 Ich muss ja sagen aus persönlicher Erfahrung, dass der Kongress für mich gerade deswegen so schön ist, weil er so traumhaft familienfreundlich ist. Wir sind diesmal wieder mit zwei Kindern da und da ist natürlich das Kidspace absolut gold wert. Aber, und das glaubt man gar nicht, dieses Ding hier, das Decktelefon, das macht diesen Kongress auch für mich extrem kinderfreundlich, weil wir eben schon vor vielen Jahren unseren Sohn mit so einem Decktelefon einfach laufen lassen konnten. Okay, so der Speaker ist telling an Anecdote, about how he's giving his kids a Decktelefon from this conference's phone system, that enables the son to walk around on its own, because he can always call his parents. And I'm just a user of the system, but the people that are on stage now will tell us what is possible with this technology. We are greeting civilian and ST, which are parts of the event phone system. And LaForge as a guest hacker will show you this talk that is called hashtag me fail or with Giga set this wouldn't have happened or the subtitle is decked is correct. This talk will be translated by the C3 lingo team. You can leave feedback for the translation on Twitter at C3 lingo. Well, thank you, we are very surprised. We thought this would be a kind of niche translation. We thought this would be like 20 people. Now it's more like 40. Actually, it's probably a couple of hundred. Yeah, so we, the presentation is kind of done. So what will we do? We have to hurry up because it's actually a lot. We'll talk a little bit about the POC. We will talk about the technologies that we are using. And that's why we will show you the hardware live on stage and how it works. So the next thing will be the problem we're having, the security variation that we found. And LaForge will describe that in detail. And we will tell you about how the manufacturer handled it and what we built with it. And how we use the security variability for more features and can do more for our users, in fact. Then we will continue with metadata and how we actually gained that. And then we will show you live on stage how to get unwilling devices to become willing. And then we will show you some plans for the future. So, let's start. What even is the POC and the event phone? So what does the internet say about this? The internet says the phone operation center is an integrated hard and software project, which enables to use phone systems on big events in a big area. That's how Wikipedia puts it. And in fact, that is the case. And we also think it's nice that event phone is a relevant operator of wireless communication for big events. This, of course, makes us very happy. And now we will continue to our one-pager. What are we actually doing? We provide infrastructure for wireless phones. Who of you in the hall has a decked phone? It's probably about half. And then we operate phones for rent for organization and infrastructure teams. We provide them earlier. We ensure that they will work and make them operable. And we also disinfect them, of course. Then we have SIP and premium SIP that we operate. Premium SIP actually does have different functions. For example, the cert, the emergency services here on the congress have more rights and more is more stable connection. Then we operate the EPVPN, which is a phone system that also works outside of the events that we integrate with the events. Then the calling and token handling, which is the connection of phones to the system. Then the guru, which is the generic user registration utility, the web portal where one can register numbers and connect devices, which is also operated by us and is also the link to the GSM team, whose numbers we operate as well. Then the dial in and dial out, which is the connection to the outside phone system. We also offer special services, which is the connection to the chaos operation. There are some games, the time and the automatic reception for noise complaints. Also, we have a new section, which is the education about media competence, which is where we show all of you how to look at everything critically and don't take everything for granted. And for the truth, what you see on the internet and here. Und und und this talk also Eventphone turned 18, which is the age that is required in Germany for doing all kinds of legal things. And I have to say something about this. There is one person that actually is doing this since 18 years and has participated in on every event. Not just the Congress is also every summer who always was there. Wenn er nicht krank war, war er immer engagiert in dem Phonesystem, und das ist Sacha, und wir wollen einen besonderen Dank für die 18 Jahre des Phones für dich sagen. So, okay, das ist es, um es kurz zu sagen, wir sind immer reachbar, auch in der Bedrohung. Wenn ihr das nicht kennt, könnt ihr es sehen unter dem QR-Code. So, was ist das Talk not about? At the 35th C3, we talked a lot about how Eventphone came to be, and how it actually works, and some stories. That's not what we will talk about at the Easter Hag. We explained the new Phonesystem in detail, and why we switched from the old Alcatel system to the new Meteor system. What was part of that, that's also not what this is about. You can see those on the Internet. Today we are only talking about this red line, the connection between the Open Mobility Manager, the