in every single rain no I’m just waiting till my blackberry dies cuz I’ll replace it with the Raspberry Pi don’t compare to the track it mimics everything they said dole neutralize any threat to Red Skull attempt no they killed virus writers that we mentioned

but instead they ascended to the vx7 who react our data’s live why is sorry hi ciphers and sign device drivers which school will we hit next they didn’t run the format so we’ve got a print app next step is engine check freestyle – das bitte passing a crush internet mcs arrive battles get your Wi-Fi tackled hack 5 pineapple I don’t think you’re like my snapples cuz I popped it with mod to the cyanide capsule you guys ready to hack all the things here we go sir we drink all the booze drink all the booze drink all the booze that’s a spike in this rare Pony still give me wings so we drink all the booze drink all the booze drink all the booze you know there’s gonna be security right first we drink all the booze then hack all the things the fact or the firmware on anything you praying regardless of the hardware service or recoded connected to the Internet someone’s going to own it just spoil the pirates and clapping off the sound attack above the cloud then we’ll back an underground there’s no mass controls down we pop tor nodes around the globe try gonna let you down hacks on schedule attitude countless devices online here comes another challenge the state infiltrated so hunting us this is what my konrad zuse Terrigen debuggers who trace every buffer tamponade Nicolo haven’t been to safety better pop another note goes I think I’ll need a plan decides to earn his something just want to watch the your turn we’re still a chill drink all the booze drink all the booze drink all the booze got this fight game is dreadful they still give me wink so we drink all the food drink all the booze drink all the booze zero three three we’re in every single race I mean these serviceable firewalls are double beggars hack off the face yes make some noise for the GPZ hackers guys I can’t believe we had dual-core alligator that’s amazing guys give around a hand for this guy’s he did it without notice you did it without pay just a great guy so real quick let’s go to the slides again where we went okay yeah we got get out of here soon whoa okay so so we’re gonna have questions in the Q&A at chill-out lounge we want to give a big THANK YOU to woo okay got it got it so we’re gonna give a big shout out to Def Con we can shout out to dual core DDG GT tff radix Mingo oxo string Cody Walker Ian Whitfield DC 22 to be hyper calm we’ll have our slides after we get back to our hotel room where we can push the switch and wiki is GTV hacker comm forms form GTV hacker comm blog GT hacker conf or our blog woo and I gotta exercise more free no net channel GTV hacker follow us on twitter at GTV hacker we don’t bite we love hearing from the community thank you everyone for having us out we love you guys thank you again