 Here to tell us all about the subject is Niden El Rubin. You may know him from his various sessions on Trashing Pearl. The Pearl community loves him for that. He also recently co-founded the company Vultra. And with no further ado, I'd like to help you to help me welcome him on to the stage to talk about Smart Cities. Thank you. Thank you. Thank you. Hello, CCC. It's been great to be here. Let me start with a little apology. I'm feeling a bit sick today, so if I start coughing or spontaneously dying, just bear with me, forgive me. Thank you. And today we are going to talk about something that doesn't work for you. We're going to talk about the smart industry. Now, basically, what we'll do today is talk about how the smart revolution is changing all of our lives without us knowing. As a disclaimer, we in Vultra, my company, are developing security solutions for the smart industry. I'm just putting it out there. So let's talk about Smart Cities. Smart Cities are popping everywhere, in Amsterdam, Singapore, Barcelona, and in many other different cities around the world. But what exactly are Smart Cities? Now, well, in Amsterdam, they decided being a Smart City means they'll have birdhouses that offer free Wi-Fi. And in Kansas City, they decided to take the concept into a more American approach and implemented gunshot sensors, among other things. Now, it is very clear to everyone in the industry that Smart Cities are nothing but a mere concept, an idea of sorts that means absolutely nothing. Because each city is implemented ideas fit for their own culture, their own atmosphere. In order for us to understand the industry and understand who gains the most out of this technological advancement, we need to look at one specific market, the smart energy market. Smart energy is basically a concept allowing utilities, energy utilities, to better connect with their end consumers, as well as municipal authorities, the cities themselves. I know it sounds complicated, but it's really not. Now, energy utilities gained a lot from this whole smart revolution. Using smart energy, they managed to implement devices that allowed them to define different tariffs for different hours, allowing them to earn more money on peak hours. They could also connect or disconnect consumers' electricity remotely, if, for example, they are overdue on their electricity bill or ran out on their electricity prepaid car. They could also receive consumers' electricity usage instantly without having the need to send someone over physically. All in all, utilities gained the option to better manage their electricity grids, and in some cases, save over 15% of their expenses in that area. So basically, energy utilities have a lot to gain from this whole revolution. Basically, when we're talking about smart energy, we're actually talking about the smart grid, containing all the utilities' devices. And the main appliance that makes it so smart is the smart meter. Smart meters are ordinary electricity meters with two extra features. The first is that it allows the utility to monitor and communicate with the meter remotely using PLC or 4G networks. And the second, which truly makes the smart meters smart, is that it allows the utility to communicate with consumers' home appliances with your home appliances. So you are now probably asking yourselves, wait, wait, wait. These things can control my home devices. The utility can control my home. Well, not only they can, but communicate with your home devices is just the first step. In the future, these things will create a massive mesh network all over the city, allowing them to communicate with the city's smart appliances as well. The entirety of the electricity grid, your home, your city, and everything in between will be in control by your energy utility. And that's a bit scary. But how does the smart meter communicate both with the city and your home devices? One word, zigbee. Nice. By now, most of you already know zigbee is an extremely insecure protocol, exploited many times before. But for now, I'll just say that if you thought zigbee is insecure in regular smart houses, just wait and see how it's implemented in the smart energy industry. Another important point is who develops these smart meters? Currently, there are about 60 different smart meter manufacturers, but the top three covering about 30 to 40% of the market are Eitron, Landis and Gear, and Elster. Remember these names as they will pop up a bit later. For now, what you need to understand is that smart meters are offering a lot of benefits for utilities and cities. They have so much to gain. By installing these meters, the utilities are now forcing smart meter installation in a wide range of cases, even though it is costing them billions upon billions of dollars. But utilities aren't the only ones trying to implement these devices. Governments all over the world are pushing it even further. We can see a very sharp increase in positive regulation all over the world, in the Middle East, in Australia, in Japan, and all of East Asia in general, in the US, but the key region for that industry, the one with the most progressive regulation and goals is actually Europe. The European Union has declared it aims to replace at least 80% of all electricity meters in the region with smart meters by 2020, three years from now, with a total investment of approximately 45 billion euros, 72% of all European consumers will have a smart meter for electricity, 72% from all of all the people in the crowd, for that matter. That extreme push, both by governments and by utilities, has made it so that over 100 million smart meters are already