OMM, and the RFPs, the radio fixed parts, which is the antennas basically. Then the tech boys will use a lot of abbreviation, and to explain those quickly, OMM, as we saw in the earlier slide, is the Open Mobility Manager, that's the piece of software from METAL, then RFP, that's the radio fixed parts, the antenna base stations, then the PP, which is the portable, that's a decked lingo, it's everything that's mobile, everything that can move the PP's is portable parts, which is normal decked entities, but also for example the small headsets. Okay, now you know what I mean with those. Then the one abbreviation is the E-Pie, you probably know a little bit more about networks, the international portable equipment identifier, you can imagine it's kind of similar to a Mac address, for the example you can see a part of it is written in cursive, and that's the manufacturer part, just like in the Mac address, it's hard coded, you can see what manufacturer produce the device, and then there's just a counter after that. Also similar to a network is the E-Pie UI, which is the international portable user identity, which is kind of similar to an IP address, it's assigned by a system, by the system that operates the phones at the moment, for example the DHCP server on the knock, is the one that hands those out. And then there's the European Telecommunications Standards Institute, the ETSI, which basically creates the standards for Europe, and especially decked. The E-Pie UI as an example has different formats, it doesn't have to look like this exact example, it's not as normed as it is for the IP system. And now let's have a look at SIP decked on MITO. So civilian will talk about that, and he'll watch it by the camera, alright. How to is the title, so we've been asked a lot how we're doing it, can I help with that at all? So what do I need to do for it at all? Naturally you'll need an antenna radio fixed pad, there are different generations of that. We're recommending Generation 3 Plus, they're easy to identify, because for example they have ventilation on the back, and there's also a USB connector. So if you want to buy something like that and don't know unsure about it, we're recommending Generation 3 Plus. You can get them at the manufacturer, for example, but you're able to get them used as well, it's about 100 Euros. Additionally, you'll need a license, that's not an open source software by MITO, it's a commercial product with a special thing about it. So for small decked installations, you don't need a license, but you're limited to five licenses, to five antennas. If you want a call, not just between decked devices, but also to a SIP, or with a dial out, you also need a SIP server. We also recommend YATE, which we use ourselves. In the slides we also have the cookbook by YATE, you can also find it using the QR Code. That's a little how-to, if you have no experience at all about it, and using that you can install yourself pretty easily. There are two possibilities of using the ... you can either run it on the antenna using Linux, but we never tried that, so we don't have any experience about that. Alternatively, you can use anything running sensory. For example ... For example, the one that we run here at the Congress, there is a little server in the knock that has a VM on it, we sent to us. So if you have the antenna running, then the first one is connected to the other ones via IP, and the other ones then need the connection to the YATE. The downside to this setup is you can at most run 512 end devices on this setup, and if you look at the dashboards, you can see that we are vast beyond that, so there is a hard limit on top, so you need to extend it a little bit. If you do it standalone, then you have a lot more radio antennas, so you can have a lot more end devices. This supports up to 5,000 devices, so we already mentioned it a few times, and the question is how do you get it? The official answer of Mitle is that if you get a device, then you get the relevant credentials and you can download it in the portal and just download it. So if you get the antenna from the second hand market, then you obviously don't get the credentials and you don't have the download links, but the release notes are public for the most part, and if you have the right search terminologies, then you can find them easily. So this is why we put them on the slide. You can just use these and you can get the credentials. So the question is, what do you do with it now? And what hackers do is they just look at things in depth and go deeper than the others, and this is what my colleague is going to tell you about, firmware analysis. So for me it's normal to look at firmware, because, yeah, it's kind of obvious for me. Every device I get my hands on, I'm just going to look at. I want to understand how it works. I want to understand what makes it tick. I want to know what it's built off. For me it's natural to do this. So, I just had an antenna and wanted to look at it, and it was 10 years in the past that I for the last looked at this decked. We had a tool that was called detective. We found a vulnerability in it back then, but that was the last time I looked at it. End decked, which is a pun on discovered, but also decked. And there is a specification for this, and I've been doing specifications for the last 