 So yeah, Defcon has a long standing tradition and uh you know if it's a speaker's first time on stage then um they do a shot. So it's not about uh alcohol although you know yeah it's uh it's a tradition that is intended just to honor our speakers and uh Defcon you know from times of viewer. So anyway um this is Matt Wixie and uh he's going to do a shot with us. Cheers. Alright so please welcome Matt Wixie. Hello Defcon. Uh so this is um Cenoevil here in Oevil. Hacking invisibly and silent with light and sound. Uh my name is Matt Wixie. I lead the vulnerability research function on uh the pen testing team at PWC UK. I also run something called the Dark Ought Lab which is a research blog looking at the more kind of esoteric aspects of security research. Uh I've been at PWC for about a year. Uh prior to that I worked in uh law enforcement in the UK for about eight years uh leading a technical research and development team. So today's talk is split into four parts. Um first I'm going to show you three custom tools I've developed to uh use light and sound to jump air gaps. I'm then going to talk about uh laser microphones, two different kinds of uh infrared motion detectors and different ways you can disrupt and disarm them. Part three, bands. Um I'm not sure if that term has made it out of the UK um but it roughly translates to lulls. So it's kind of stuff I've found during the course of the research that um has made me um laugh more than anything else um rather than kind of being of practical use. Um and as you'll see throughout this talk that's quite a low bar um but hopefully you guys will enjoy it as well. And then I'm just going to sum up and give some ideas for for future research. So a couple disclaimers, the views and opinions in this talk aren't necessarily those of PWC. Um all the contents for educational purposes only so please check legislation, get permission and so on. Uh this presentation isn't about uh exploiting vulnerabilities per se. It's about manipulating uh the inputs and outputs of a system in order to have a desired effect. Uh and lastly I am definitely not an electronics expert or a physics expert at all. Um in fact I've only been in security for about six or seven years. Um my bachelor's degree was in uh English language and literature uh which has been really helpful. Um so um yeah so just to give you an idea um I kind of regularly still poke myself in the eye with resistors and burn myself with soldering irons and uh I see magic smoke so much it's not even magical to me anymore. It's just uh it's just I call it routine smoke. Um so this is where I am on the uh the Dunning Kruger curve if you guys are familiar with this. Um so I don't want you guys to think that I'm kind of presenting myself as an expo on this stuff um but what I'm gonna do at the end of the talk is uh put my Twitter handle up on my email address and please do get in touch if you if you think I've got something wrong or there's something that could be improved or you've got any ideas or suggestions that would be great because um that's what Defconn is about at the end of the day right. Um so let's jump straight into it. So the first thing I want to show you is this. This is an example of LIFI, a data transmission through light. Uh in this case the data is music and this is uh adapted off a schematic on github and the uh that will be in a the references part at the end of the deck. Um but it's basically uh what we've got here is a phone that's playing music. The headphone output goes to a breadboard of LEDs which are gonna modulate the music data that's going through it and then you have a photo diode hooked up to a speaker uh that's gonna play the music. Yeah so that was my impression when I actually worked for the first time uh and then I did the same thing uh with infrared LEDs as well. So exactly the same setup even the same song it's just infrared LEDs instead of white LEDs that are modulating. So that kind of got me thinking about air gaps in different ways you can jump air gaps and uh I'm gonna assume that everyone here is kind of familiar with the concept of an air gap. Um there's been a lot of research on how to jump them and they all come with caveats. So um the first caveat is that we assume the attackers will be managed to infect at least one host with a bit of malware. Um that the attack has physical or near physical access to that infected host because we're talking about quite primitive inputs and outputs to a system. So we're talking about like heat, sound, light, um EM radiation that kind of thing. And then linked to that um the exfiltration of air gap systems is gonna be really slow and it's gonna be quite small pieces of data because typically we're talking about two bit channels um so high or low states. So this is some of the research that's been done in this area you guys will be familiar with a lot of this already probably um all the way from Van Ek freaking back in the 70s which is EM radiation from uh CRT monitors. Um there's been some great work done by guys at Ben Gurion University in Israel on