installed today all over the world. And if you thought that the installation of smart meters doesn't concern you, you should think again, because these are the countries that will replace at least 80% of their meters in the near futures. Austria, Denmark, Estonia, Finland, France, Greece, Ireland, Italy, Luxembourg, Malta, the Netherlands, Poland, Romania, Spain, Sweden, and the United Kingdom, almost all of Europe will take part in this massive technological revolution. But what's the problem with that? Progress is always a good thing, right? The problem starts when governments, agencies are forcing the installation of appliances that can interfere and communicate with civilians home appliances. The problem starts when there's a product with a market so huge it is installed in hundreds of millions of homes worldwide. The problem starts when that product is accessing the internal network of both the utility and the consumer. You, the problem starts when this product, forced by governments, installed everywhere with critical access points, is also dangerously insecure. But why are smart meters so critical? Let's have a look at what a hacker can do if he'll hack your meter. First of all, he could see exactly when and how much electricity you're using. He could know when you're in the house if you have any expensive electronic equipment that might be worth stealing and obtain a lot of information about you and your family in general. The second thing he can do is basically a billing fraud. He could set your billing amount to whatever amount he'd like. Whether it's one euro or 10,000 euros, you're going to be in a world of pain just by having to explain to the utility why their meter is faulty, why you didn't use 10,000 euros worth of electricity. If you even catch that in time, of course. But these scenarios aren't that frightening. Sure, an attacker can make your life miserable, but it's not really dangerous if you'll see when you turn on your TV. The scary stuff begins when you think about the power these meters have over your electricity network. If an attacker will hack your meter, he will have complete access to all the smart devices connected to his meter. Whether it's your air conditioner, your fridge, or your door lock, an attacker will be able to control each and every device. This will have very severe consequences. The more your house is connected to the grid. Just imagine waking up in the morning just to find out you've been robbed by a burglar who didn't even had to break in because he could control and open your door through the meter. But even if your house doesn't contain any smart appliance, you are very far from being safe. Smart meters are positioned in a critical point in the electricity grid. Because of the high amounts of voltage, the meter is handling, one faulty line of code could cause serious damage. An attacker who controls the meter also control the meter's software, allowing to literally blow the meter up, just cause it to explode and start a fire where it used to be. And these aren't just imaginary scenarios. Puerto Rico has just suffered from a massive amount of billing fraud attacks causing the energy utility to lose $400 million. And in Ontario, smart meters has literally caught fire and exploded without a cause to be found. Allow me to quote one of the firefighters who responds to the event. It's your hydrometer. You have a smart meter. If your house had been a wooden structure and not a brick structure, you wouldn't be alive today. And just so you realize how extremely dangerous these fires are, this is an image of the damage an exploding meter caused in one case. So let's get technical. How do you hack a meter? First off, there's the physical way. There's always the physical way. In order to tamper with a meter physically, you have to have physical access to it, obviously. Which isn't very viable most of the time and is very easy to detect. Anyway, even if you did have access to the meter, there are tons of physical anti-temporary mechanisms inside the meter hardware, ranging from actual locks to flash anti-reading mechanisms. So the physical approach isn't really going to work. Trust me, I tried. Unfortunately, smart meters also support a wide range of wireless protocols. Protocols like ZigBee and GSM are considered standard in the industry and are used practically everywhere. These wireless protocols have been left in the dark with little to no security and doesn't require an attacker to be physically present near the meter in order to exploit an implementation vulnerability. These protocols also allow an attacker direct access to the smart meter firmware, which allows him to exploit many types of high-level bugs like memory corruptions, for example. So naturally, we've focused more on this wireless protocol in our research. So how does the smart meter communicate? Well, in order to communicate with the energy utility, the meter often uses regular GSM. Sometimes, especially in crowded cities and skyscrapers, the meter communicates with the closest electric box using PLC, which then transmits the data back to the utility using GSM. So far, nothing too proprietary, just ordinary GSM operating on 3G or 4G networks. But what about home appliances? How does the meter communicate with them? Well, this is where the notorious ZigBee protocol comes into effect. In order to communicate with home appliances, the smart energy standard has declared ZigBee smart energy should be used whenever possible. So the utility is using GSM to control the meter and ZigBee smart energy is used to control your home. So why won't we use GSM to control the meter? Well, let's