10 years, so they're all rather interesting. It's a bit of a matter of taste, but for me it's very interesting. And decked is still very common, so there's also decked ULE for IoT devices, and I heard that since last year, or maybe a little longer, the Pock is very interested in running a new system, the Mitel system. And last year in November I had to move, and the December Congress was too annoying to take your heart or too much effort, so I sat at home for a while, and I looked at those specifications for a while, and if you look at it, you first start with the hardware in the generation 3, and I looked at the board, what kind of pieces are on it, and you can find an ARM system on chip, and if you look at the firmware, then you can see that it's basically a mainline in the next kernel, and it has two Ethernet ports, so if you can't find it, it's usually very often you can find it in network attached devices, like Shiba Plug, it has two of these Ethernet ports in this configuration, one is the one that talks to the ARM, the one that is being led outside, it has a port on the outside, and there's a second Ethernet port, and my question was, if it's inside what is the point of it, and the point is that they actually attach the deck processor over the Ethernet port, so they actually have two of them, one to the outside, one to the deck port. So, it's a Linux, and it has a password that you can use for the root user, and during the configuration it's being set, and you can actually look at it, because it's being set by the ARM, so it's easy to get access to it, you can log in and then have a look around, so you can see the schema on the bottom, it also has a UART here, there's also GPIO and so on, so now if you look at the user space software, that looks interesting enough, it's basically really a very clean Mainline kernel with very few patches, so in the essence there's nothing really deck-specific in the kernel, it's really normal, no extra drivers, there's only just one program that's called IPRFP, that creates the Ethernet connection to the deck processor, and the whole processing of the deck is being done on the processor. So, there's ... it's a very Mainline, very standard vanilla kernel, and there's not a lot you can see from there. So, interesting, however, is ... you can find some other things, which may be interesting, for example, there's a video for Linux in the kernel, and I was wondering what's the point of that in a deck-basis station, is there a configuration option I haven't found yet, but it's actually what's true is you can attach a video camera to the USB, and if you have a phone that actually is video-capable, you can actually view the video that you see there, very interesting function, and then you find, oh wow, there's also Bluetooth, so you can probably also create Bluetooth-Pictures, so maybe to do location services in a museum or something. Very strange, but it makes sense in the end. Yeah, there's actually use cases for these kind of things. So, you also find binary images for the firmware of this deck processor, for example, a bootloader, which is actually connected to this serial interface between the processor and the out. The firmware is installed automatically via Ethernet, it can install the actual firmware. There's a Macmoni.bin, which is a Macmonitor. I'm not quite sure what it actually does. I didn't look into it further, so once you look at it, you have this Ethernet-Device, but what do you need with it? You'll take a look at the decode file. Interestingly, there are just raw Ethernet-Frames. There are different subsystems for the Ethernet-Types, differentiates between which system is actually speaking right now. You take a look at it with everything you know about decked, so you're trying one thing or the other with a telephone that's attached to it, and you try to understand it. Then I was using a minimalistic Wireshark thing to check the protocol, and from a specific point, where you can find the decked standardised packets. But there's no Wireshark-Desactor for that either, so I started something about it, but it's just very minimal just to confirm my results when I was doing it. And then you're getting ahead and you don't find any Wireshark-Desectors either. So you can see the split of functions on the decked protocol stack. I won't go into detail, but whoever is interested into that further, I had a technical presentation about it at the DOSMO, and you can also find it at media.ccc.de. And this is the split in the ARM. There's the DRC-Layer and the NWK-Layer, and what's above that. And the interface between DRC and MAC-Layer, there's the protocol you can see with these raw Ethernet-Frames. So now I have a general idea of what happens. So, I'm further looking into the IP-Protocol. You can see there's a TCP-Connection that's been created. It looks very random, so there's a big Entropy, so it needs to be encrypted in a way. In the RFP and ARM, we can create a lot of Loggings, so we can take a look at the Hackdumps, but it is in no relation to it, it's still encrypted. If you take a look at the Symbol-Table, you see Blowfish. There's some Blowfish-Functions from US OpenSSL. And this is linked with LDP-Load. You can link other libraries. So, there are two of them. There's one LibTracefish, which outputs Hypertext and Printtext. Plaintext