Thanks for coming. Are we good? Okay. So this is our 45-minute presentation where we sum up a full year of research on a Linux powered rifle. My name is Runa Sandvik and this is Michael Auger. Wired covered a lot of stuff about this research and what we found. So in this presentation, we want to try and focus a bit more on how we actually did the research, how we found the different issues. We got some cool demos to show and we also got some bits and pieces that Wired didn't cover last week. So TrackingPoint was widely covered in the media over the past two years, three years. It's a Linux powered rifle that allows you to actually take accurate shots even if you've never shot a firearm before. And it has mobile apps and all sorts of cool things to go with it. Journalists at CNN last week asked me why we decided to hack a firearm and I told them it's because cars are boring. But in reality, it's because we can, because it's fun, the technology is there and it seemed like something that was worth poking at. So the platform we decided to work with was the TrackingPoint TP750. It's just a Remington 700 308 bolt action as the base firearm. The hardware, the piece that TrackingPoint actually designed and made, is the scope. The platform on ours is called Cascade. They do have a smaller platform called Aries which is on some of their shorter range rifles. A lot of the things we found here, there's a very good possibility and very high likelihood that they also affect Aries as well. The hardware itself, it's running a modified version of Angstrom Linux, the same distro that used to come with the BeagleBone Blacks. The hardware itself is also very similar to a BeagleBone Black. So it's a 255 meg RAM, 600 megahertz ARM CPU. There's 16 meg flash storage that holds Linux kernels. Then there's a 4 gig flash chip that holds the file system. The way the system is intended to work, there's two modes.
There's a traditional mode which is now just a rifle with a fancy scope that has a range finder on it. So you can tag a target, it'll tell you how far away it is, you have your crosshairs, you can then make adjustments manually, do what you're going to do. You can push a button and kick the scope into advanced mode. And in advanced mode you have what they call Tag Track Xact. So the first frame here, you're lining up to your target, you push a small button in front of the trigger and it tags that target. The scope then calculates the ballistics to hit the target where you've tagged it and the crosshairs will move accordingly. So then you hold down the trigger and the gun will not fire. There's a trigger interaction between the scope and the trigger that holds the firing pin. So you hold down the trigger, you line up the shot, and as soon as the crosshairs are lined up on the tag that you have on your target, the firing pin releases and it fires with a very high likelihood of hitting the target where you tagged it on the first shot. So there's a couple of things to keep in mind about the research: our attacks do require the wireless network on the rifle to be on. It comes off by default. You have to turn it on for any of this to actually work. We cannot fire the rifle remotely. We can do a lot of fun things like lock the trigger so you cannot fire, but we cannot fire remotely. And lastly, the TP750 is a firearm even without the scope. So if you break the scope, if the owner just decides not to actually boot the scope at all, you can still use the TP750 as a standard rifle, but you have no good way of actually aiming at that point. So when we were putting together this presentation, we were trying to figure out how we wanted to tell the story and we really wanted to focus on how we did the research. And so it really came down to sort of three different rounds where we tried a lot of different things.
So for round one, that was basically when we bought the rifle, we got it, we took it out of the box. And this is what the scope that sits on top of the rifle looks like. So you got a couple of physical buttons. There's focus. There's wind. Zoom. A couple of other things. There's two USB ports as well and it also has a microphone. So when you're in advanced mode and you're tagging your targets and you're firing, it will record a video and also audio at the same time and save it on the scope. So that's what that is used for. So what we did after just looking at the sort of the physical buttons and trying to figure out what was there, we started it up and we did a port scan, as you do, when you have a rifle with Wi-Fi. And we found it runs two services. There's a web server on port 80 and there's a streaming service that runs as well. And that was it. We tried a lot of different things like assigning ourselves a different IP address and doing another port scan just to see if maybe something else popped up. But we could never really find anything interesting. It seemed like these are the two services that are running and that's it. So after that, we jumped to looking at the two mobile apps that TrackingPoint created for use with this rifle. There's one called ShotView, which is just the stream. It allows you to see exactly what the shooter is seeing inside the scope. But it doesn't give you any controls whatsoever. The second app and the more interesting one is called TrackingPoint. That's the app that will allow you to change wind, temperature, the type of ammo used. It will allow you to download media or the videos off of the scope and it will also allow you to do software updates from your phone. So we downloaded the apps from the Google Play Store. We decompiled them. We tried to figure out exactly what the communications between the apps and the scope look like. There's a WPA2 key for the wireless network.