jumping air gaps. Um particularly using heat uh Vizysploit which um encoded data as a kind of QR code flashed it up on the screen and the attacker would then film the screen um and be able to decode it. And Hassan and others in 2013 gave a really good overview of some of these techniques um and one of the things that they proposed was using ambient light sensors for mobile devices to be able to control smartphones um by flickering overhead lighting that kind of thing. So the first technique I want to show you is using ambient light sensors. Um so ambient light sensors are um essentially hardware components. They're found in the frames of laptops, smartphones, monitors, that kind of thing. And they're normally um uh photo resistors, photo diodes, something like that that increases or decreases resistance according to the amount of light that hits it. Uh and the idea is that you adjust screen brightness according to the amount of ambient light. So it's quite a um benign uh thing to have. Um and you can interact with it programmatically um through the Windows API. So um my plan was to create malware that could read in light intensity values from an ambient light sensor on a Windows workstation. Um and then execute different commands according to the amount of light that was hitting the ALS and the kind of changes in uh frequency, sorry, in changes in intensity. So a couple of problems is that um you have to try and make this like a covert activity because you can't just shine a massive flashlight um uh uh laptop. And you need some kind of exfiltration capability as well right because um being able to control malware is fine but for an air gap system ideally you want to concentrate on uh exfiltration. So uh I'm going to be brave and try and show you a live demo of this. So I've got a laptop here um that's got an ambient light sensor. The ambient light sensor is just here and what I've got here is an infrared torch. So if I turn this on you should be able to see anything other than like a red glow but for unfiltered cameras um they'll be able to see that. So I'm going to run the malware on this laptop and then introduce high values through the ambient light sensor and that then uh pops up uh calc on the screen. Okay so in terms of exfiltration um optical channels um for air gaps are quite difficult um optically um there have been some things suggested so VizzySploit like I mentioned earlier that relies on the uh attacker having a camera um inside what is probably a secure area. So I came up with this instead um so the idea here is that the malware when it wants the exfiltrate data it will read in a file uh convert it to bits uh and it will then make very subtle changes in the screen brightness um to represent that which can be then picked up by an external sensor. Um so the easiest way to um make screen brightness changes is with WMI um unfortunately that requires uh admin privileges. However changing gamma values in displays doesn't. So you can use a set device gamma ramp in the Windows API um and you can make very very small changes uh in the gamma value of a display. So the the device I've got here um is a light to frequency converter and this is much more sensitive than a typical photo diode or photo sensor. Um it can actually pick up changes in the bioluminescence of bacteria um it can read light intensity changes through through your hand um and it's connected to an Arduino Nano here. So what I've got here is a um the circuit connected with a micro SD reader writer module and I'm just going to do a test of this exfiltration function. So the malware is going to read in a file and it's going to make very small changes to the gamma value of the display. Uh what the malware actually does it takes like a baseline before exfiltration then it makes changes um uh increases or decreases according to whether it's a one or a zero and then after exfiltration is finished it will return it back. So you might be able to see that um the very kind of slight changes there um but from the attacker's point of view it's actually quite obvious whether it's a one or a zero that's being transmitted and then what you can then do is demodulate um the data and retrieve the the original bits. And uh that's not particularly covert kind of just plonking a breadboard down to a screen so this is a more uh covert application um so what you have here is the same uh light sensor, light to frequency converter, an Adafruit Flora board so they're conducted with a conductive thread and then you have the same SD reader writer as well. Um so the idea is you could exfiltrate data with an attacker could exfiltrate data just sitting in front of a screen and wearing that tie. So the second thing I want to show you is Dread Phone uh so Dread Phone is command and control using near ultrasonic sounds. So by near ultrasonic um what I mean is sounds that are um typically not able to be heard by most adults. Um so the the theoretical range of human hearing is 20 hertz to 20 kilohertz. In practice most adult humans can only hear um up to about 16 kilohertz. So 16 