und Syphatext. So, you can get the plaintext on the other side to correlate the encrypted with the plaintext. So, many of the raw Ethernet-Frames that you can see are just one-to-one passed. They are getting encapsulated on the TCP-Protocol, but that's mostly it. We'll talk about that more later. Some other people looked at that a little closer. What's important about this is that we can disable this encryption, but this Detachbar that is known from something else, he looked at the encryption a little more with Blowfish and saw that it's pretty clear that there's one CLEE that is globally statically distributed for all devices. And that's, of course, bad, because when one has one identical global key that can maybe be extracted from that firmware, that would mean that one can decrypt the communication from all the other devices, which brings us to this de-decked protocol. So, as LaForge said, it's just one static key that is used for all instances, which is kind of critical, because if somebody is capable of carrying out a man-in-the-middle attack, he can read and potentially manipulate all of the data passing in-between. And then we thought about how could one get to this man-in-the-middle position. So we have a photo here, there's a red circle there, for those of you who can't see. And then we zoomed a little closer. This antenna is hanging fairly low. So sometimes they're way higher, for example in hardware stores. Then you might even need a ladder. But these four black points there, those are just philishead screws. And then when you screw them open, there's somehow a lot of space in there and a RJ45 plug. Something might be possible there. So, when one doesn't have the motivation to Google about it, there are also devices that are used indoors, for example in hotels. They're hanging from the ceiling in hotels. The problem there is, this photo is from a hotel near Paris, so this is not a problem, only existing in Germany. A lot of these bases have a very wide installation base. They are used in many, many kinds of ways, in domiciles, in events, in hotels and lots of spaces. So this led us to the thought that we can't leave this standing that way. If we can hack this, other people can too. And so we learned that of course we do responsible disclosure, we tell the manufacturer and give them the possibility to solve this. We even got a CVE number for this. So how did the manufacturer respond? We have to make this transparent, a short timeline. First contact tries were in the beginning of October. We called the MITRE support because we only found an e-mail address on the website. That looked kind of generic. So we dialed ourselves through the telephone menu. We got a walker there and told them that we wanted to talk about the security on ZipTech. And then they said, ZipTech, I don't know, I know what that is, but I don't know anything about security. So as an alternative, we contacted a MITRE partner that we have a good contact to. And we told them that the KS Communication Club should tell them before they hold a talk about this. And then we got an e-mail from the communication manager for wireless. And we had a long talk with them. And then this meeting happened a week before this. And we presented to them with the things that we have on this table. That there is a security problem and where it is in our views. And we talked about how to maybe solve this. We explained to them very complicated what Eventphone is. And waited. And a month later we asked again. And then we got the confirmation that yes, they have a solution that they are testing in the lab. And there will be an update for Congress. So you won't be affected. And then one day later we met them at their office and talked about their solution. And the solution was you get a custom firmware that has a different static key. So, of course, we didn't like that. So we thought about it a little. We explained our own solution idea. And we got a yes. And they said, yeah, okay, you'll get a proper update, but only in 2021. And so we said, okay, so that won't solve our problem, but it might be okay. And then on the 20th of December, they said it will be before the Congress. The incident response team from Canada apparently looked into this. And apparently the problem is bigger than expected. So since two days, the update is available. It's available on the download center of Mitel after you enter the credentials for that. There is also a security advisory on the website. And we explained to the manufacturer that we want to give them the possibility to explain things from their view. So we have two slides from Mitel. Wait, did I turn this off? Wait, there's a hack. Use the keyboard. Okay, so from the view of Mitel, the problem only exists when you have a manager middle position that you can gain, which is apparently hard in company networks. And then here again, an update is available, which can be downloaded. And there is a download link there, which, and then there's another link for the security advisory for those of you that don't understand English. Here it is again in German. And if you have any questions, you should contact Mitel and their technical support. So another thing we have to say in sub 90 days from reporting to a bug fix is for such a big company, actually not that bad. We have seen worse things. So in the