That's a default, very guessable key, but it's still there. We found that the communication between your phone and the scope is HTTP only, which isn't that big of a deal when you have WPA2. We got really excited when we saw that the TrackingPoint app uses HTTP to pull software updates from TrackingPoint's website, from TrackingPoint.com. But then we realized that the updates are encrypted and signed with GPG with a passphrase that we don't have. So that didn't really seem like a big sort of problem either. When we then took a closer look at the mobile apps, we sort of found this public API. That's all the options that you have available to you within the mobile app. You can set wind, you can set temperature, you can set factory defaults and a couple of other things, but it seemed fairly locked down. It also seemed like the app was validating the input that we were trying to give it, so you can't set a sort of crazy value for wind, for example. So at this point, we were sort of, we were hitting a wall. It seemed like a fun project initially. It seemed like something that would be fairly easy to do, but we got to this point and we just couldn't seem to find a way in. So we did what you usually do. We tried a lot of different things. We tried the port scans. We tried to poke some more at the different apps. We tried to push all sorts of random buttons on top of the scope. We also quite literally tried the Konami code with the buttons trying to do something. It did nothing. We couldn't really find a way in. So after all of this, the sort of round one findings is that the SSID for the wireless network contains the serial number of the firearm. So in our case it was TP750 underscore the serial number. And you cannot change that. The WPA2 key to get onto the Wi-Fi is a very easy to guess, for us anyways, key that you cannot change either. Any RTSP client can stream the scope view, but that's not a massive problem.
We found that the API is unauthenticated in that anyone who can get on the wireless network can actually change values and use the mobile app the same way you would use it. But it does validate input. So if you try to change the type of ammo used, for example, for our rifle you'll get a drop down box with only two values. If you try to pass it a value that isn't either of those two values, the scope will just reject it because there is something on the back end that is actually validating the input. We found that for advanced mode, when you want to jump into the tag and track mode, you can set a four digit pin so that when you boot the rifle before you can even, when you boot the scope, before you can even get into advanced mode you have to enter this four digit pin. But four digits is pretty easy to brute force. And we also found that the API call set factory defaults will reset the lock. So if someone's got the lock set on the rifle, you can just use that API call and it will just reset it. And yeah, the updates are GPG encrypted and signed as well. A quick note on the pin lock as well. When you're loading up the TrackingPoint application on the phone, the first thing it does is check to see if a pin is set. If one is set, it won't even let you into the app. But again, when you just do that set factory defaults, it ignores all of that and just resets, you're good to go. So at this point we've been kind of treating this as kind of a black box, right? We've been poking at it, seeing what was available. There wasn't really much there. The footprint was very small. There's not much to attack. So it's time to dig into it a little bit more and start looking at the hardware. So the first thing we did was start doing some recon, kind of digging around on TrackingPoint's website to try and get some idea of what to expect once we tore this open before actually tearing it open. This picture here came just right off the website as part of their marketing.
