 would be inappropriate of me to comment on this particular issue, but maybe I kind of sums it up. So for you guys over there, if you like this shirt, there is a template and the LBGFX guys will make it up for you. My idea was, I thought, well, this guy gave up his job. He put his head above the parapet and gave up his job. So maybe I should do something for him. Print up a shirt, maybe they sell it for an extra five bucks, and we give him the five bucks. But then I thought, well, actually, Cisco are doing a pretty good job of marketing him at the moment, so I don't think we really need to bother on that one. So I think we'll just leave that be. Okay, so who am I? My name is Major Malfunction. Some of you will know me. I've been involved in DEFCON since DC5. I've been working in the security industry since the 70s, and I do have a proper day job where I do this kind of stuff. Now, why did I start looking infrared? Well, basically, infrared's everywhere. This talk is called old-school hacking, because when I first started talking about it, people said to me, but that's such old technology. Why would you bother looking at that? Nobody uses that shit anymore. I thought, well, I think a few people do, so I asked around, and when I talk at conferences, I check with those conferences, so put your hand up if you've used an infrared control this week of any kind. Okay, put your hand up if you haven't used an infrared control this week. Well, electricity will come to your village soon, I'm sure. They're really useful things, you know, change the TV. So it's everywhere. Everyone still uses it, and it gets used in the obvious things like TVs for tuning and master configuration, package selection, central control of billing systems in those devices. Vending machines. I found some vending machines in Amsterdam where you actually had to go to the bar and ask the guy to switch the thing on before you could use it. So cigarette machines at the back of the bar. You would go up to the bar, say, I want to use a cigarette machine and he would ping it on. I'm not sure exactly what that was all about. I guess there's some kind of fraud going on. People find out how to trick the machine. So they want to keep it under control. They also get used, at least in the UK, for setting up the pricing. So you get those multi-vending machines where you have different goods in there. They actually program which slot costs what? So potentially there's a nice little hack there. Public display signs, obviously, you can set scrolling LEDs up to do kind of wacky things. And Gower's door openers, car alarms. It's actually car alarms that I first started looking at. In the early days I had a car with an infrared control and I found that I could record the door lock and unlock codes on my palm pilot and play them back. And I thought that was pretty neat. And then I got a new car, still had an infrared control, but this stopped working. I could do it once and then it stopped. And I wanted to understand why. So I started looking at the tools to do it and I started developing an application to try and analyze what was going on with the signal and why I was having that issue. So which I called the project murder, which was the usual sort of hacker horrible pun. So I'm using IRDA and I put my initials on the front. I get murder. And I got to a point on FreeBSD where I was actually able to read the codes, but I hadn't yet started to write them back. And then I discovered Lurk. And because of Lurk, I overcame my BSD bigotry and installed Linux on my box and I've been using that ever since. So why bother with IR? Well IR is very unlikely to be replaced, at least in the foreseeable future. It's a very good technology. It's very fit for use. It's cheap. The components exist. It's very simple. When I say it's fit for use, things like TV, it's absolutely perfect. You can point it in a completely random direction. It will still bounce off the walls and hit the TV. And it's not going to change the channel in the hotel room next door to you. You start looking at putting things like Bluetooth in controls and you've then got issues of leakage into other environments. So infrared's actually a very good tool for the job it does. From a technical point of view, why should I waste my time fiddling with this stuff? Well, as a security professional, I think it's good. You have to develop a mindset that looks around you for security issues all the time. When I move into a house, a new house or an apartment or whatever, or I get a new car, for the next few weeks, I will try and break into it. I will see how many ways I can get back into my house without actually using the door key or going up to the alarm and doing what I'm supposed to do on the alarm. And it's just habit, you know, that's using that mindset or developing that mindset where you're looking for security problems all the time. And infrared, you know, you're sitting in a hotel room, there's nothing to do. There's your infrared control, there's the TV. Hotel's quite an interesting place. They're trying to sell me stuff, but