beginning, ST already talked about RFP proxy. So what is that? That's a transparent two-way encryption machine in the Mitel proxy. So if you're doing it, then do it correctly. It can decrypt and encrypt several types of communication. It takes care of reking in these protocols, exchanging the blowfish keys often. It's able to manipulate selective messages. You can inject messages. You can remove messages and to guarantee the stability. There are several types of processing, for example, at our event. So to take a look at it, that's the way it looks normally. You have an antenna, which has a TCP on port 12,621. In our installation, we also have an RFP proxy on a different port in our installation. So there's a rule for it, which makes it a transparent proxy in between. So if needed, it can get the communication out through a socket. So, for example, you can attach Motorola, a logging tool, which can write in PCAP, which we'll talk about later. You can also do audio, you can process audio with it or control LEDs with it. So to make things clear, these antennas are stupid. Several deck-specific processing of non-deck-specific processing is running in on. And these antennas are so stupid, in fact, that they don't even know how to turn on their own LEDs. So when you're using this proxy, you still have the problem that there's not just the specific specified deck-centered, but also manufacturer proprietary protocols, for example for LEDs. There's been a lot of reverse engineering efforts and you need a lot of data for that. So, how did we get that data? My colleague Zuckerberg, and I always like to say, so where do you get data from, unless you steal from the users? We took an honest approach. So if we just go to any event and get some data, we might be in danger. So we just did that transparently. Who of you has been on the ESAC? Very few people. So I'll just explain that quickly. We wrote a blog post that we want to use metadata. We want to log all data with all data about all the devices who are communicating, accept the language. If you wanted to use the guru, you needed to confirm that every time. It was not very pleasant, but we wanted everybody to notice. And we really expected a shitstorm for it, for us logging everything with it, so that anyone would say, don't do it. And before we wrote down everything very specifically, we also noted the intent that we wanted to note the data, find mistakes and irregularities, since we didn't know at all what we're looking for. So we just graded a big amount of data to look through it. Using this tactic, it actually worked. So with a SIP, you could create a station with falling from SIP to SIP, which didn't use any metadata off. So all the data we collected extra. We secured them and encrypted them on a secured file system. So very few people had access to it from Pog. It was recommended very precisely. We wanted to do it in a way, which we would expect if somebody's handling our data. So in the end, we thought about how do we get rid of it. And our big maximum was maximum transparency. So maybe somebody saw an event. We also had a video about it, but we don't have. We're not able to show it sadly. So there's a screenshot and a QR code, if you want to watch it. There's the principle for eyes. I'm an actual. I made sure that the developers deleted the data responsibly. And we thought about what we could do about it. And in the end, we wanted to throw it all away. And right now we can't even say how much data it was anymore. And I believe we handled it responsibly. And I wanted to still bank all of the users at EasterHack. And it helped us a lot. It was really informative. And we could actually create new features. And because we were able to analyze them against that test data. And the first new feature, my colleague is going to show now. I already mentioned that these software can control their own LEDs. There's four LEDs that are attached to the base stations that can be turned off and on according to different passwords. And it's being controlled by the OMAM. And what we realize is that if you make one of them a blank red and green, then the third LED, then if you let it blink red and green, then it doesn't just do that. But the fourth one also starts blinking. So there's also functionality that is being controlled via the LED. The fourth LED is usually used for the wireless. But this is not allowed for us to use because that's the domain of the knock. And why is it blinking? Because in the setup decked was a tool that uses Morse code, but we don't use it anymore. Ja, ihr könnt ja mal schauen irgendwo. Yeah, you can have a look. There's probably a few other blinking LEDs. The only problem is that you can only blink with one hertz. So you need to have a bit of time. Do you want to switch back to the slides, please? Genau. Okay, the second interesting feature is the media tone. If you listen to the headset and there's this sound that you hear, this is generated within the antenna. There's a specific message dedicated for that, that he says what frequency to use in which order it is being used. It has up until 256 entries. It can do four frequencies at once. It can do loops. So we were wondering why would we use the boring sounds. So there's a MIDI converter that you can use to generate these dial tones. And it has loop detection and