Looks an awful lot like a CAD diagram. If you look at there, there's some screws. You can see pinouts, a couple other little things. Dig around a bit more. Found a white paper that they put out with the same type idea. It looks like a CAD diagram but from the other side. You can see the cable that goes down that interacts with the trigger. You can see the trigger assembly and the PCB as well as that red button that's used to tag the targets in advanced mode. So once you actually tear it open, looks an awful lot like those CAD diagrams. They actually used them in their marketing which was useful. It was nice to have some idea of what I was actually jumping into when pulling things apart. Digging around some more on TrackingPoint's YouTube channel. They have a video that actually shows some of the fab process. So you can see these five PCBs laid out. Those yellow strips in between there are a flexible, basically Kapton tape, same type idea. If you use that for 3D printing or anything else, that allows the circuit boards to take different shapes beyond just a flat circuit board. So when this is fully assembled, here's kind of a view of what that looks like inside. It doesn't necessarily come through here very well. But all of the circuit boards are double-sided. And they're in this 3D assembly, meaning simple things like, oh, I'm just going to probe this pin and see what it does. I'm just going to see what it does. It starts to become very difficult because even getting to them requires hours of desoldering. Here's a close-up of one of the sides. On the left side there you can see the little patch of pins underneath the focus knob. There's about 20 or 30 pins there. Underneath the ribbon cable there's another about 20 pins that are even smaller. And then there you see that red and black wire. All of that has to be desoldered in order to get this PCB assembly out. And there's so many watchdogs and other things in the system that are present, it doesn't function anymore.
This thing I need isn't present and shuts down. So the only way to test things is having everything hooked up. So just very simple tasks that normally, I'm going to probe this really quickly, become very long, intense tasks. And if it works, awesome. If it doesn't, you're like, oh, I get to spend another two hours fixing it and trying something else. Looking at a close-up of this, TrackingPoint was nice. They labeled pretty much everything on this circuit board. So with this silk screening here, we can see this patch of 40 pins. There's two pins labeled TX and RX. So we looked at that and we're like, hey, that looks like it could be UART. Hooked up to it with a Bus Pirate. Loaded up a terminal. Turned on the scope. And this is what we saw. It was a very exciting moment. It takes a minute to boot. It's going, we're like, yeah, this is great. We've all seen those projects where people hook up to UART, root shell. We're like, yes, we're in. Then it finished booting and came to this. Here's a close-up for those that can't quite see that. Straight to a password prompt. So that was an emotional roller coaster, that moment. Tried all the things you would expect. You know, blank password, password, the top 10 most common passwords. Tried a bunch of, they say this on their website, let's try that word. None of that worked. So we also found with the UART it was running U-Boot. Probably can't see it in there, but basically there's a thing in there that says press a key to interrupt to dump into U-Boot. With U-Boot, there's a function to actually download memory, to dump memory. So you can put in a set of address space that will dump out the memory with some projects. If the memory that it's pulling from, the file system that it's pulling from happens to be the file system as well, you can dump everything that way. It is somewhat of a tedious process. But it does end up working. So we were trying doing this. Did I mention this runs off of batteries?
So tried the first time and it's running and it's running and it's running and all of a sudden it's off. We're like, oh, that's not good. And we look at the size of the dump and it's 15.5 meg. And the full dump is 16 meg. So that was very, very unfortunate. So ran to the electronic supply store, bought a bench power supply, hooked that up. No batteries required anymore. We're able to get the dump and looking at the dump, we're like, ah, sweet, we'll binwalk it and find the file system, extract it. We'll get in. And all we see is four Linux kernels. Nothing else. Not to mention 16 meg seems awful small for a file system for something that's recording videos. So it turns out this is when we learned that there is another chip, file system, on it. So round two findings, the console access is password protected and just initial cursory stuff. The kernels are on one chip and the file system is on a separate chip someplace. So time for round three. At this point we've been nice to it. At this point we've been trying not to break anything and tried to be gentle. After banging our heads against walls repeatedly, it was time to get a little break. So we ended up pulling the whole thing out. Went up and met up with Bobby Givati. He was nice enough to desolder some stuff for us, spend quite a bit of time, spend a weekend with us working on this. You notice that big chip on the top, that's an FPGA, there's an empty slot next to that or empty square. There was a chip there that when we were looking at it, we could see another chip and we're like, oh, that's another memory chip, file system chip. So we had to read the data sheet and not comprehend that 512 megabits is not 512 megabytes. So yeah, 32 meg chip which just programs the FPGA that's sitting there. So as fun as that was to pull that off and dump it, it did absolutely nothing for us. Looking at this nice torn apart lovely piece of circuitry here, you can actually see the file system chip in here.