they don't actually want to have staff to do it, so they rely on technology. If you think about last time you checked into a hotel, you probably interacted with one person right at the beginning when you checked in. And for the rest of your stay in that hotel, you were using automated systems, apart from the catering staff, but just, you know, you're in a big hotel, you're sleeping in the bedroom, so on. But meantime, they're still trying to sell you stuff. They've got pay TV, they've got mini bars, they've got all this stuff where they're delivering a service without actually having any staff to do it. They're relying on technology to do that. There will be security problems with technology. And those problems will have direct parallels in the internet, networking world, and, you know, within the systems themselves that some of you may be involved in actually deploying. And it's fun, at the end of the day, as you'll see, it's quite fun. So it turns out that infrared really is the ultimate in security by obscurity. You've got really simple codes. Because they're sent, you can't see them. No one can see what's actually going on. They don't bother engineering any kind of security into it. If you know the right code to send, you have total control of the box. That is it. You know, I am God, bang. I now control the box. I can do anything I want. There's no two-way authentication. There's no further pin numbers. There's nothing. They also tend to use what I term an inverted security model, where the actual control of what you're allowed to do is at the wrong end. It's in the hostile environment. It's in the environment that I control. And we'll look at that in more detail. Okay, so the simplest attack is the one I described with my car, where I could just record the code and replay it. And that also applies to garage doors. So garage door openers. I think you mostly use RF over here, but in the UK and some parts of Europe, infrared controls are still very popular. There's also little robot toys, TVs, the TVs in bars and clubs and things. And if you can record a code or you know the code, then you can affect those publicly visible devices. And if you can get a hold of special controls that do extra things on those devices, you can simply clone them. And then you have the code and you replay it, and you can do the special thing. And the kind of tools you can use to do it, Casio produced some nice little infrared watches back in the 80s, I think. Apple Newton was one of the first handheld manufacturers to actually have built-in IR that had this capability. And now you have tools like Omni Remote, which runs on any palm-based operating system that has an infrared control. It's a very neat system. You can get it from Pacific Neotech. There's the URL download that. Philips Pronto is used in a lot of those big home automation systems. So you have a control and you completely program what the buttons look like, what command they send and so on. And again, there's a lot of website resource behind that. You can download existing codes for different systems and so on. So here's our first example, RoboSapien. Last year, there was a guy here at DEFCON walking around. He'd obviously bought one of these toys and he was walking it around up and down the queues. Anyone remember seeing him? Yeah. So he was walking up and down trying to get someone to buy it. So I sat down behind him and started recording the commands he was sending. So he would walk it up the aisle and I would turn it around and walk it away from the aisle. And he would turn it back and walk it back up the aisle and I would turn it away and make it shrug its shoulders or make a rude, farting noise or something. So basically I was able to then tag it. So this is a guy at work. He owns the black car. A friend of mine owns the green car. So I put my system in the back of the green car one day when he was leaving and the next morning when he arrived. And then that evening when he went to go, he walked up to his car and he unlocked it. He unlocked it. And I locked it. And he unlocked it. And I locked it. And that went on for a few minutes. And he started walking back to the office to try and make a phone call, do whatever he had to do to sort his life out. And I unlocked it for him. Because I'm a nice guy, really. So that was that's one of the older systems. I obviously didn't tackle this problem that, you know, why can't I do that to my car? I don't know. But his I could just replay as often as I like. I couldn't actually steal his car because it turns out he has an RF as well, which disables the engine. So, okay, so that's a replay attack. Very simple attack. You have to have access to the source to see the regional signal and replay it. But what if you don't know what the original signal looks like or what the exact code is for that device? You can go and buy a similar one. But you don't know the code for the man next door. So I've got the same garage door opener as he has. Well, as I say, I found this tool, LERC, which you can download. It's the Linux infrared control