Hey, how's everybody doing? So, just a quick survey. Who here likes hacking? Who thinks hacking is interesting? Yeah? Two people? All right. How about who thinks guns are kind of interesting? Oh, yeah. Anvil? All right. How about hacking guns? Any interest in that? Can I hack some guns? Good. That's what we're going to talk about today. We're going to talk about popping a smart gun.

So what is a smart gun? A smart gun would be a gun that can be fired only by an authorized user. I think that a lot of the mentality around smart guns has been shaped by Hollywood, in particular the movie Skyfall. This is a Bond film from a couple of years ago. In the film, Q gives Bond a modified Walther that is somehow associated with Bond's grip, some sort of biometrics. In the movie, Bond can shoot the weapon, but when the assailant gets the weapon and tries to shoot Bond, it doesn't work. And then the assailant gets killed by a Komodo dragon or something. But anyhow, we're a little ways away from that for now. We do have several smart gun models in development that are biometric based, so these would be things like fingerprints or palm prints. We also see ones that use things like magnetic rings, and then things like RFID and RFID wristbands, that sort of thing.

Now, there's a lot of controversy around smart guns, and this is largely due to a New Jersey law that was passed in the early aughts. This law said that three years after the first smart gun becomes available at retail, only smart guns can be sold in New Jersey. Gun people were a little upset about this, thinking that they would no longer be able to buy non-smart firearms. As a result, they started to protest when gun stores discussed even carrying smart guns, up to the point of people getting death threats and that sort of thing. Now, I'm not really that extreme. I think that if you want a smart gun, you should be able to have a smart gun. I like guns.
I like shooting guns: rifles, pistols, shotguns. I think that if you've never shot clays with a shotgun, you should give it a try. It's fun. I do think that if you are going to buy a smart gun, you should be able to get what you're paying for. You should be able to match what's on the label. And also, you should be able to buy a smart gun, but not be limited to only smart guns.

All right. So if you do care to buy a smart gun, the only one you can buy in the States right now is the Armatix iP1. This is a fully from-the-ground-up smart gun design. It's not a modification of some other model, and it's made by a German company called Armatix. It's a .22 caliber semi-automatic, straight blowback action, hammer fired, holds 10 rounds, takes two AAA batteries. So, you know, have batteries for your gun. You don't want to have that run out. It has two components, the pistol and the watch, and the way that it authenticates its users to see if they're authorized is by communicating with the watch.

To give you an idea of how that's supposed to work: the user would put the watch on the wrist, then enter a PIN on the watch, and then select a period of time between about one and eight hours. During that period of time, the watch will allow the gun to be fired. So during that period of time, you might draw the weapon and go shoot something, and you would squeeze the grip; you squeeze the back strap on the pistol. When that happens, the pistol will signal the watch, and the watch will check to see if it's authorized. If it is, it will send a token to the pistol. The pistol will say, yep, I'm here, and the pistol will allow itself to be fired with that token from the watch. That only works if it's within about a foot. So it needs to be within about 25 centimeters, or a foot, to work like that. So let's see how this works, with the caveat that this is not my computer.
So, we'll see. The first thing I'm going to show is two videos. The first one is if you don't have a watch on. Oh, hold on a second. Yep, nope, hold on. Hold on. There we go. In case you weren't aware, they were having AV difficulties in this room all day. All right, so here's what happens if you try to fire the Armatix iP1 without a watch on. What you'll see is that when you pull the trigger, the hammer will fall and the gun will just go click. Nothing will happen. All right, so that's without the watch. Now, the normal operation with the watch is, you pull the trigger and it goes bang. All right, so pretty standard. That's how it's supposed to work.

So last year I spoke at DEF CON about side channel attacks on high security electronic safe locks. That happened and it went well, and I cracked some safe locks and that was great. Then I was looking for what to do next, and I thought back to this thread. This was a thread on a very pro-gun forum about a review of the Armatix iP1 back when it was released around 2015. The people in there were kind of mocking it. One person in particular, this guy named Skyhawk, said, yeah, could you imagine what the guys at DEF CON could do to the iP1? And so I thought, well, I'm a guy at DEF CON, I guess. So let's see what happens here. I got one, and I thought, ah, I wonder how hard it will be to hack. Big, good challenge. And then I hacked it three ways. We are going to show all three of these today.

The three hacks were, first, to defeat the proximity restrictions. So instead of being within a foot, you're now able to extend that range significantly. Secondly, to be able to prevent the weapon from being fired even when it is otherwise authorized. And third, to fire the weapon without authorization.
So, the first of these, the proximity restriction, is normally 25 centimeters, again, about a foot. To understand what this is, we have to look at how the pistol communicates with the watch. It does this on two different bands. One is in the 900 megahertz ISM band, and the other is down at 5.35 kilohertz using inductively coupled communications. So you have two coils, essentially. One is in the pistol and one is in the watch. When the pistol wants to signal the watch, it will generate a carrier at 5.35 kilohertz that will be coupled through from its coil to the watch's coil. That looks like this: if you hook up another coil to an oscilloscope and place it near the pistol while it's attempting to signal the watch, you'll see something like this. It's a 5.35 kilohertz burst for about one and a half milliseconds. It carries no information on its own; it's just a pure carrier. All this does is signal the watch that it wants to communicate on the higher 900 megahertz band. Now, critically, this is how it knows that it's close to the watch, because the coupling only happens within about a foot. It falls off much quicker. It's not a propagating wave or anything.

So I thought, well, that sounds like we could just make a classic relay attack. So I whipped that up. This is a block diagram of the device I made for that. To walk you through it, there are two parts to this device; there are two devices, rather. One goes near the pistol and the other goes near the watch. On the pistol side, you have a tuned coil, tuned to 5.35 kilohertz, and the coil there listens for the signal from the pistol.
When the pistol has its backstrap squeezed, it will generate a 5.35 kilohertz tone which will be coupled into the coil, which will go into a band-pass filter, an amplifier, go to the microcontroller, and eventually make its way into an nRF24, which is a nice little 2.4 gigahertz transceiver. Really easy to use, cheap, all that. That trigger is transmitted over the 2.4 gigahertz backhaul to another 2.4 gigahertz device, another nRF24, which goes to another microcontroller, and this time goes to a coil driver. So essentially it's going to transmit at 5.35 kilohertz into another tuned coil, a tuned LC circuit, an LC tank. From there, that couples into the coil in the watch. The watch receives that signal, thinks, hey, I'm talking right to the pistol, and generates the token meant for the pistol to authorize it for firing. That gets transmitted back in the 900 megahertz band. Now, the 900 megahertz band has a true propagating wave, so it gets much further than the 5.35 kilohertz would, so it can go directly from the watch to the pistol, at least about 3 meters. So you've extended the range from about 25 centimeters to about 3 meters.

All right, so the hardware itself is pretty simple. I built the red boards down there, whipped up in an afternoon. Not too hard. The way I designed it is to have the hardware be reusable for both the pistol side and the watch side, and just populate different components to enact the different functionality. Those nRF24 little receiver boards are great, and they're super cheap. They're like 5 bucks a piece off of Amazon. So if you're looking for something like that, that's great. I used a little PIC16F18324 microcontroller. It's like less than a dollar, super capable, love that too.
And circuit boards also. Man, circuit boards are cheap these days. You can get those from China for nothing. I just whipped up a design, sent off the Gerbers, and a week later they're in my hands, and it's super cheap. It's amazing. So 20 bucks for the custom hardware for the relay, and I wrote some firmware for it and all that.

All right, so let's take a look then at what the relay attack looks like. Okay, so a little bit of context here. What I'm doing right now is I'm picking up the pistol, and I don't have the watch on. You'll notice the watch is down at the bottom, on the table. Make sure you can see, yeah, on the table. It's well out of normal range. It's about 3 feet away when I go to shoot it, and as a result, when I pull the trigger, it's just going to go click. So we'll see that happen. All right, so just click. Now what I'm doing is I'm taking one half of the relay, the part that goes near the pistol, and I'm going to hold it up to the pistol. You'll see right next to the watch on the table there already is the other half of the relay, and that's going to communicate that trigger signal to the watch. So when we hold it up to the pistol and pull the trigger, this time it goes bang. So there we go. Defeated the range restriction with a relay attack, classic. Thanks.

Now, part of the reason why this works is because it has very lax timing requirements. With the system I built, it actually tolerates at least 630 microseconds of delay, and that's kind of surprising. I was expecting a much tighter timing requirement.
But here, in this screenshot, you can see the blue trace, which is when the pistol is transmitting its normal 5.35 kilohertz tone, and then you have the relay-generated tone down below, and that is separated by about 630 microseconds, and it seems to handle that no problem. So one of the things you could do to improve on this is to really enforce tighter timing requirements. With the distances involved here, like a foot, I'm not so sure that you're talking about sub-nanosecond times for the speed of light, but you could at least tighten things up in terms of tolerance. If, say, it had tolerated a microsecond of delay, that would have been much harder to mount an attack on. An even better approach would be to not rely on RF at all. If you need to sense proximity, you might want to use something that has physical contact. It ends up being a tricky problem, actually applicable to a lot of industries. You'll find this a lot with cars, for example, and you'll see other talks, including here at DEF CON this year, where they talk about relay attacks in other contexts. So a classic relay attack is kind of a hard problem to defend against, but it still requires you to have access to the watch, and that can be kind of tricky, and you have to have contrived scenarios where that would be relevant. But I got to build some hardware and write some firmware, so I was pretty happy about that.

So the next attack is denial of service. This is when you want to fire the gun and you are authorized to fire the gun, but you can't fire the gun because of some external influence. You can imagine a couple of different scenarios here where this might happen.
Perhaps an adversary wants to prevent you from firing your gun, or perhaps there's somebody who, say, doesn't want any guns fired within an area, or perhaps it's not intentional at all. Maybe it's just somebody's grandmother blabbing on the cordless phone, and nobody knows why she still has a landline, but it's there. Or maybe a baby monitor. There are actually a lot of devices that operate on this 900 megahertz ISM band, and a lot of them have modulation schemes that will potentially interfere with what the iP1 uses.

To test against this, what they should be doing during development, prior to releasing this product, is what's called EMC testing. This is electromagnetic compatibility, and this tests for two things, especially for Part 15 devices like this. One, you want to make sure that this device doesn't interfere with another device. And two, you want to make sure that other devices don't interfere with your device, to the extent possible anyway. One of the great things about this testing and FCC certification is that you can go look up all this information online. It's all public record. So for all these devices that have FCC IDs, you can go to the web and enter in that FCC ID and pull up all sorts of useful information about the bands that the devices operate on and things like internal photos, sometimes schematics. Fortunately for this one, it had just a wealth of data in the FCC's certification database, including some great photos of the inside of the pistol and the watch, which is useful because it's otherwise potted in epoxy, and I would have had to kind of destroy the gun to extract it. That showed the transceiver that they use. They use a transceiver from a company called Murata, now part of RFM. It's the TR-1000. This transceiver operates at 916.5 megahertz.
It's a fully integrated transceiver, but it's not too advanced. It supports on-off keying and amplitude modulation, which is amplitude shift keying. When you want to transmit data, you would feed it a bit stream, a baseband signal, and when you're receiving data from it, you receive essentially a simple bit stream. But it isn't decoding it down into the packet layer or anything like that.

So to understand what it gives you back on the receiver side, which is then to understand why we can attack it, I'd like to explain a little bit about how the iP1 encodes data. This is Manchester coding. Manchester coding is all about the edges, about the transitions: from low to high, that'd be a 1, and from high to low it would be a 0. It has some great aspects. One is that it has a zero DC value, so that simplifies a lot of design. One thing, though, is that you have to have a good slicer level to decide what is high and what is low. If you have the slicer level set incorrectly, you might miss a transition, and then you lose a bit, and then of course your data is corrupted. So here's kind of an example of that. In the top, we have a slicer level that's set sufficiently, and even though our second little rise there is a bit of a runt pulse, it still gets high enough above the slicer level that we can see that edge and decode the bit stream into 1, 0, 1, 1. In contrast, in the bottom, the slicer level is too high and we miss that transition on that runt pulse. It goes high, but not high enough, and we totally miss that bit. So we are not able to decode that bit stream successfully in that case. So with that background in mind, here is what an actual authentication token from the watch to the pistol looks like.
It's 19 bytes long, and you can see each of the individual bytes grouped in these little jagged bursts. Most of this data is a combination of constant and static data. About half of it is constant, half of it is dynamic. The dynamic data contains a time-dependent token, and that will allow the weapon to be fired. They have to have synchronized clocks. And then, importantly, it has a checksum. There's a checksum, not a CRC, and notably it's not an error correcting code. All it can do is detect errors; it can't correct them. If it detects an error, it will retry about 400 milliseconds later. Or rather, if the pistol doesn't ack the watch, the watch will retry 400 milliseconds later. But if both of those are corrupted, then you're kind of up a creek.

So I looked at that for a while, and I came up with what signal it would be most susceptible to. This is pulsed data. This is a view of it on a spectrum analyzer set to a zero hertz span. This is a way to make a spectrum analyzer behave in the time domain instead of how it normally operates, which is in the frequency domain. It can be pretty useful. The baseband signal I found to be useful has a 33 microsecond period of carrier followed by a 300 microsecond period of no carrier. So the full period then would be 333 microseconds. If you're saying, well, where do those numbers come from, that seems oddly specific, the answer is the 33 microseconds is about one bit width in the token being sent from the watch to the pistol, and 333 microseconds is a little bit shorter than one byte width, or one byte period. So if you overlay those two, you can see that the very steady repeating pattern is the test signal, and the smaller pattern is the token from the watch.
And if you overlay those, you can see that the test signal happens to hit at least once in every byte. That's important because of the different ways that this test signal can interfere with the signal from the watch, the desired signal. We have three different scenarios regarding relative signal strengths.

First scenario: the interference is much greater than the signal, much stronger. What will happen in this case is the TR-1000 will set the slicer level to a point 6 dB down from the peak of a recent signal. It does that automatically. One of the things that even the TR-1000 datasheet notes is that it will do that incorrectly in the face of pulse interference. So we're making some pulse interference and setting that slicer level incorrectly. What will happen then is we have our slicer level way too high, and it's well above all of the desired signal. So we totally miss all the transitions in the desired signal, so we totally miss all of the bits in that signal, and so we don't get the token.

The second scenario is when the interference is roughly the same as your desired signal. In that case, the interference will fill the gaps in the signal, because again, we have this pulse happening about once per byte. What will happen then is you're filling in gaps, so you are causing missed transitions again. You're still seeing some of the transitions, because the slicer level is set correctly this time, but since Manchester encoding relies on those transitions and you're filling in the gaps, it sees no transitions and so you lose those bits again. As before, if you lose even one bit, you lose the entire byte. You lose the byte, you lose the packet, and the token is no good. And the gun does not fire.
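The slicer-level failure described in the two passages above, both the runt-pulse figure and the "6 dB below the recent peak" behaviour, is easy to reproduce on a constructed waveform. The following is an added example written by the editor, not code from the speaker or from Armatix. The sampled waveform, the 8-samples-per-half-bit rate, the runt amplitude of 0.55, and the rule "slicer = half the peak amplitude" (6 dB in voltage) are all assumptions made for illustration, not measurements of the TR-1000.

```python
# Added example (not the speaker's code): Manchester decoding with a fixed and an
# automatic slicer level. Waveform, sample rate and the "6 dB below the recent
# peak" rule are constructed assumptions for illustration.
from typing import List, Optional

SAMPLES_PER_HALF_BIT = 8  # assumption: 8 samples per half-bit period


def manchester_encode(bits: List[int], runt: Optional[int] = None,
                      runt_level: float = 0.55) -> List[float]:
    """Build a sampled baseband waveform using the talk's convention:
    bit 1 = low then high (rising mid-bit edge), bit 0 = high then low.
    Bit index `runt` gets a weak high half, i.e. a runt pulse."""
    wave: List[float] = []
    for i, b in enumerate(bits):
        high = runt_level if i == runt else 1.0
        halves = (0.0, high) if b == 1 else (high, 0.0)
        for level in halves:
            wave.extend([level] * SAMPLES_PER_HALF_BIT)
    return wave


def auto_slicer(wave: List[float]) -> float:
    """Slicer set 6 dB below the peak of the recent signal, i.e. half the peak
    amplitude (assumed behaviour, loosely modelled on the talk's description)."""
    return max(wave) / 2.0


def manchester_decode(wave: List[float], slicer: float) -> List[Optional[int]]:
    """Slice the waveform at `slicer`, then read the mid-bit edge of each bit.
    Low->high gives 1, high->low gives 0; no edge means the bit was lost (None)."""
    sliced = [1 if v > slicer else 0 for v in wave]
    bit_len = 2 * SAMPLES_PER_HALF_BIT
    mid = SAMPLES_PER_HALF_BIT // 2
    out: List[Optional[int]] = []
    for start in range(0, len(sliced) - bit_len + 1, bit_len):
        first = sliced[start + mid]                          # middle of first half
        second = sliced[start + SAMPLES_PER_HALF_BIT + mid]  # middle of second half
        if (first, second) == (0, 1):
            out.append(1)
        elif (first, second) == (1, 0):
            out.append(0)
        else:
            out.append(None)  # missed transition: the whole byte is now unusable
    return out


def demo() -> dict:
    """Reproduce the slide: bits 1,0,1,1 where the second rising edge is a runt."""
    wave = manchester_encode([1, 0, 1, 1], runt=2)
    return {
        "slicer_ok": manchester_decode(wave, 0.5),        # [1, 0, 1, 1]
        "slicer_too_high": manchester_decode(wave, 0.7),  # [1, 0, None, 1]
        "auto": manchester_decode(wave, auto_slicer(wave)),
        # a stronger pulse inside the peak-tracking window drags the automatic
        # slicer up to 1.0 and every edge of the weaker signal disappears
        "auto_after_strong_pulse":
            manchester_decode(wave, auto_slicer(wave + [2.0] * 8)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `auto_after_strong_pulse` case is the first scenario above in miniature: nothing about the wanted signal changed, only the peak the receiver uses to place its slicer, and the decoder reports every bit as lost. A receiver that tracked the slicer on a longer window, or on the median rather than the peak, would be far less sensitive to one short strong pulse.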
The third scenario is when the interference is somewhat less than the signal. One kind of strange aspect of the byte stream that you could see in some of the previous slides is that there were gaps between each of the bytes. You can see that it's like bursts, and it looked oddly separated. What will happen if this interfering signal is low and happens in between those bytes is you'll interfere with the synchronization of the bytes. The TR-1000 will be tricked into setting the slicer level a little bit too low and think that the byte is starting, and you'll get this corruption again in the bits because your timing synchronization is off. As before, you lose the bits, you lose the bytes, and you lose the token.

So I experimented with all this using some lab equipment, using a signal generator and an arbitrary waveform generator to hone in on what was the right waveform, and from that built a test transmitter. It's very simple. I didn't bother with a circuit board this time; I just built it on some strip board. What I used here was actually the same module that they used in the pistol and the watch. It's a Murata TR-1000 again, driving that with another little PIC16F for the baseband signal. So that drives the transmitter, and the transmitter drives the antenna, and we get a portable little test transmitter to simulate what would happen if you had either an adversary or just unintentional interference, again, like a baby monitor, or this one potentially. So that works actually really well. It'll do at least three meters, up to about 10 meters. Three meters rock solid. And this is just at Part 15 sort of output levels. It works kind of reliably at up to about 10 meters. It depends on the relative orientation of the watch and the pistol and the transmitter and so forth.
But the bottom line: at least three meters of rock solid interference. It was kind of surprising that it worked, because they should have caught this sort of thing, again, during the EMC testing, when they were testing for susceptibility to external devices, external fields, and so forth. So let's look at the denial of service attack. Okay, so what's going to happen here? I'm going to fire it normally. All right, so the gun fires normally. Now what I'm going to do is go over and take out the transmitter and turn it on. This is the same transmitter that I was just showing. I'm going to try firing it again, and it doesn't fire.

So that was kind of interesting. What could they have done to defend against that? Well, one thing would have been to use more transmitter power. From the EMC report about the pistol, and my own direct measurements, I found that they were transmitting at about minus 20 dBm, which is in round numbers about 20 dB below the Part 15 limit. So, holding all else equal, they could have used a lot more power, but they chose not to for some reason. An easy software fix, well, I mean easy, but a possible software fix, would be to use error correcting codes. Right now, you have a single bit error and you lose the entire token. You lose the whole auth. If you had error correcting codes, you might be able to tolerate more bit errors, and as a result, be able to get the token that authorizes firing through without failing. And then, of course, using more robust modulation might be another approach. Instead of on-off keying and amplitude modulation, maybe consider something like spread spectrum, something that is inherently more immune to interference. Plus, with spread spectrum, you can use more power in the 900 megahertz band.

All right. So I had thought about the third attack.
So this would be how to make the gun fire without authorization. I was considering all sorts of interesting angles on it, and I was thinking, oh, how can I decode the tokens from the watch, and how can I, maybe it's like a replay attack, or maybe I can just generate my own tokens, or maybe there's some sort of side channel attack, or something really sexy. I mean, I was going for really technical and sexy, and I was really gung-ho about that, and yeah, making a little bit of progress, but not as much as I was hoping for. So I took a step back and pulled up some patents that Armatix had filed, and it turns out that they had done a pretty good job of explaining how the gun works in their patents. Kudos to them for filing a patent that they actually used. In any case, it provided some insight into how the mechanism would be weak and how it could be compromised.

So I'll just go into how the gun works internally to give you an idea about where I'm going with this. Internally, imagine that you're looking down the slide of the gun. This is the top part of the gun that slides back and forth. It's the part that has the barrel on it. So imagine you're looking in line with the barrel from behind the hammer, from the back of the gun. You're looking longitudinally down that, and you're looking at the firing pin. Now, ordinarily, the firing pin is blocked. You can imagine it having some lugs on the side, and those not matching up with holes in the slide. So you have this mismatch of the lugs to the wards, and if you were to strike the firing pin with the hammer, it wouldn't move, and the gun wouldn't fire. That's what you want ordinarily when you're not pulling the trigger, for example. What happens is, when you partially pull the trigger, you move that mechanism a little bit.
In particular, you rotate the firing pin slightly, and those lugs become closer to lining up with the wards, closer to matching and allowing it to slide, but not quite far enough. So you pull the trigger halfway, and you would get a little bit of movement on the firing pin, but not enough to fully unlock the device. That's the scenario you have if you're not authorized to fire. Let's say you pull the trigger the full way; nothing happens, because you have that mismatch. However, if you are authorized to fire, then an electromagnet is turned on by the microcontroller in the pistol, and that electromagnet will pull on another piece that's connected to the firing pin. This is a little bit of ferrous metal, which means that it can be attracted by a magnet. When the electromagnet pulls on that ferrous material, it will align the lugs with the wards in the slide, and at that point the firing pin can slide longitudinally. So when the hammer strikes the firing pin, the firing pin will move, strike the primer in the cartridge, and the gun will fire.

This is actually a shot of the patent, which was great. It's patent 8966803. Good tip: if you're looking for patents that companies have filed, they don't always file them in a way that is easily searchable. What you want to do, I found, is to search on the company name, pull the patents they have filed under their name, and then pull up other patents that are associated with the inventors on those patents. Sometimes you can get a much greater breadth of information than you otherwise would, even if those other patents don't mention the company by name.

In real life, this is what it looks like. This is a view into the gun from the top. Imagine you've taken the slide off of the pistol and you're looking from the top down into the gun.
You have the barrel on the left and the hammer on the right, and in between them, where the arrow is pointing, you have this little circle, and that little circle is an electromagnet. It's the electromagnet from the diagram. Now, that lines up with the components in the slide. So this is the slide, and you have two views of it here: the profile view, and the bottom view, from the bottom up. You can see there is a little piece that the cam would press on when you pull the trigger partway. When you pull that trigger partway, it will lift up on a linkage and move that piece of ferrous material down a little bit further into range of the electromagnet, and then operate as before. If the electromagnet is on, it will be pulled further and unlock the firing pin, and if not, it will just not fire. One thing you can see easily on this paired view of the profile view and the bottom view of the slide is where the ferrous material is relative to markings on the side of the slide. You can see it's near this detent on the right side. So keep that in mind for a little bit later.

You know, I thought, gosh, electromagnet, I could just put a big-ass magnet next to it, right? They make those, and they pull the same way. So I went on Amazon, and I'm like, you know, big-ass magnet. It's this huge hockey-puck-size neodymium magnet. I was like, overnight that, or two-day it. I got it, and I slapped that on the side of the gun, and it did not work at all. I mean, it was dead. That was way too much magnet. I could kind of imagine a sucking sound, of all the components in the pistol being pulled to that side. You couldn't pull the trigger at all. It was just way too much magnet. Never thought I'd say that: yeah, too much magnet.
So I went back to Amazon and found some smaller magnets. These are, again, neodymium magnets, about an inch and a quarter by about a quarter inch. You need about three of them. They come in four packs, but you need about three of them. So that's about $15 for the magnets. I got those together, and I picked up some scrap wood dowel and a stainless steel screw, stainless steel so that it wouldn't be attracted by the magnet, depending on the alloy. This is the magnet tool. This is the $15 tool to defeat the $1500 smart gun. You can see a piece of wood with a screw in it and some magnets stuck on the end. It's kind of good that it needed exactly three magnets, because there's no way I'm ever getting those apart again. They are really stuck together.

Okay, so the way you use this tool is pretty simple. You just align the magnet right there. If you remember from the earlier slide, you have the ferrous material. It was aligned basically where that arrow is. So again, what you're doing is you're just pulling from the outside, standing in for the electromagnet. That is most easily done at a slight angle. I found that if you had the magnet right on the edge, it would pull it too hard, but a little bit of an angle works a lot better. So you slap the magnets up there. Oh, one other thing to note about this, and you'll see this in the video too: there's a red light near my wrist in this picture, near the back of the gun. When the gun is authorized for firing, it'd be green, but in this photo and in the video we're going to see in a moment, it'll always be red. It'll always be not authorized to fire.

All right, so let's look at the demo of the magnet attack, firing without authorization. Okay, again, a little bit of context. I'm going to pull the trigger a few times to show that the gun won't fire ordinarily. Right now I don't have the watch nearby or anything like that.
No relay attack or anything like that in place. And so, you know, it's kind of hard to see, but there the red light is on the back, indicating it's not authorized to fire. So pulling the trigger a couple times, not working. So then we'll take the magnets, put them next to the gun on the right spot and it fires. Thanks. So then, you know, a couple other instances of this, I've fired it again or I clicked it again showing it wouldn't work, put the magnets up and it fires again. You know, how about a first person view? All right, so we're going to go and take that and oh no, it doesn't fire, oh no, oh no. Actually this time it didn't work the first time, but that's okay, we'll just put the magnets back on again and oh there we go, yeah, no problem, no problem. So you take the magnets off, put them back on, no problem. Pretty easy. I actually showed, so I showed a couple people how to do this and they thought I'm pretty fast. In fact for the Wired video piece, the videographer, I had him shoot it too just to show I wasn't, you know, full of shit or something. So the, yeah, so you know, I know what you're thinking, you know, fucking magnets, how do they work? It's a miracle, it's a miracle, yeah. I, I honestly didn't know what, I had no idea what anybody was talking about and people kept telling me like fucking magnets, like what are you talking about? I had to google that one, I'm sorry, I'm getting old. The magnet defense, however, how do you defend against this sort of thing? So basically don't do this, don't rely on solenoids, don't rely on DC magnetic fields, and we see this thing, this sort of problem repeated again and again, like there was a classic case a couple years ago about Sentry safes. So a particular model of Sentry fire safe was susceptible to a magnet attack. You basically would just put a magnet up on the door and it would move a solenoid inside the safe and the safe would open.
So, pretty pathetic, and they kind of made the same mistake here, so I would guess that they're probably not the last to make that mistake either, but basically don't use anything that relies on DC magnetic fields. Instead, consider something like a motor drive. So in better safe locks, like the ones I talked about last year, you'll find a motor and it will move like a bolt on an Acme screw, for example, and this is much harder to induce from outside of the safe or outside of the gun or externally anyway. And that's one approach. Another option would be to design a system that would detect an attack, so that would have some sort of relocker. Like it would say, oh, there is an external magnetic field and as a result we're going to activate a secondary lock, and there are a variety of clever implementations for this sort of thing, but again the idea is that any external magnetic field would induce some sort of secondary relocking, ideally without any sort of electronic intervention so that it would still work with the power off. So, you know, a few thoughts finally. Again, I'm not against smart guns. I think that if you want a smart gun, you should be able to have a smart gun, but you should get what's on the label. You should have one that actually provides meaningful extra security and I think this fell short. I think the IP-1 fell short and it was kind of a little bit of a disappointment. I was expecting a greater challenge. Actually, when the magnet thing happened, I was really hoping for like a DEF CON talk and I was like, oh no, magnets, like that's not going to fly. Like that's too simple. So I was like, I don't know, magnets, and then, but it turned out to be kind of interesting anyway, I thought. There was also kind of an ethical dilemma and I went back and forth with the media actually about this because they were worried about teaching kids how to do something dangerous.
In this case how to fire maybe their parents' gun, and you know it's always kind of tricky, and you see this a lot with hacking in so many contexts: is it better to kind of sit on the information or is it better to share it with the world? And I take the opinion that, yeah, you might be sharing this information, teaching a kid how to fire their parents' gun, but on the other hand you're telling the parents that this exists, you're getting the word out that these things exist and that we can fix them and then we can make future products better. You know it's probably, I was talking to somebody else about this and he pointed out that it's good that this sort of problem was found now, before anybody's died because of it, than in the future when somebody might discover it because of some unfortunate accident with a kid. So anyhow, if you have any questions I'll be out in the hallway, and thanks for your attention and have a good evening.