I'll give everybody a moment to try and find this. That's where it's sitting. It's underneath a massive capacitor. So on its own, also made it interesting to try and find because it was very well hidden unless you're at the right angle. And then you see this five character string there which is the short code that Micron uses for their BGA packages. Unfortunately because this was a BGA package, our initial plan was once we find the file system we can tap onto the pins and then we'll be able to dump it that way. We don't have much knowledge, not so much. I mean there's all sorts of obscure ways to try and do that but it's not easy. So at this point we were just set: let's just pull the stupid chip off, dump it that way. We know this can be done. This will get us what we want. It may not work when we're done. Don't care. Got ahold of some people in Portland. They basically were like, yeah, we can help you do that but you are aware it may not work. Totally don't care as long as we get what we need. So we packed all our hardware than we did. So they saw this silkscreening and said, hey, these pins look familiar. These look like actually eMMC access pins. So that DA0 to DA7, it maps directly to accessing an eMMC chip. They called around a couple of their friends after trying a few other things to try and get it. One of their friends happened to have this. Alibaba special, $118. It's an eMMC to USB adapter. So the socket that's on here is actually worth probably about $100 on its own. It comes in this nice package. If you do desolder the chip, you can drop it in that socket, plug it in. You now have just a really clunky USB thumb drive. But there's also these pins in between the socket and USB port which map to that DA0 to DA7 command. So we hooked it up. We were able to dump the file system this way, plugged it in. We got all five volumes of it. It was a very good day.
So first thing we did, short of looking at the /etc/passwd file, which did nothing for us, was look at the root for the web server. And there's a whole admin API that we hadn't been able to find yet. This isn't all the commands we found, but some of the stuff in here that's interesting. This set Wi-Fi actually lets you change the Wi-Fi AP name and the password. SSH accept. That sounds pretty interesting. So running that actually works for you. So one of the admin API calls that we also found allows you to communicate directly with the system backend. The part of the Linux system that actually does the ballistics calculations for the rifle. Actually connecting to it requires that admin call which just opens a port in the firewall. You can then just connect to a standard socket and talk to it there. While the mobile apps will validate the input, so like I said, if you're trying to select the type of ammo, you will only have two options. The system backend will happily accept any value you set. So when we did the demo with Wired that came out last week, what we did there was instead of the default value for the bullet grain or the weight of the bullet, we said that we changed it from 1775 to 500,000 and the system just happily accepted that. If you do the math on that, that's like 72 pounds, by the way. It will also happily take negative values. There are options in there that are for sort of future feature type stuff that we can't use but it's definitely in there. We can do things like tell the scope that it's attached to a different type of rifle or a different type of firearm. We can tell it that the solenoid is disconnected so that you cannot fire. It also has this one option for just fault or segfault which just reboots the whole thing. It's really fun to do when somebody's playing with it, lining up for their shot and it just reboots. So when you're interacting directly with the system backend, you can make temporary changes to the system.
You can do anything you want within that system backend but that's only for the part that does the ballistics. It's not really the full Linux system. So we have a demo. It's pretty similar to the one that was in Wired but it's shot from a couple of different angles. So this first video is normal operation. So we'll be tagging the target, lining up for the shot, taking the shot. Let me get the target on the right here. So here it goes. Waiting to line up. There we go. We got the tag, the crosshairs drop, pull down the trigger. Once we're lined back up, it fires. So there we go. Hit pretty much exactly where that tag was. Nice and easy. That's from about 50 yards. Which is fairly easy even without this. But for the sake of Wired filming, we were at 50 yards. So here's what happens when you set that bullet weight to 500,000 instead of 175. So they may get the same target on the right, but watch the crosshairs. Quite the difference in ballistics there. So lines up, takes the shot. Come back in. We can see, I don't know if you can see it in the back, but there's now a white dot on the target on the left. So we'll do these side by side so you can see them a little bit better. So again, the first one here is the one on the left. It's going to be normal operation. It takes the shot. We pull the trigger to line up. Now the second one calculates a whole different ballistics. Now we line up, both take the shot. The one on the left hit where we were aiming. The one on the right hit the target on the left instead. So we've essentially controlled, from the shooter's perspective, they thought they were aiming at the target on the right. The bullet actually hit the target on the left. So the only indication to the shooter that something's off is, one, the Wi-Fi icon inside the HUD is going to have the number one or the number two depending on how many people have connected.