project. It has some visualization tools, which I find very useful. You can send an infrared signal into it and actually visualize what's going on. It auto learns. So you just point a remote at it and it will learn all the tricky stuff for you. You don't have to do any thinking. And it produces an ASCII human readable config file, which is very important because that means you can look at it, you can read it, you can understand it, and more importantly, you can change it, which is what we're going to do. It's software only. It will work with my infrared on my laptop. Only runs online. Alternatively, you can buy an external device, which is a USB dongle. It's available for IRtrans.de. It's a much more powerful transmitter, so you can do stuff from further away. And it solves a bunch of issues. The way LERC works is it plays with serial protocols. What IRtrans does is it actually runs in native mode. So it knows how to send native infrared commands. And that will run on Linux or that other funny virus operating system. This is what it looks like. Just a little USB dongle. Okay, so for my first example, I took my garage door opener and popped it open and found there's this dip switch. And the dip switch has eight positions. So therefore there are 256 possible codes. So what I could do to get into my neighbor's garage is try every one of them. But that would be fairly dull. So I had to look with a piece of software that comes with LERC called X-Mode 2. Now what X-Mode 2 does is you point the control at it, hit a command, and it will draw for you the signal that it sees. So there's a carrier signal, which it then modulates and you get to see if it's a long pause or a short one. So if I switch all of the eight switches on, I get this. I switch them off. I forget that. If I switch number eight on, this one pops up. Number one, that one. So I can see where the pattern starts and ends. It's obviously just a very simple one-to-one relationship between the switch and the pulses. So I concluded that I have a start bit, eight data bits, and four stop bits. So now I train LERC how to just duplicate a code or a couple of codes. In this case, I would only need one. Because what I'm looking for is to see how that code is represented. So LERC basically, this stuff is to do with timings and carrier frequencies. This is the actual code that's being sent. So for a particular switch position, it will give me a particular hex value. So I know the hex for one command. So it's not that hard then to write a little script that produces a hex for every possible command. Which I do. And then I write another little script that spits out each command. And it took 54 seconds to send all 256 possible codes to my garage door. So here I am down in the garage. I'll stick the laptop down, fire it up. A few seconds later, bingo, door opens. Now what was surprising here was, I knew the code was actually quite far up in the range. I thought it was going to take 45, 50 seconds to go. What actually happened is it went within about the first five seconds. So I thought, okay, well, maybe there's a factory back door in here. The manufacturers have actually got a code that just always works. And that's the only code I'm going to have to send. Actually, it turned out that what had happened is the building management had run out of controls. And they'd gone back to the company that sold the original system and then said, we need more remotes. Companies say, oh, that company's gone bust. We can't sell you any. You have to buy a new system. So they engineered into the system a second reader. So we have two readers here. So this reader, which is 100% compatible with that reader, has been engineered in so that another bunch of remotes can send 100% compatible codes and open my door. So stupidity. They didn't bother to actually check. Or maybe they just set the switches wrong. They couldn't get the thing to work, but whatever. They wasted a lot of time and money putting that system in. You'll notice there's a security camera here. So while I was doing all this and fiddling around and opening garrosh doors without keys, you know, presumably someone was recording that video and watching me. So I got a visit the next morning from security. No, of course not. If you have security, at least pay attention to it, guys. Okay, so hotel TVs. I thought, if I can do this to a garrosh door, maybe I can do it to a TV system. So I need a TV system that actually does more than simply changes channels. So I had to look at a hotel TV system. And this is one of the examples where I say we're running an inverted security model. The TV is controlling which content I get to see. The hotel, in most cases, is streaming content, basically all the content without any control. The TV itself filters the content. When you actually select a channel to look at that content, there's no further authentication required. If I can persuade the TV to go and look at a channel I'm not supposed to be looking at, that's it. I just send the command and I can have it. The content itself isn't wrapped in any kind of