we want to now demonstrate that. This is not mine. This is mine. Please dial 45. Lieber Mann, vom Audio kannst du mich mal muten, bitte. Okay, please mute me now. Ah, ist klingelt. Ah, it's ringing. Hört ihr das? Can you hear this? Sehr schön. Very nice. Habest du wohl zu weit weg? Okay, you're too far. Ja, die Reichweite ist ein bisschen begrenzt. Ja, the radius or the distance you can use is limited. Please start Tetris. This is a normal telephone connection as you can hear. And I'm going to type Tetris now. Is this missing a tone? Okay, so it's not working right now. Ja, ihr habt das Telefon von ST gerade schon gesehen. Okay, now you just saw the phone from ST. It's a nice Motorola S120X or 1200. And the X is up to the number of phones, headsets in the box. Why this one? Because it's the cheapest one that you can find when you search for decked. It has colors, which is nice. You can have it in Turquoise, in Pink, in other colors. It's important that it has Gap-Compatible. You can get that. This is a feature you can not just attain by writing it on the box. You actually have to implement it. This is, there are a lot of people over the last events that just got that device that we got and they couldn't register it. So this is why we were interested in. We don't have a lot of time, so we still tried it and we could use the proxy to get the traffic from this and we tried to debug the connection request. So when you attach it to the base station, then it sends a message and it gets assigned its identity. That this one ends in DF and when it's trying to ring, then it sends its own identity. It sends the EPUI and it doesn't end in DF. The answer to that is the reject and it gets the reason for it. So in the Etsy-Standard or in the Gap-Standard, it's defined that this is the way the handshake has to work and it refers to the DAG-Standard. There is an access-rise-accept standard message and it has to save it. It probably does it, but it doesn't send it again, we assume. It says that the EPUI is up to 60 bits long, so this is what we saw as an EPUI and it has a 60-bit portable Usernunder. We color-coded it here so you can see it. So the last two bits are the ones that got lost and some of these are special because they're using the EPUI. They use the serial number for the device. And this is still you. And the EPUI has a length of 36 bits. This is defined. And if you look at it now, there are four bits or rather these two zeros that are not being used, at least not at the sub-DAG-Device. And so this was our way of making it compatible to the base station. We basically moved the relevant data to the one byte up. And if it connects, then we move it back and then the Aum is happy. And that's why this year even these phones work on our station. So at the event we realized that... The other way around, sorry. We made sure that it... We wanted to make sure that it only affects these devices, so we moved it back around. So we basically whitelisted for every single device that is affected to make sure that we don't break it for other devices. We also informed the manufacturer, of course. So in September we send it to them via Twitter. They send it to China. And then we asked them again. We heard nothing. Maybe something will happen, we don't know. So at the event we had to realize that this is not the only one that is affected by this problem. So we amended the list of manufacturer prefixes. So that, for example, the Velocomphone has to work, that the Siemens device is working. There's about 20 devices or manufacturers that we know of now, where it doesn't work. Audiovisual marketing. So with marketing we don't really have a thing. But maybe they are good with their phones. AVM. So, last year we had the same problem with AVM phones. The Fritz phones, which is why we always did not recommend them. That they could never show who was calling. They always only showed intern. But ever since we can now not just deliver messages but also read and modify them, we can now actively show who is calling. We also have a positive thing to say about the AVM phones. We also brought Fritzparks. And this Fritzparks can't just do TCP. It can also do D-Trace, the DS4 DECT. And under the given URL we can find this capture interface for all kinds of Fritzparks. And what's interesting about this is that Gigaset phones can actually display the AVM Phonebook. And this does not work on our system yet. But we hope that we can change it at some point. OK. Look into the future. What will we do with this? What are we doing with this? So, people that are interested in DECT in general, people that are interested in the MITER Installation, people that are interested in these kinds of things, we hope we aren't the only ones. And we hope that with these kinds of information you can start getting into it. We hope that the Wireshark Desector will continue to be developed and analyzed more, play with the hardware, play with the software. And there's another thing, right? And, for example, DECT without E. There's another thing. There are EC-Terminals that work with DECT. And our plea for you is that we are still collecting data. And if we also talked about this at Easterheck, we are crowdsourcing. If you know what DECT telephone you have and what model it is and you want to tell us, you can enter it into GURU, which would help