kilohertz to 20 kilohertz is like near ultrasonic. And whilst most adults can't hear that it's perfectly within the capabilities of a normal uh laptop sound card uh speaker and microphone to transmit and receive audio uh in that range. So there's been previous research on this um Tosted and others and Hans Back and Gertz did something similar. Uh one problem they've come across uh is this. So this is uh a recording of near ultrasonic sounds being played. So while you can't hear the tones there what's actually happening is that there's electrical discharge on the sound card uh which makes those kind of clicks and pops. So um what I did with Dread Phone was I pre-prepared 16 WAV files. Uh each one represents a different ultrasonic tone uh in increments from 18.5 kilohertz up to 20 kilohertz. So 16 in total. Each one representing a hex uh character. Um I applied multiple fade ins and fade outs to those. Um so it kind of smooths the uh the input into the sound card and then amplified it and you end up with this. So this is Dread Phone running on two laptops. Um this is the victim. And the attacker is here on the left. So uh this is monitoring the the microphone input. So what the attack is gonna do here is just tell the victim to pop count. Um which means it's gonna send it a sequence of those pre-prepared WAV files. And the victim then um executes that. Okay so the the next thing um is exfiltration. So this is uh a text file. In uh so Batman would be a really different movie if Bruce Ray was actually true to type and communicated with people at 45 kilohertz. Um so the attack is gonna exfiltrate this uh this text file. So it's just gonna send the exfiltration message. And I'll stay with the attacker here and what you'll see is a different tone start to come back. Now there is a case study of this technique being used in the wild. Um I haven't got a copy of the malware so I haven't been able to verify it. But bad BIOS you guys heard of that. Um so that um whilst it infected the BIOS um of um machines it also communicated other infected hosts. Uh there you go. Um using near ultrasonic tones. So um Dread Phone's fine for like small bits of data and small strings and stuff like that. But if you want to exfiltrate um uh more content say images for instance. You're a bit more limited. But you can actually use a technique that's been used in popular music before. Um and it involves spectrograms. Uh so a spectrogram is a visual representation of the frequencies in a piece of audio. Um and what the uh what these musicians have done is they've read in an image file. They've iterated through the pixels. Got the pixel values. And then they've written out uh frequencies uh to a way file that correspond to those pixel values. And when you view the audio as a spectrogram uh you end up with a an approximation of that original image. Uh so in this case you have a face on the left and a cat on the right. So these are both um uh examples from popular music. Let me try another demo. So let's say I have an image like this that I want to exfiltrate. This is a spectrogram tool that does that. So it reads in the image and then you can specify a minimum and a maximum frequency. So I'm staying with um near ultrasonic again. If I generate that it writes out a wave file. If I try and play that wave file you shouldn't really be able to hear anything unless you've got really good hearing or you're uh younger than I am. Some of you might be able to hear it. Um but if I view that in a spectrogram you can recover uh the original image. Now that the um there are tools out there already that will let you do this. So coagular, spectrology that kind of thing. Uh what spectrogram also does is it lets you merge your secret file with a legitimate audio file. So um in case you have got your kind of younger people working your environment they're able to hear that. Um so I've got a normal uh wave file here. So it just plays kind of ordinary music. And I can merge my secret file with that. And that writes me out a new wave file. If I play that um you just hear the ordinary music. You can open that merge file and still recover uh the original image. Okay so in terms of mitigation for this kind of stuff for jumping air gaps in general. Uh you're looking at things like tempest standards. Um removing or disabling ambient light sensors if they're not required or covering them up. Um privacy filters for laptops do a really good job of muting uh screen brightness changes. Um and in terms of the ultrasonic stuff um you could look at things like white noise or ultrasonic detectors. Um but ultimately uh if you've got any kind of input and output to a system that's not necessary or not integral to the operation of that particular piece of equipment uh you're probably better off just disabling it. So part two uh surveillance and counter surveillance. Um so the first thing is a laser microphone. Um just a quick hands up who's heard of a laser microphone before. Okay quite a few people um so uh for those of you who haven't I'll just quickly explain what it does. So imagine