encryption, unlike satellite TV, where they expect you to be able to receive it, even though you're not a subscriber, because it's a closed system. They don't need to. It's entirely within their own building, it's their own backbone. They control who gets to see what on that system. Also, they think. Okay, so if the system's broadcasting stuff, presumably, you can just plug in another TV, tune yourself in and watch whatever you want on any channel, but humping a TV around is a pain in the arse. So instead of that, we have these little USB dongle thingies. So I plug this one in, this is in line with the back end. And on the master TV, I'm getting the content they expect me to see, the master menu. On this one, I've got another channel because I've tuned to another channel. And if I flick through the channels, I find there's various other bits of content. This is all just system messages. Occasionally, I came across these strange screens where they were seemingly putting up an advert for something, which is an advert no one's ever going to see, because none of the official channels actually look at this. But what was most interesting on there is there's a URL. This is the company that makes the thing. If I go to that URL, there's a load of technical documentation. So this PDFs tells me how the systems work. What else I might be looking for when I start looking at these things? What new features they're putting in? Which hotels they've put them in? So you spot a feature you're interested in. You can just go and look at their client list. They're testing that over here. Let's go and stay there for a night. Some of the things they're thinking of putting in are truly scary. Webcam in your bedroom. Now, why would anyone want ... No, okay. Don't answer that. Think on it. And of course, they're broadcasting premium content. So this is a pay movie that I'm supposed to have paid for to watch, which I can watch on my tiddly little screen here. Or I can route it back out and into the skirt and watch it on the TV. Okay, that's fine, but that's just looking at the back end content. We haven't actually got control of the system, but we've proved the concept that there is stuff on the back end, which we can get to. So I started looking at the actual remote controls. Can I do the same trick that I did, brute forcing my garage door to the TV remote? What I found is the codes are much more complex. They're much bigger. They have more bits. And the reason they do that is because they group them. You have manufacturer collision avoidance, so you have multiple remotes in the same environment. You don't want them interfering with each other's devices. So you have a preamble that says I'm a Sony or I'm a JVC or whatever. You may have a remote that controls the TV and the video from the same manufacturer. So you have different groups for that. And you have standard groups versus extra groups. So Phillips may make a TV that they sell to hotels and to home, and you have different sets of controls for their different environments. There's also this interesting group here, the hidden group. This is what we're looking for. So this is what they look like. As you can see, it's a much longer code. It's much harder to emulate or guess. So in fact, when I looked at it, it turned out to be a 14-bit code in this particular case. Now unlike a Gower's door, when I test these codes, excuse me, I need to watch, I need to actually pay attention because something will happen. And then 10 seconds later, I could send another command that cancels that and does something else. So unless I'm actually watching each command as it plays out, I may miss the event. So Gower's door, I can just leave it running, wait for it to pop. This I actually have to spend time on it. And it turns out I need to take about two seconds per code to have time to react and watch and let the code settle down, not be interfered by the next one, which would be nine hours to test the whole system. And I found that out the hard way because one night in Amsterdam, after a conference, back at my hotel room, and I'm playing with this stuff, this was in the early days when I was just figuring it out. Next thing I know it's five hours later, it's one o'clock at night. I've just spent the only night in Amsterdam playing with hotel damn TVs. Coffee shops are closed, and I really fancied a cup of coffee. So I thought now I have to fix this. I need to reduce the time it takes to do this stuff. So I tried to find a way to reduce the search space. So basically that meant looking at what bits are being used in the codes. So if I take each of the codes in turn, not to nine, and I look at which bits have actually been either set to one or toggled from zero to one or one to zero, I work my way through them all. Basically just try each one, organize them in such a way that I can see what's going on. Finally get to the end, and I'm down to, first two bits are used, got four bits I've never seen change here. And the last eight bits is the actual code. So I want to reduce that further. That's not enough for the