us a lot, actually, because we asked the Etsy for the EMC-List, the Equipment Manufacturer Code table. And so the one that was displayed in cursive earlier, which allows us to see what manufacturer makes this device. And the response was that this table is apparently secret. So, it would be great if you entered your model numbers, because then we could actually find out what manufacturer has made the device. This is all that we want to ask of you and thank you. And is there another thing? Yeah, maybe. Oh, yeah, there is another thing about the proxy. It has not been released yet. And we'll tell you why we didn't release it. So, I already explained it in part. We only, on very short notice, got the response that the tool that the update was deployed. We thought it would be irresponsible to release the tool, because it would be very easy to compromise a lot of systems around the world. We do want to release it, and we are talking to the manufacturer, so you can all use it and play with it. But that current plan is that we do that in the first quarter of next year, as soon as the existing installations have the chance to apply the update. Good. This talk was translated by the C3 lingo. You can find us on Twitter at C3 lingo. Please leave feedback for us also under the hashtag C3T. The talk was translated by Moritz, Kaster, and Oscar. And we will next translate the questions and answers coming in. Okay, so, please go to the microphones one, two, and three, and also questions from the internet will be asked. So, you said there was first an update from MITER that was going to do it, and then they said there would be a better solution. So, what's the new solution, and how's the key being generated? Okay, so, the antennas have to be connected to the system at some point, which is called the capture. And so, what we are assuming is that this takes place in a responsible and to be trusted environment, and the keys will be exchanged in there for the coming communications. So, every decked antenna gets its own key now. Okay, a question from the internet. Did the people know from the hardware store know that there would be an outside antenna being modified? That could even be photoshopped. I can't really deny that or say it's true. All right, microphone two, please. Can we use Tetris in our extensions so we could create a me-melody generator by phone? That might actually be difficult because we only have 256 tones, and those only actually work on the 2G antennas. The 3G antennas only can do six tones because they saved on hardware, which is probably not enough. Okay, a question from the internet, maybe. Yes, there's one coming in right now. So, where exactly can you remember, can you notice your telephone device number? Okay, so in the Google system online, the guru3.eventphone.de, if you log in there into your account, you can see a pencil button there, and you can enter it there. There, press the pen, and then you can edit your handset, and then under model you can enter your model number, and the manufacturer, and you can even give it a name, which has the advantage that when you use it the next time, you can just reuse it from right there. You don't have to re-enter the token at the next event, ideally, the phone will just work. Apparently, one of the microphones got turned off. So, after the question from the network came, this is only for people that actually used the event phone and entered their phone there, so then the phone number is connected to the account. If anyone on the Internet that is not on the CCC Congress, they of course can't do this as a further explanation. That's because maybe people are too lazy to come here. Microphone 3, maybe. If I understood correctly, for you stations, there are no downloads, so how are you going to provide updates for that? I can't answer that, we have no idea. So, the contact data is in this advisory. This would of course be told to the people that need it. Okay, Microphone 2. So, you took a look at the communication between the antennas and the EOM. Is anyone trying to replace the EOM through their own antennas? For example, in the Congress. Ja, maybe, it's a question of time and the number of projects, which is of course growing over time. The number of people working on the project is unfortunately not growing. So, yeah, we would like to do that, that would be great. I'd be the first person to scream yes, but of course we would need people to actually get involved there. And this might actually be a good starting point for later open source development and working with DECT. It would be if people would contribute to the Wireshark DECT Dissektor. This is all kind of part of the DECT specification. You would have to read that and maybe understand it anyway, because if you want to work in that open source context. And then you can express that in the Wireshark Dissektor and then we'd have a great baseline to work from. So, yeah, we'd love to have that. Yeah, contributions are what we need. Okay, so I can't see any more questions, maybe on the internet. No, any either. That's it. Thanks for all of the nice discussion from all three of you on stage and everyone from the event forum. Thanks for all of your work. So, for the last time, this talk was translated by the C3 lingo. You can leave feedback for the translation on Twitter at C3lingo.