talk about encryption. What prevents attackers from using a GSM broadcaster near the meter in order to control it? Well, nothing. Some utilities are not implementing any kind of encryption but the standard on their smart meters. This has been discussed even at 28 C3 five years ago by Dario Carluccio and Stefan Brinkhaus, I hope I pronounced it correctly, yet many utilities didn't quite get a message and left their communication protocols completely unencrypted. But let's assume our utility is very security oriented and they are using encryption. What kind of encryption are they using? Well, most if not all smart meters around the world only supports the A5 GPRS algorithm in order to communicate using GSM. I already heard left from the crowd and you're completely right because the A5 algorithm has been known for many years to be relatively broken but still kind of secure so attackers can just brute force the encryption key and encrypt all communications. But what about hijacking? What happens if an attacker use some kind of a GSM test station and force the meter to use it by broadcasting stronger than the original base station? Well, in that case, the meter will not only connect to the station, it will also try to authenticate itself using its hard-coded credentials, allowing the attacker to hijack the GPRS traffic and completely take over the meter. But, you know, that's just one meter, right? Why can't attackers do that to all meters one at a time? Well, not only they can, they won't have to because all meters of the same utility is using the same APN credentials. If an attacker would gain access to one meter, it will have access to all. One key to rule them all. The sad thing is that this whole security fiasco could have been avoided. If utilities were using proper encryption in their GSM traffic, an attacker wouldn't be able to hijack it. If utilities were segmenting parts of the network instead of using one giant LAN, an attacker wouldn't be able to access all the meters. And if utilities were actually monitoring their smart meter network, they would stop an attacker way before it could compromise their entire network. All in all, in its current state, the smart meter network is completely exposed to attackers. But that's just how we attack the meters. What if an attacker doesn't want to use GSM? What if he wants to take over your house? Now's the time to talk about Zigbee. Zigbee is a communication protocol used in home area networks, as in the local networks used by your smart appliances. Now, this protocol has been standardized in 2003, a year in which the term information security made a little sense as electing Donald Trump president, for that matter. Now, keeping that in mind, Zigbee also supports a huge amount of different devices, ranging from a simple light bulb to the most complex air conditioner. In order to do that, hundreds of hundreds of specifications has been created and implemented in the application layer of the protocol. This created a situation in which sometimes two different devices serving the same purpose, say two toasters, had the same features implemented in a completely different way. On top of that, because of all the various use cases smart devices serve, the Zigbee protocol have 15 different flavors, including home automation, healthcare, and of course, smart energy, among others. This unique situation in which a mandatory protocol covers an enormous amounts of possible use cases is so difficult to implement, vendors actually chose what they want to implement. And when vendors choose what to support, they more often than not completely skip security. So how do you use Zigbee in order to hack a meter? I'll split this question into three parts. The first is design problems. What misguided design decisions can we try to exploit? The second are implementation bugs. How was the protocol implemented inside the meter firmware? And lastly, management. What mistakes does utilities do regarding their meters? So let's start straight with design problems. When a smart hub, not a meter, acting basically as a router detects a new device that wants to join the home area network, it prompts the user to approve it before starting any form of communication with it. That way, only approved devices will be able to access the private network. Seems very logical. That is important because the entire home area network is basically using the same network encryption key. This means that if an attacker is able to obtain that key, he could access and mask itself as any device. For example, he might mask himself as the hub itself and send different commands to devices around the house. Thus, this network key is a very important thing. That's why Zigbee smart energy networks are using AES 128 bits in order to encrypt its communication, which is my emails are encrypted with 2,000 bits, but sure. Now, in regular smart hubs, the only way an attacker might be able to steal that keys by sniffing the network traffic the exact moment the device is added, which is kind of difficult. This is because whenever a device is approved to the network, the hub sends it the network key. I'm abstracting the whole process a bit, but that's the bottom line. Smart meters, on the other hand, are very different from smart hubs because that's a bit amazing. Whenever a device wants to join the network, the meter does not try to make sure it actually should and just replies with, sure, there's the key. This means that if we'll disguise ourselves as a new smart device, we will be added automatically to the home area network, granting us the secret network key. Using that network key, we could