result. So what I do is I take a single command, doesn't matter what commander is, in this case I took the power command, and I start toggling bits. So if I toggle the first bit of the power command from one to zero, and I send the command again, and the command succeeds, then I can assume that bit is not actually used, it's ignored. In this case the command fails, so I know that bit's important. This one worked, so that bit's ignored. And in fact, all three, those three were ignored, that one failed. So I now know I've got a total of 10 bits I have to care about. She gives me a thousand codes, which is about half an hour, so I can live with that. So I spit out a bunch of conflicts which have all the possible codes. In this case I did them as four groups, because I couldn't, I really couldn't figure out how to do 14 bit fields in Perl, so I did four sets of eight bit fields with a leading. And then I spit those out, and I run those and I watch what happens. And sure enough, I find a load of really interesting stuff. This one in particular. This is the God Code, Bingo, it's a game in England. Bingo, I've won. Okay, so the kind of things you do with hidden codes. The internal, the housekeeping staff use them for daily things, like setting what they've done to the minibar. If they've cleaned the room, they'll set a status report so they don't have to fill in forms and report at the end of the day. The hotel actually has real time information as to what rooms in what state. You've then got some one off tasks that the engineers use if they're having problems with the TV or they're first setting it up. And some debugging information. Okay, so one of the first things you can do is you can start to reconfigure the TV. You can change the messages. So when the TV gets switched on, comes up with a welcome message or a channel message, you can assign the TV to another room. You can assign channels that are now free, that used to be paid channels. And you can find channels that just simply don't exist on a normal TV. So here's an example. First thing any good hacker does is tag his TV. So now when you switch the TV on this room, that's what comes up. And if you can find it, I'll give you some really cool prize, some bit of Def Con swag. Same thing in Amsterdam. Or you can change a big banner that comes up when you turn the TV on. So this is not only owned, but it's really owned. I've locked it. No one else is going to use it. Actually, I unlocked it before I left, of course. Just testing. This is for security, you know, for research purposes only. Don't go home and abuse this stuff. Kids. And I try and, you know, tip the hat to conferences I go to. Okay. So one of the other things you can do is change the filtering on the TV. Most broadcasters these days, they actually send a signal to say what the certificate of the film is that they're sending. And so responsible hotels, if you check in with children, they'll put filtering on the TV so that you don't get inappropriate content. So if you're a sensitive character like me and you walk into an environment like this and everything's just coming through, they're not filtering anything, then you may want to take the matter into your own hands and deal with it. So now only the good stuff comes into my room. None of that sports and use crap. You can also just start to look for these invisible channels, back end systems that may be leaking information. So fairly simple test signal. They obviously use that for just tuning the TV in. Actually, it's more interesting that these numbers, they usually are something other than zeros. And there seems to be some strange correlation with them becoming zeros and the minibar billing stopping to happen. I have no idea why that would be. You get some debugging information. Again, there's some weird numbers that I don't know what they are, but it says code. So that's got to be interesting, right? I think most of it signal strengths, things like that. Occasionally I'll even interrupt a good movie to do this stuff. Sometimes you find stuff that really, you know, it's quite interesting. It shouldn't be there. I shouldn't be able to find information like this. So I know I'm running some kind of DOS environment and I've even got an IP address. So there's obviously some kind of computer back there. Maybe I can talk to it. Maybe I don't want to talk to it. Strange. So we've got a web server back there too. That looks fairly harmless, so I've got an object not found page. Big deal. Actually, see how my mouse moves? Turns out the up-down left right buttons did the same thing to this one. So I poke around a bit. I get another not found page, but it gives me a nice helpful message. Actually, this pops up a bit after that first page. So it gives me a link. So I click on it. It gives me another link. Microsoft helpfully suggests if I'm not getting what I want from this system, perhaps I should go to the home page, the system that served it. There's my IP address, which is a link, and it sends me here. What is that doing on the back end system on a TV? No idea. And I