that you're doing uh surveillance on a group of people across the street from you and those people are behind a window. Um let's say the the glass is soundproofed so you can't hear anything. Um let's say they've closed the curtains so you can't video them and do lip reading and assume you don't have any bugs or anything in the room. What you can do is use a laser microphone. So you sign a laser at the window and you capture the reflected beam with a photodiode or a photosensor. So what's happening is as those people in that room are talking the air is vibrating it makes the glass in the window vibrate which makes your reflected laser beam shift slightly and as that moves across the surface of your photodiode it will cause shifts in voltage which can then be converted back into sound. Uh so on the right here I've got a really cheap laser module um that's hooked up to a 9 volt battery and on the left I have a photodiode um this is actually adapted from a circuit that did something else. Um the output goes to a 3.5 millimeter audio jack. So uh to demonstrate this so I have the laser I've got the listener hooked up to a speaker. Uh the laser is firing at a phone that's playing music very very quietly taped to the back of the speaker is a bit of reflective material and at the moment there's a bit of obstruction between the reflected laser beam and the listener if I remove that. So um so that's obviously like a really cheap really simple model and uh that only costs like 25 pounds the whole kind of setup. Um if you obviously had a bit more budget you could use like interferometry um you could experiment with using infrared lasers to make it more covert um cause nothing says I'm using a laser microphone like shining a really highly visible laser um you could kind of filter interference use a shroud that kind of stuff as well. Okay um so moving on to sniffing analyzing cloning infrared so um I imagine a lot of people here will have done um or will have experimented with like clone and replay attacks using uh an SDR with RF signals and infrared is very similar um so with infrared signals assuming that like fixed codes they um will use things like bi-phase mark encoding, Manchester encoding that kind of thing as well uh they use a carrier wave um normally 38 gigahertz but it can be other frequencies as well. So we need a way to listen to the signal uh then a way to analyze it and then a way to replay it uh and if you guys are interested in infrared there's a really great talk um from Defcoin in 2005 by Major Malfunction who found a way to compromise hotel payment systems by messing around with infrared uh TV remotes and hotel rooms. So the first thing you could do is just use an RTL SDR so these things still have an infrared sensor in them um you can actually use the sniff infrared signals um it just returns you like the raw pulse data so it's completely undercoded um but you could do that. You could use a dedicated infrared receiver component um and an Arduino and then use uh the IR Lib Library and the nice thing about this library is if it's one of um kind of eight or nine popular consumer protocols it will actually tell you what protocol it is and decode it for you. So in this case this is the standby signal for my uh TV remote so it tells me it's using the NEC protocol and it then tells me what the value of um that code is and then you could also use the listener uh for that laser microphone um so that will do it as well and then you can expect the the inspect the signal visually which is quite nice. In terms of replaying it if it's a known protocol at NEC or something like that you can just play it back um so in this case I've used the IR remote library and you can just play it back with a normal consumer protocol uh like RF however if it's unknown um then you have to replay the raw array um that you've managed to sniff. So applying this practically um to uh motion detectors so the first thing I'm going to talk about is a passive infrared motion detector. So these have a passive infrared sensor on them that respond to changes in infrared radiation i.e. uh body heat. So there was a talk um Black Hat 2013 USA by uh Porter and Smith where they talked about different methods to defeat physical security and they mentioned passive infrared sensors and you can do things like move really slowly so that changes in body heat aren't registered by the sensor. You can um coat yourself in a reflective material the most practical approach but um it works um or you can like overwhelm the sensor with heat so with like a flame um so I think in their talk they used a lighter to do it. So here's an example of a passive infrared motion detector um so the gray sphere on it that's the actual sensor itself uh the red window to the top that's actually a receiver for that remote control. So the remote control was used to arm or disarm the main unit um quite why they've used infrared to do that I don't know um as opposed to RF um and then on the right is a circuit board that I can use to do a simple clone and replay attack uh and just clone