I can say from experience that when I was lining up for a shot, I do not really pay attention to anything else in the HUD aside from where my target was. An experienced shooter might actually see that change. But yeah. You guys want to see the video again? All right. We'll do it one more time. There you go, Sud. Demos are hard. All right. So target on the left. Normal operation. Now on this one, pay close attention to where the crosshairs go. Quite the difference. And that's the other thing. The crosshairs will jump and then you have to readjust. And so again, for anyone who's not a very experienced shooter, you sort of will just chalk it up to just like bump the rifle a bit and have to be aligned. And that's a good indication short of getting on the Wi-Fi. So we got the system backend. We got the sort of demo that was at the top of our list where we wanted to make the shooter miss the shot. But we also wanted to get root access on the Linux system. So we found a way to do that by using the software update functionality. Once we got access to the file system and we had a look at the update script, we had a look at the two GPG keys. One that it holds at HQ, I guess, and one key that is on the scope. And the update script will verify the signature of the package, but it will not check to see which of the two keys actually signed it. So if you have access to the private key that is on the scope, you can create a software update that will be verified by any TrackingPoint firearm out there. For the private key, we decrypted the software updates that we had already downloaded from TrackingPoint's website, modified them, re-encrypted and signed and just pushed it up to the scope and the update script was happily accepting that. So with the software updates, we can make permanent changes to the system. We only need access to your Wi-Fi once to do this and we can then change everything.
All the ballistics values and all the things that we can do on the back end, changes on the Linux system and we can get root access this way as well. So here's a demonstration of that. So this first part here, we're going to try and SSH to the scope as the user hacker here. Probably nobody in the back can see this or the front because I can barely see it. The first call that it's doing here is hitting that SSH underscore accept. This is basically having the scope literally pass an iptables command to open up port 22. This is the scope and it comes back 59 as expected. So now we're going to upload that package update, run that and this is what you see in the HUD when the update is happening. We modified a few other things instead of just adding a user. The package is finished applying, the scope will reboot. No sound output on this, we don't have the audio for it, but when the scope is actually booting, it does basically a trigger check so it pings the solenoid. So the gun is booting up and it goes click click. It's really interesting when we're working on this. The gun was up, we're both doing things and all of a sudden we hear click click and right click. Was that you? Did you do that? What just happened? So that was pretty entertaining. That was the second part. So here we go, scope is back up, we're reconnected to the Wi-Fi. We hit SSH underscore accept again. Opens up port 22. Now we SSH in as the user hacker and no password, we're in. Now whoami? Running as root. Can anybody actually see or read any of that? Everybody in the back, you're screwed. You should have gotten here earlier. So yeah, using this package update, full root access to the gun. So to sort of summarize round three, we found that the admin API is also unauthenticated. You need to be on the wireless network and you need to know about the admin API calls, but that's it. So these API calls are present on any TrackingPoint firearm. So if you know about them, you can use them on any of them.
The system backend is unauthenticated. Again, full access to anyone who actually knows about them. It does not validate any input. So whether you tell it that the bullet weighs 500,000 or minus 500,000, it will happily accept that information. And the GPG key on the scope can sign updates that other TrackingPoint firearms will happily accept and apply as well. So at this point, you know, the greatest is to get root, the attacker would have to have had access to one of these guns, dumped out this GPG cert, made their own package. We weren't really happy with that. So worked with some really smart people in Portland, Kenny and Jesse. So we got one more thing for you. I don't know how many of you have ever made a firearm routable on the Internet, but we have. Kind of awesome. So they're working in Portland. We're sitting in DC working. And we have full remote code execution now. So leveraging the package update. Again, everybody back there, you're screwed. But leveraging this full package update, we have a shell script that basically passes some commands to it. You run it. It tells you to open a Netcat listener on a specific port. You go back and hit any key. I can jump that command. And it dumps a remote shell back to the Netcat listener. So now instantly root on any TrackingPoint rifle. No access previously required. Dumps in. Now I'm root. I can make a new user across the board. So it's not all that bad. I say after having remote code execution, software updates and direct access to the system backend. But when you compare what TrackingPoint did to what a lot of other vendors of embedded devices do, TrackingPoint did do a lot of good things in securing the system. So early on I mentioned that the scope has two USB ports. Well, they're disabled during boot, so you can't do anything with them. The media that is on the scope, so if you've been out, you've tagged targets, you've fired a couple of shots.