resisted picking up the keyboard and playing with it, obviously. Nothing further to see here. Move along. Oops. Who left that lying around? So, yeah, I can move around. I can click on icons. And when I click on them, things pop up and they kind of do things and they launch. So I thought I'd be, you know, I found this stuff, I'd be friendly and helpful to a bit of tidying up while I'm here. They hadn't defrag for ages. Didn't like the color scheme. This is a CD that was in the CD drive. And I just love this comment here. So any copyright enforcement officers in the building? Okay. So what else could we do? We could change the status of things in our room. Minibar. Oh, dear. They're all zeros. You might not want the hotel staff coming in and finding all these empty bottles all over the floor. So you can DOS your room by setting it to clean. They never bother you again. I've even found things which the vendor who built the system obviously put that in, but the hotel hadn't paid for the full package. So for example, on this system, we can watch movies. We can play with a PlayStation. We could look at some hotel information, whatever. And that's it. But in the background there, there's an internet connection. This screen was not available by any other means. There was no way to officially get to it, but it was a fully functional internet connection. So it was hooked up to their back end. It was using their internet connection, which they probably use for the hotel. And this was real content. If I clicked on those links, I could start digging down further and actually using Squeak's technique to then tweak HTTP URLs and things and basically find a way to get to a search engine, whatever, and then get out to the outside world. Sometimes you can actually control physical devices. This is a mini bar. This is a red light that says it's locked. That's the beer I was going to have before this happened. So that was motivation to find the unlock code, obviously. We can see what other people are doing. And we can do that because you often see this message. You choose something, premium content, whatever, and it will say, please wait, we're assigning another channel. And so what they're doing is they're going to broadcast the content, and then they're going to retune your TV to that channel, which only you can watch, obviously, because they control the TV, right? So do I. So this guy is, obviously, he's watching a film. He's interested in mountain dwelling women or something. It's harmless enough. OK, he's watching a movie. But what if he's browsing the internet and he goes to his web mail account and he reads his mail and he replies to his mail? Maybe I should help him with his spelling or something. But OK, so I can also assign the TV to another room. One of the interesting things you can do in your TV or on your TV in your room is look at your bill. So we choose account status. It looks up my name and there's my bill. Is that strange round number appears again? So the reason it can show me my bill is because it knows that this TV is in my room and it knows that because it has an address. In this case, it's A161. So if I change it and it's now A162, I'm looking at the bill of the guy next door. Wow, look at all those room chargers. What the hell's he been doing? His mini bar's probably empty. He's watched every pay peak TV movie in the place. He's been having a while time. I'm guessing when he goes down to check out, there may be some discussion. And I'm a busy professional. He's probably a busy professional. I have a big heart. You can probably tell that. So I figure I'll help him out and send him on his way. If I can do that for one room, I can do it for all of the room. So I have a little shell script and I have a little tripod and a digital camera. And when I turn up in a hotel and I go to bed and I get up the next morning, I have a little page like this. Yes, it was me. I did spend the night in Paris Hilton Grove. So that page gives me a little thumbnail of every room in the hotel. Who's staying where? Who's staying with who? Where they've been calling? All kinds of stuff. Which rooms are empty? Which are full because you get different messages. So by the time I'm done, I know the percentage occupancy of the hotel. I know who's there, who they're with, what they've been eating, drinking and viewing, where they've called and how long they've been there. Pretty bad. OK, now the good stuff. This is what you all really came for, right? Pay per view. So there seem to be two different kinds of TV pay per view. There's the ones that you actually choose a film and it gets played for you. And there's ones that just play in a cycle. And when you choose the film, you get tuned in. There's various different ways they control this stuff. One of them is they send a blocking signal. So in this case, we've been scanning. We found a channel. We've got the sort of cheesy 70s music. We think we've hit pay dirt, but it's being blocked. So I found a command that unblocks it. So just a boring old documentary from the 70s. Alternatively, you could just