the disarm signal uh from that remote. So it's now armed I'll just test it works and then I can use my evil device to just clone the disarm signal and that's now disarm so there's nothing kind of particularly innovative or interesting about that it's just a normal clone and replay attack. I suppose the one thing that is interesting is it's infrared um but there's two big flaws in this approach and the first is how do you get the disarm signal in the first place assuming it's you know because it's infrared you have to be quite close to it um so you're stuck with having to like um have a device in the vicinity or steal a remote somehow and capture the signal and the second problem is how do you get close enough to disarm it once you've got the disarm signal um without setting off the main unit. So I bought nine of these um manufactured by the same manufacturer but sold under different brand names um and I captured the signals from the remotes and here are the signals from the first six. Okay so straight out of the box um regardless of what main unit the remote was first used with it will arm and disarm any main unit. So here's all nine so I just pick a remote up then pick another one up and I can disarm all of them. So I'm almost like embarrassed to present that at Defcon um now so that's the first problem taken care of how do we get the disarm signal the second problem how do we get close enough to the main unit to disarm it without setting off here's the first solution um so this is a drone to clone to PON this is um the disarming circuit powered by the drone's internal USB port the reason you can use a drone is because the lithium battery and it doesn't get hot enough to set off um a motion detector until it's been in the air for about 45 seconds so here's the alarm in the foreground you can see I've dressed up for this video so if I arm this and then try and walk up to it it detects me so you'll shortly see that my drone piloting skills are about on a par with my fashion sense okay so I'm gonna fly the drone over and it won't set it off but it will disarm it okay second solution phone to clone to PON so um this is using an Adafruit GSM breakout board um this is heavily based on uh sammy camcars ding don ditch or digital ding don ditch if you've seen that um some slight modifications so obviously uses infrared rather than RF um it also doesn't use interrupts it just use a time loop and it deletes text messages of the SIM card once they've been read so the idea is you would hide this or pay someone to hide this near an alarm during the day when it's deactivated then after hours when the system is armed you can just send a text to a number containing a certain string and it will then disarm it okay so as usual the first thing I'll do is arm the main unit and then just test it okay and I'll just look quickly at the Arduino sketch which is just checking for new messages every five seconds on that SIM card so I'm now going to send a text to the number that's on that SIM card and in this case the string that the sketch is looking for is new phone who dis and then just looking at the sketch just to make sure so it reads the text message sends a signal and then deletes the message from SIM card now you could combine both those together and do phone a drone to clone to phone um but that would just be absurd so I haven't done that okay uh the next kind of motion detector is this so this is an active infrared motion detector so the idea here is you have two components of transmitter and receiver and the transmitter is constantly sending a pulse of infrared signals to the receiver and if the beam is broken the alarm sounds and if you continually move the transmitter away until you clone the signal from the transmitter and just put it right next to the receiver okay uh so in terms of mitigation for these kind of attacks so for laser microphones um you can get devices that vibrate the glass on windows and to try and disrupt laser mics I'm not sure how effective they are but things like wire screens and coverings on windows um as you've seen with the infrared torchlight I use you can detect infrared light if you're using an unfiltered camera so you could use that to detect infrared lasers um double glazing or curved glass can cause issues with laser mics um as can other environmental conditions like uh rain and snow and that kind of thing um in terms of alarms ideally you want to try and disarm with physical keypads not that that's perfect but it's better than remotes because the signals can be sniffed and if you do have to use remotes you want to go for ones that use like tried and tested encrypted rolling code algorithms and that are paired uniquely to a device you wouldn't think you'd have to say that explicitly um but yeah okay so our last part is bands um so the first thing I want to show you is speech jamming delayed auditory feedback um so this is a technique that's been around since the 50s it's actually um originally used to help people who stutter um the idea is you introduce a latency between someone speaking and them