The media is deleted from the scope as soon as you've downloaded it onto your phone. So if you at any point have to send yours back to TrackingPoint, there's not going to be any media on it. There is a WPA2 key, even if it is guessable and even if you cannot change it, it is still there. The API validates user input. We sort of have a star next to it because the API, the one that you're interacting with when you're using the mobile app, will verify that the input you're giving it is within this allowed range. The only part of the sort of public API that does not validate the user input is the software update functionality where instead of giving it a package, you just tell it to execute a command. Console access is password protected and software updates are GPG encrypted and signed even though the implementation isn't as good as we would like it to be. So we'll just get better for TrackingPoint. We did reach out to them starting in April to talk to them about the stuff we were finding. We had zero replies up until Andy Greenberg wrote the Wired piece, at which point we pretty much immediately got a phone call, so as he got off the phone with them, one of the TrackingPoint founders called us up, said we were doing great work. We knew somebody would do it eventually. He was happy to work with us so they are working on a patch for all of this. As far as vendor goes, they've been great to work with. So some of you probably saw this on Twitter but a couple of years ago, TrackingPoint updated its website with this little notice that just says that they are working with us in fixing the issues, which is great. It also says that your gun can only be compromised if the hacker is physically with you and then it goes on to say that you can continue to use the Wi-Fi if you're confident no hackers are within 100 feet.
So we've all seen the Wi-Fi shootout which hits 50 miles or something like that at this point, or if somebody using the gun has a compromised device on them, that could do it as well. But at least they're trying. So I got a lot of photos of Pringles cans in my Twitter feed after posting this screenshot. Overall as an industry, vendors need to level up. People have been saying this in the industry for a long time but it's still true. The issues found here with this project, they're not unique to this product. Too many vendors are ignoring the low-hanging fruit. So things like password protecting UART for example. Things for vendors to do and most of them are not doing it. Really simple things that are overlooked. We tried to find some resources to recommend to people that are doing embedded system design or security on embedded systems. There currently is nothing that we could find. The best things we could find currently are BuildItSecure.ly. Which has a lot of just general advice around building systems securely. And then the OWASP IoT Top 10. Given that this has the API and all of that, a lot of these issues would have been discussed. So if anybody is adventurous, there are people like Joe Grand and a few other people that give trainings and things like that. They talk about things that you should be doing when you're thinking about it but there's no solidified resource. So if anybody works some place that has a lot of sway in these areas, that's something that definitely needs to be out there and more vendors need to pay attention to. Huge thanks to everybody on this list. Couldn't have done this without these people. And I definitely recommend to anybody who's thinking about doing something but not sure if they can, go ahead and do it anyway. Start reaching out to the community when you start hitting walls, asking people. People are really great about helping out.