retune all the channels. So you don't have to search for individual ones. So we also program. I'm sorry, it's a bit blurry this picture. Seems to be one of the sort of fundamental issues with this kind of research. It's just not possible to get a good picture one-handed. And there's that educational channel you've been looking for. And like any good hacker, you tag it for them. Now, if all that seems like way too much trouble, they have this great feature called a Barker channel. Barker channel is what gets what comes up when you first turn the TV on. So, oh, it's changed. So that's infrared. Other things I've been looking at recently, back to the old car alarms, those central locking systems. They've started using RF. Gower's door openers over here use RF. I think it's going to be a carrier change only. The codes will be the same. They're just using RF instead of infrared. Some interesting things with hotel safes while I was looking at hotels. We'll come to that in a second. Car alarms, I've already found that the existing RF systems often have very simple reset codes. The reason they do that is so their engineers can unscrew a car if you get locked out of it. And I found this out because my wife phoned me. It was actually after Defcon a few years ago. A few of us were sitting around decompressing, having a beer. I get a call from my wife saying, oh, you won't guess what happened to me. I got locked out of the car in this really bad part of town with loads of shopping. It was getting dark. I had like three kids, not all mine, three kids with me. And I couldn't get in. I phoned the garage. They said, well, it's going to be two hours before we can get someone out to you. So she explained the situation. Single female in a bad place. They said, OK, we're not supposed to tell you this stuff. But this is what you do. So you can imagine my first question is, are you all right? No, my first question was, you did write down the code, right? And being a good hacker's wife, she said yes. And got a round of applause from the goons around me. So she gave me this code. A few weeks later, I was driving with a friend and he's in a rental. And we have to drop it off on a garage forecourt. And I noticed that he had the same remote as my wife's car. So I'm like, well, hang on a second. Let me just try something. Do the code. You don't want to know what 50 cars opening their doors at the same time sounds like, especially when you're not supposed to have done it. By this time, we were running down the road. Turns out that hotels, when you forget your pin number that you put in, they come with, guess what, an infrared dongle. So don't have a hack for you for this one, but I'm looking into it. This is a great device. TV be gone. Who's played with these? Yeah, a few people. Very cool device. Press a button and it sends every known off signal. So press the button once and just wait. And the TV in the bar that's irritating the crap out of you. So playing sports is going to go off. So I cracked one open and had a look and it's a simple development chip. The guys who sell it sell a system where you can very rapidly develop applications that use it. So I thought I should come up with one of my own. You'll notice the happy smiling face here. I'll just flick between the channels for you. One button and it's owned. So I might work on that. That's it. Any questions? Yes, sir. I've seen some of the new modern systems and I haven't seen any better controls into the question was will modern systems fix this problem? The newer systems I've seen still have the exact same problems but it's actually worse. They're starting to do things like allowing you to put credit card details in through your TV. And as I said, webcam, stuff like that. So the potential for abuse is actually getting worse. Yes, sir. The question is have I played with street signs? The big, big screens in Vegas? It's very likely the very systems I'm talking to, the desktops I'm talking to, are probably on the same network as the systems that are controlling those signs. Just a thought. Can I tell you what the code are? Codes are. I think you should work for that. I spent nine hours in a room in Amsterdam. Oh, the car, for the car. It's actually very simple. All you did was take the battery out. Press the unlock code 10 times slowly. Put the battery back in. I think that was just to discharge any capacitance that was in the system. And then again, press the unlock code 10 times very slowly. And I think what's happening is it's saying to the car, I'm a brand new remote. You're a brand new car. Let's party. Any other questions? Question was are you able to get phone records? It depends on the hotel. Different folios show different detail. OK, last question. There isn't one. OK, our last one. Do I have any literature? I don't have any with me, but I'll get the slides put up on the DEF CON site so you can view them. So that's it. Thank you, Major Malfunction. We need everyone out those doors, not the doors you came in. Those doors. We have a big line for the next presentation on war driving.