talk is called Knock Knock, who's there? Is your door locked? Are you sure? So when a video entry system allows unauthorized access, Jeroen will tell you about it. Please give him a round of applause.

Thank you very much. I'm indeed Jeroen Hermans. And let's start with page one from the theory of presentations, a little bit of audience participation. So I hope you're all ready for this. So let's start with Knock Knock. Doesn't matter. I'm already in. Very good.

So yeah, let's first talk a little bit about me, who I am, and how I ended up here. As I said, my background is in electrical engineering. That's what I studied. And in 2002, I started my own company as a technical consultancy. And it is a bit difficult to understand what it is exactly that I do, because in a word cloud, you can see it is a lot. A lot of different technologies. And this is because I usually go to mostly non-technical companies, and I solve their technical questions. About 10 years ago, I also started a telecommunications company. And as far as I know, and please do correct me if I'm wrong, I am the only telecommunications company in Europe that can actually deliver emergency services 112 in every member state in Europe. If you want to talk to me after the talk, you can find me in the Swiss village, which is exactly there. So that is very convenient.

So let's talk a little bit about how this talk came to be. Well, like everyone during COVID, I was slightly bored. And everyone knows that a bored hacker is a very bad thing. So I was walking through my apartment and I saw this on my wall. And I thought, interesting, what's in there? And how does it work? So about five seconds later, it looked like this. And I thought, huh, it gets even more interesting. So I thought, let's zoom in a little bit. So I did. And now four wires come in there. Well, two of them from my doorbell. So that was not too interesting. But the other two are from a bus. And I thought that is interesting.
I want to know more about this bus. Every sticker in this device says Comelit. And I was not familiar with the company Comelit. So I thought, who is it? And I went on the website. And I saw this screenshot from their website. They make video entry technology. So basically the device that you just saw. And one of their mottos is design, technology and security, in that order. I thought that's interesting, too. So there's a lot of interesting stuff going on now.

So I thought, okay, so I'm going to have a look at this bus system. And I found a few things on this bus. It has DC power on it to power all the different phones in the apartment building. It has audio baseband on it. That is interesting because you could basically hook up a USB audio card on it with a Raspberry Pi and record all the audio on the bus. Then at 25 kilohertz, which is probably chosen because it's a lot higher than the audio, there is binary data. And I'll show you a little bit later how that works. And the video is also on the bus. It is frequency shifted, but it is baseband video.

Okay, so now we know a little bit about the signals that are on this bus. So I'm going to dive a little bit into this. First, the audio. What is baseband audio? So it's pretty much as easy as taking the bus, low-pass filtering it, putting an amplifier on, and you can use a headphone or evil recording device to use this audio. It's extremely easy, but I also think it is, yeah, it's very personal data. Someone rings the bell and asks my neighbor, do you want to open the door? And they potentially tell their name and stuff like that. So yeah, I should not be able to receive this.

So let's have a look a little bit at the binary data. This is an actual scope picture of the binary data on the bus. And there's a lot going on. So let's first see what it starts with. This is a so-called preamble. The preamble is a 25 kilohertz tone. This signal is 25 kilohertz. It lasts for three milliseconds. Then it's quiet for 17 milliseconds.
And then the address starts. And after the address is the actual command sent on the bus. And then there's a checksum. Now, you probably already saw that I say address 48, but 48 is not 4 times 011. And that is because it is a least-significant-bit-first system. I'm not entirely sure why they did this. It might be because they're using a specific type of processor, or maybe they thought it was because of obfuscation. I'm not entirely sure. But this is how they do it. The checksum, that is basically the number of ones in the packet. So in this particular situation, the green signal, the green part, the address, has two ones. The red part, the command, also has two ones. So the checksum is 4. And if we take 001, that is actually 4. So the checksum is correct. After the packet has been sent, you can see four bigger pulses. And those are basically the acknowledgements from the far end.

Okay. So we know pretty much what sort of signal is on there. Now we need to recover it, because there's a 25 kilohertz signal on there. And you know, it's pulse-length encoded. We still don't have all the data. And I think it is as easy as this. It's a PLL, a phase-locked loop. And what we basically do is we run a voltage-controlled oscillator at 25 kilohertz. And it is constantly pushed to the correct frequency by the input signal, Vi. If we take the output of the loop filter, that is basically a DC signal, or DC-like signal. And that is the bits of the signal. So it's very easy to recover the 25 kilohertz binary data from this bus.

Okay. So now we have the audio baseband. We can listen to it with a headphone. We have the binary data, so we can see, okay, someone rang the doorbell for apartment five. So we have to get a little bit into the security part. And you probably still remember this part of the screenshot, the design, the technology and security. So obviously I rang Comelit. And I asked them for a reaction.
And the reaction was, we are going to the police because you are a hacker that wants money from us. And I said, no, no, no, I don't want any money. But, you know, the discussion became a little bit sour. So I went to the police and I said, please don't spend any resources for three weeks to find an evil hacker that is trying to extort Comelit. It's me. And you know, just call me. And they actually really appreciated that.

So basically this bus system, it's unauthenticated. There are no users. It's unauthorized because there are no users. You can also not say this user is allowed to do this. It's unencrypted. As we just saw, I can just see who is sending which packet. It's a broadcast system. So on the bus I can see everyone's signals. So I can see who opens the door. I can listen in on their conversations with the person at the front door. And if I would shift the video signal, I could actually see the video with, for example, a USB video grabber. Another interesting thing is it has no sender verification. So for example, if you have an apartment building with 10 apartments and I just send a signal on this bus, hello, apartment 200, please open the door, it will actually open the door. So it actually doesn't care who's on the bus.

So yeah, I asked Comelit about this, about a year ago. And I said, so do you want my help on this? Are you going to change anything on this? And they said, well, basically, we don't think it's very important what you found, because it's not a security product. So this is not a big deal. And I thought, really? Let's have a look at how Comelit markets this product. So I found on the website of Comelit a press release from 2020. And it actually says Comelit achieves Secured by Design membership. Well, I've used this wording more often here. And I thought, that's interesting. But then again, during my talk with Comelit, I also said this. And they said, yeah, yeah, but we have newer systems. This is a system from the 90s.
And it's old. And I said, oh, really? So which percentage of the systems that you are selling is still using this system? And they were like, it's more than 50%. So it's still very current. It's still very much used. And this bus system is called SimpleBus. And I'll zoom in a little bit on this press release. Yeah, you can see two of the entry systems of Comelit are certified for this in the UK, apparently. And one of them is the two-wire SimpleBus. So there's something interesting going on here. Either the board of directors of Comelit Holland don't know about this press release, or, yeah, let me put it politically, something else is going on. So I think definitely in this system there's room for improvement. Let me put it mildly. And funny enough, today I looked at the website of Comelit. And I think they now think the same. So if you are looking for a job, I can give you a few hints on what the job will be in the next two years.

Okay, back to the why. So I asked Comelit, why did you build it this way? Because it's not that difficult to put some of the restrictions in there. I mean, in the 90s, it was possible to do encryption or sender verification. And I asked them and they said, well, this is basically because of the Bouwbesluit. So this is a Dutch, I don't want to call it a law, but it is a document that describes how you build a house. And they said, if we build our system better than is needed in this Dutch law, the Bouwbesluit, then we will be more expensive than our competition and we won't sell any systems anymore. So this is the real reason that we are doing it this way. So I thought, let's have a look at the Bouwbesluit, and here it is. It's a Dutch website from the government. And it directly stems from article 6.51, and I've translated it for the English-speaking people. It literally says prevention of common criminality in a building for living.
And this document does indeed not speak about any security for the systems that are meant for security. So there's definitely some improvement there, I think there should be. We have seen in Holland in the past few months definitely a few incidents, also with ministers. So yeah, lots of organizations are using the Comelit system, and safety and security should be at the top of the list, I think.

So digitally and analogously there is some improvement possible, but surely physical security in this system is better. So I looked at that too. And here we are. So this is an actual Comelit system. And on the right side you can see the under part of the doorbell, I'll call it that. And you can see that it does not have any special screws in there. You can just use a five cent screwdriver from any building material shop and just open this up. Two little screws and you're in there. That's the left picture that you see there. And indeed, again, you see this bus there. But you also see other wires. And the other wires are actually going to the lock. So I asked Comelit, so what happens if I take a paperclip and I bridge the system from the bus to the lock? Does it open? And they said, yes, it does. But who opens this? Okay, fair point. I don't know that, but surely there are some really easy measures that you can take to improve this.

So how important is it? I mean, is it just people's buildings? People's first front door, so you can get in the hallway where the staircases are to the apartments? Or is it something more important? Can you actually get into buildings? And specifically, can you get into important buildings? So I looked into that too. So who is using Comelit? It's a lot of buildings. Sometimes it's complete streets. But I made a nice selection here of Comelit systems that I found. And there are some important customers there. You can see UNICEF is using it. If you're at UNICEF, you can actually get into the building.
So it's not just the first door that you get into. Landal, it's a holiday park company. They are using that too. And again, you can get indoors there too. But maybe the most important one is on the right side there. Maybe it's a little bit difficult to read, but it actually says Reclassering. And maybe the Dutch people now say, oh, because this is an important company. It is actually the Dutch probation service. So it is actually tied to the prison system in Holland. So last week, I called them. And they thought it was really important. And they are definitely going to look into this. From other companies, I got a less than enthusiastic reply. And they just said, you know, just send an email to the info@ email address. And yeah, we'll see if anyone wants to look at it.

But yeah, so that's a lot of negative things. So I thought, is there any upside to this whole story? Well, I can think of one. And well, it would be really easy to connect it to your home automation system. I mean, it's really easy to make your own home automation gateway for this and connect it to any one of these pieces of software. And you can actually open your door for someone while you're on holiday, you know, that would be neat, with your own app, without Google or Amazon having to use your data. Yeah. So I would like to end on a positive note. So Comelit did actually manage to build a system that has a really, really open interface. Thank you very much.

Okay. As there is still some time left, if you have any questions, you can line up at the microphones in the middle of the room. Okay, front microphone, please, and step close to the microphone so that we can hear you clearly.

Hi, thanks for the great talk. You saw a number of Comelit systems in the wild. Do you happen to know whether those were the SimpleBus kind or the new, probably maybe better, kind?

The ones that I had in the presentation here were very likely the SimpleBus types. You can look it up on the website.
They have a very nice pro.comelitgroup.com website and it has all the technical documentation. The newer types are actually IP based. So there's definitely a follow-up presentation coming on that. And they are easily recognizable, these IP based ones. And I see another question.

Hello. Yes, I do like this. How difficult would it be for you, standing on the street, to attach something to it so you ring up all the apartments and the video signal is, for instance, Rick Astley?

I think it would be doable. The audio, that would definitely be doable. The binary data, call all the apartments, that would be doable. Although I don't think that you can actually call them all at once. Probably because if you call the next one, then the connection to the first one is actually cut. Because it's a bus system, you can't send multiple signals. The video, you would actually have to frequency shift it. So it becomes a little bit more difficult, but probably also doable. So yeah, if anyone wants to do that, please do let me know, because I would love that.

Yeah, we should do that. Do like an open source board where you can go out and then sort of time delay, so you're out of the place and it'll just stop, start ringing them one at a time.

Oh, fantastic idea. Absolutely.

Are there any more questions? Yes, front microphone, please, again.

Do you think that when they use secured screws, so that you can't open it that easily from the street, that then the problems are at least mitigated?

No, no, it's many, many steps that you want to take. It starts with the screws. You also don't want the door open relay available if you remove those two screws, because you could also use a big hammer, of course. So it's many, many steps. The bus itself, you want that more secure. Yeah, so it's the whole system basically.

I mean, compared to a nice large brick that you can throw through the window?

Yeah, absolutely.
But then again, if you sell a system specifically, say, secured by design, and you make a system with these kinds of properties, me personally, I would feel bad about that. So, yeah. I think the most important thing Comelit has to do is market it very differently now.

Right. Thank you. Okay. Anyone else having a question? If that is not the case, please give a round of applause to the speaker.
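The bus frame the speaker describes (address, then command, then a checksum equal to the number of one bits, every field sent least-significant bit first) can be decoded and sanity-checked by a passive bus monitor; the block below is an added example, not code from the talk or from Comelit, and the field widths (8-bit address, 8-bit command, 4-bit checksum), the function names and the sample traffic are assumptions. It flags the two things the talk says the bus itself never rejects: frames with a wrong checksum and commands addressed to apartments that do not exist in the building.

```python
"""Passive decoder and monitor for the two-wire bus frame described in the talk:
address, then command, then a checksum equal to the number of one bits in
address and command, every field transmitted least-significant bit first.
Field widths below are assumptions; the talk does not state them."""
from dataclasses import dataclass
from typing import Iterable, List

ADDR_BITS, CMD_BITS, CHK_BITS = 8, 8, 4   # assumed widths, not from the talk


def lsb_first_to_int(bits: List[int]) -> int:
    # The bus sends the least significant bit first, so bit i carries weight 2**i.
    return sum((b & 1) << i for i, b in enumerate(bits))


def int_to_lsb_first(value: int, width: int) -> List[int]:
    return [(value >> i) & 1 for i in range(width)]


@dataclass
class Frame:
    address: int
    command: int
    checksum: int
    checksum_ok: bool


def decode_frame(bits: List[int]) -> Frame:
    """bits: the 0/1 sequence recovered from the PLL loop filter, preamble stripped."""
    n = ADDR_BITS + CMD_BITS + CHK_BITS
    if len(bits) != n:
        raise ValueError(f"expected {n} bits, got {len(bits)}")
    addr = bits[:ADDR_BITS]
    cmd = bits[ADDR_BITS:ADDR_BITS + CMD_BITS]
    chk = lsb_first_to_int(bits[ADDR_BITS + CMD_BITS:])
    # Checksum rule from the talk: the number of ones in address plus command.
    return Frame(lsb_first_to_int(addr), lsb_first_to_int(cmd), chk, chk == sum(addr) + sum(cmd))


def sample_frame(address: int, command: int) -> List[int]:
    """Constructed test traffic for the monitor (not captured from a real bus)."""
    addr = int_to_lsb_first(address, ADDR_BITS)
    cmd = int_to_lsb_first(command, CMD_BITS)
    return addr + cmd + int_to_lsb_first(sum(addr) + sum(cmd), CHK_BITS)


def audit(frames: Iterable[List[int]], known_addresses: Iterable[int]) -> List[str]:
    """Report what a bus without sender verification cannot reject on its own:
    frames with a bad checksum and commands for apartments that do not exist."""
    known = set(known_addresses)
    findings = []
    for i, bits in enumerate(frames):
        f = decode_frame(bits)
        if not f.checksum_ok:
            findings.append(f"frame {i}: checksum {f.checksum} does not match bit count")
        elif f.address not in known:
            findings.append(f"frame {i}: command {f.command} for unknown address {f.address}")
    return findings
```

With the assumed 8-bit address, the speaker's example address 48 has two one bits, so a command with two one bits yields checksum 4, matching the scope picture he walks through.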