So just because you may not know how to do something end to end, don't let that stop you when you're trying to do something. Yeah, I just want to add that when we started this project and we reached out to these people, most of them I had never met before this project. And they were just happy to take the time and work with us and help us put together a great presentation and actually complete the project and get the info that we wanted. So thank you. So this is everything we've got for you guys. Any questions? We're happy to take those. Yeah. So we'll get a microphone if anyone's got any questions. What's that? Get on the mic. Get on the mic, Hans. So I got a question. Have you tried to put it on any other things? Like adapt it into a bow or something? Sorry, into what? Adapt the scope into another device. Like a bow or... Dude, you could put it on a grappling gun and then you're like, totally Batman. It definitely could be done. You're just going to have to adjust all the ballistics for the things that you're using it with. So given the access that you have, it's definitely doable. Cool, thank you. What ballistics value were you changing to achieve the offset to the left? You talked about changing the grain size of the bullet which seems like you'd get a horizontal adjustment rather than an ice and windage is what you were doing. So that was, yeah, so we discovered that was happening. We were basically using the ShotView, looking through it, and I could get access to the backend and I'm like, oh, can you adjust these variables? And you adjust them and the crosshairs jump live. You set the variable and it jumps. So when I adjusted the weight, I was expecting exactly that. I would go up and down and all of a sudden it's like we adjusted 1,000, not much for you. 10,000 jumps to the right. That seemed awkward.
There's been a couple of people that have reached out nicely or otherwise to explain that we're idiots for not looking up how ballistics calculations are done and Coriolis effect and gyroscopic drift and all these reasons to which I'm like, that's cool. I'm really curious about that. But in the end, I don't really care that much because I got it to do what I wanted regardless. But yeah, that was the exact train of thought we had. Thank you. Had you said that the key from the rifle could sign updates for any other rifle or just it? For any other rifle. So the GPG key that is on the scope, they use the same key on all the other scopes as well. Okay, thank you. That's right. Good question. The question was, why would they do that? Because they can. I don't know. So had you guys made any attempt to figure out what the algorithm used for the SSID as well as the WPA2 key? So algorithm, there isn't one. It's a hard set key value. It's literally just some words. The way we found it, we didn't have to crack that. We have the manual, so it's like use this key to connect. So previous to making these weapons, they did make the Remington 2020 which is just a scope you could buy for any weapon or any rifle. The way that the SSID is generated for those is like REM underscore and then the last four digits of the serial number on the gun. So then it's unique to each scope and things like that. And then the WPA key was a similar type idea for those. So they definitely know of ways to do it better than what they did. You want to make it as easy for them with the fewest barriers possible to actually use the product. So you have definitely one of the things we looked at when we first saw that was oh, this is so horrible. Then we did the risk models on it and it's like, well, it's not really that bad. But as far as any algorithms there is none. It's just a hard set like that. Thank you. Was someone wanting to replay a video? Was it the update video? Replay it. Here you go. 
This is the software update one more time for those that missed it or that really like Duck Hunt either way. I think we can take questions at the same time. Okay. You said earlier that you could not make the rifle fire without the user input, right? Without pulling the trigger. Why? Is there any mechanical interlock that prevents you from doing that? So it's not mechanical lockout. The way a gun trigger mechanism works you need a mechanical interaction and the way that they're interfacing with that it doesn't remove that need. So the way they're interfacing with it you have the trigger assembly and when you pull the trigger normally the firing pin would release. They've got a solenoid that stops that release from occurring so you pull the trigger and instead of it releasing it's held by a solenoid instead of by the trigger. But then couldn't the rifle be left in a say pre-trigger mode and then make it fire for example? So the solenoid that they use is normally open so unless there's power it's going to stay open. If you were to switch it around and put a solenoid that's regularly closed and requires power to open it then it would have that effect. Thank you. Actually I kind of had the same question he did but what in the software is stopping you from actually firing the weapon? Yeah, nothing in the software. Okay. We could prematurely cause the solenoid to release if somebody is already doing it but still at that point somebody is already trying to take a shot so they're lined up hopefully in the direction of the thing that they're trying to shoot anyway so while it's a surprising behavior for somebody that's trying to take the shot it's still not particularly bad and it's not going to cause any major issues. Okay. You said you looked at the public API documentation to look at the HTTP calls and did you also man in the middle the app with the mobile app? 
Yeah, so less about documentation and more about decompiling the apps and sniffing what was going on in the network. And the fact that it was all HTTP made our lives a lot easier. Also got to learn how to decrypt WPA traffic in the process of doing this which was fun. Any other questions? Nope. Okay. Thanks again.