hearing themselves speak and when used with people who stutter enables them to speak more clearly if you use it on people who don't have a stutter it dramatically inhibits their capability to speak and it causes like mental stress so there were some um researchers in 2012 who came up with like a hardware version um I built a software version called double speak and I tested it out on some colleagues because I didn't want to look stupid myself so so what these guys are doing is they're reading a paragraph from a website about delayed auditory feedback uh while my tool is running on that laptop and they're wearing a pair of headphones delayed auditory feedback also called delayed sight tone is a type of auditory feedback that consists of extending the time between speech and auditory perception delayed auditory feedback also called delayed side tone is the type of all the would observe your feedback they consist of extending the time between the speech and the auditory perception Delayed auditory feedback, also called delayed side turn, is a type of altered auditory feedback that consists of extending the time between speech and auditory perception. And here's the voice in headphones a fraction of a second later. Some DF devices are hardware, DF computer software is also available. Most delays produce a noticeable effect of between 50 to 200 milliseconds. Daff usage with 175 millisecond delay has been shown to induce mental stress. Joy, this is stressful. So on the face of it that doesn't seem to have much practical application to security. One way that we came up with that you might be able to use it is say you're on a network and your goal is to kind of sow disruption and discord but in a very subtle way. You could find out when a very important conference call is taking place and use this and kind of affect the decision outcome of that conference call without kind of having to do anything and to blatant. Okay, next thing, demotivating malware analysts. So this is inspired by Christopher Domas who's speaking tomorrow I think. And he came up with this awesome thing in 2015 which was he created fully functioning malware which when looked at in a disassembler in a flow graph represents an image under his control. So he can basically choose the image that a malware analyst has to stare at all day long, which is awesome. So I used my spectrogram tool to come up with something similar albeit a lot cruder. So let's say you've got malware and when you run it it plays really weird music like this. So the first thing you do is disassemble it in this case it's .NET so it's very easy and you look at what's causing that sound. So in this case it's a wave file that you can then extract from the main binary and you're playing that wave file and trying to think what is this? Is it some kind of encrypted communication? Is it trying to exploit something? What is it? And you would spend ages and ages looking at it until eventually it occurs to you to look at it as a spectrogram and then you see something like that. Okay, do we have any Gilmore Girls fans in the room? Okay, so to give you a bit of background on this my wife is a huge Gilmore Girls fan. She watched it all when it first came out. They streamed it like two years ago and she's watched since then she's watched like season one to season eight. I've lost count and in that time I've gone from kind of passive indifference and thinking you know this is okay but I can't really see the appeal. It's a kind of active loathing of this program. So I came up with Kilmore Gilmore which I think on reflection is probably the best thing I've ever done. So Kilmore Gilmore is it comes at its two parts. It's a Python script and an Arduino device. Now the Python script uses an open source music recognition library called Deja Vu which is on GitHub. Again, the link will be at the end of the talk. And what Deja Vu does is it lets you write MP3 files to a database and it fingerprints them. I believe using a fast Fiora transform and it then compares audio coming into the microphone to what's in the database. So my Python script here is comparing audio coming into the microphone to the database. And if it gets a match for the Gilmore Gilmore's theme tune it sends a serial byte, it sends a byte sorry over the serial port to the connected Arduino device which clones the power off signal for my TV. So I have a video of this unfortunately because of possible copyright issues I've had to mute it but after the talk if you look at my Twitter feed I'll upload it somewhere with a full audio so you can see it. Okay so this is like the pre-credit sequence so there's no music here. So what the script is going to do is just listen to 10 seconds and it will conclude that the Gilmore girl isn't playing at the moment. Okay and then the theme tune starts. Okay and the last thing I want to show you is this. So this is Astro Drone so this is using echolocation jamming against ultrasonic altimeters in drones. So I've demonstrated it with a parrot just because I had one handy. It's not picking on parrots specifically other drones with ultrasonic altimeters will be vulnerable to this as well. So the idea with an ultrasonic sensor is it uses echolocation right so you have a transmitter that sends out ultrasonic pulses at a particular frequency they hit an obstacle get reflected back to the receiver and based on the width of the pulse that comes back the navigation board can infer how far away is from the obstacle. So when you do this with drones with ultrasonic altimeters because it's used on the bottom of the drone to figure out how close is to the ground eight times out 10 it launches it upwards at quite a frightening pace. Two times out 10 it tries to sink through the floor because you're making the drone think it's either at maximum or minimum altitude. So there's a talk last year at DEF CON by Lou and others against about ultrasonic attacks against autonomous cars against Teslas. So this is a similar technique albeit a lot cruder. So first thing I used was this. So this is an animal repellent alarm so you put this in your garden the idea is you have a passive infrared sensor when it goes high it sends out an ultrasonic tone to scare away dogs and cats and that kind of stuff when you fly a drone over it. So you notice that the drone became like completely unresponsive to commands and just refused to land and in that case you end up with a broken drone. So that was kind of the first part of this and then I thought well let's try and expand that so rather than having the drone fly directly overhead can we come up with something that detects drones in multiple directions and sends out a more powerful signal. So that's a colander because I ran out of money and you have four passive infrared sensors. There's two Arduino UNOS underneath and 18 ultrasonic transducers connected to it. So infrared is one option and then I also used acoustic signatures with the deja vu library again so record the sound of a drone flying and then compare the microphone to it and that works just as well just don't have time to show it but let me show you this one. So we are doing further research on that at the moment and trying to test it against different drones different kind of environmental conditions different kinds of echolocation jamming that kind of thing. So you could use this essentially as like a drone repellent if you wanted to you could use it as a personal drone repellent as well. Okay so I think I have about five minutes left so I'm just going to do a really quick summary if I don't have time for questions then I'll take them in a hall afterwards or you can tweet me or email me or whatever. So this is an overview of the research that I've done on light and sound and you can interpret this in two ways you can either look at it and think yes he had a really careful and comprehensive research plan or it's something he cobbled together this morning to give his talk the illusion of structure. Even one of those is good with me but they all kind of do fit into each other so as an attacker using light and sound for attacks pros are they're great for any environment that uses physical security devices particularly infrared stuff any environment where there's air gap systems they're really difficult to detect and to defend against and they live very little trace and you can as you've seen do this stuff on the cheap a lot of the time kind of at home and test it out. Cons are you need proximity to the systems you're attacking obviously subject to environmental interference particularly things like laser microphones and the range and power of your solutions are very much going to depend on the resources that are available to you. So in terms of mitigation definitely the first step is knowing that these techniques exist and that they're out there and the inputs and outputs could be manipulated so ideally if it's possible or feasible you look to block those inputs outputs completely if you can't you'd have like a reliable failover and lastly yeah chrono replay attacks and you know jamming that kind of thing are as much applicable to light and sound as they are to any other kind of technology. So ideas for future research exfiltration via infrared is something I've wanted to explore acoustic key logging which has been empirically proven to work but I've yet to see like an automated practical solution for it more work on li-fi and then some more work on drone repentance as well. So hopefully in terms of how you feel about this talk you're more on the left than on the right. So just to wrap up the music credits that are used in this presentation are royalty free or creative commons so thanks very much to those people for putting that music out there references I'll let you guys go through as in your own time. So yeah so that's my email address and my sorry that's my email address my Twitter handle so please do get in touch if you have any suggestions comments feedback generally criticisms anything like that if I've got anything wrong during the talk of this presentation you can just keep that to yourself. Yeah so that's it from me thank you very much