impersonate ourselves as the actual smart meter. We could communicate and control any device around the house from way across the street. For example, we can open up locks, try and cause a short in the electricity system, and basically, you know, whatever we want. Now, another thing we can do is start communicating with the meter itself by communicating with the meter we are actually granting ourselves a vast attack surface, the entire ZigBee handling mechanism. This is not dangerous by itself, but leads us directly to implementation bugs. Now, today, smart meters are based either on ARM Linux or plain proprietary ARM embedded systems. Keep in mind that smart meters are supposed to be cheap. Thus, they are often lacking both CPU power and memory. Because these processors are so modest, so to speak, the embedded code handling ZigBee communication is often shortened and optimized. This sounds nice, but in reality, this leads to code that often lacks security checks, like buffer size checks, for example. But successful exploiting a buffer overflow attack in a meter might prove to be a very tough thing to do. That's why you don't actually have to do that in order to break the meter. A simple segmentation fault will completely crush the meter, causing an electricity shutdown at the premise. On top of that, some crashes will actually cause this, if you remember. So all you have to do in order to burn someone's house is send a very long header string. Putting memory corruptions and exploding meters aside, the other very severe weakness often found in meters and basically a lot of other devices are hard-coded credentials. Most meters have at least one debug port available for technicians. These debug ports are often using the same credentials over and over again. In one case, we saw the credentials for a very popular vendor that's called it Litron. SmartMeter wore root as the username and Litron as the password. Not surprising, though, as they don't think anyone will actually try and communicate with it. They're not making any effort to make it secure. The other very important point about implementation problems is encryption. As we saw earlier, each utility is using only one GPIS key in order to control its entire network of smart meters. But what about the ZigBee network? If it was impossible to inject a new device and hijack the key, like I showed earlier, will it still be possible to bring the encryption? Yes, because, and you won't believe it, the 128-bit ASK I was talking about, it's not really made out of 128 random bits. Instead, the key is derived out of each meter's installation code, as in the code the manufacturer assigns each meter, which can be as high as a 16-bit random string, but as short as six. Meaning the maximum amount of random bits is indeed 128, but because the standard allows it, most keys are only made out of six random bytes, meaning 48 bits. This is exactly what happens when you let vendors decide for themselves which parts of the standard to implement. Security is often neglected, which leads us directly to bad management. Smart meters are already implemented in a very wide scale. These security problems are not going to just go away. On the contrary, we are going to see a sharp increase in smart meters hacking attempts because they are such an easy target. Yet, most utilities are not even monitoring their network of smart meters, let alone the smart meters themselves. Utilities have to understand that with great power comes great responsibility. For their infrastructure, for their municipal, they operate in, for their customers, for you, just as they monitor their other private networks, they have to step up and protect this one too. And in order to do just that, we as a community have to act fast. This is why we at Voltra are releasing, in the upcoming weeks, our own meter fuzzing tool, so you will have the power to inspect smart meters legally by yourself. You need to be in charge again, discover new bugs and vulnerabilities and report them, mail your government officials, arrange debates on a national level, inform the public of the dangerous of neglecting security. We are giving you the tools to regain control, reclaim your home, or someone else will. Thank you very much. I'm scared already. So we have plenty of time for questions. We have, I think, eight microphones here, one there, one there, one there, one there, and two up there. If you can make your way up to the microphone, we will take your questions. Make sure they actually are questions. Preferably. I'll start with one. Yeah, you raised a number of very good points. Thank you. I have been designing electricity meters for five years, and two years ago I started designing a smart grid myself in the Netherlands. As an IT security personnel, or an actual software developer? Yeah, as a security person in the digital grid. Right. I want to make one notice, and that is that exploding meters using software is simply not possible. They simply do not have hardware that can explode that you can control with software. It's as simple as that. So don't be scared about your meter exploding because of a hack. It's not going to happen. If I'm not mistaken, if I'm not mistaken, the Ontario government officials will probably disagree because their meters did explode. Now, in the official report, you know, developed right after these explosions, they couldn't figure out how exactly they exploded. They said the same thing, you know, that the meter isn't capable of exploding because it lacks the hardware. But later, they found out that if one of the chips had electricity short, I think, it could cause the meter to mishandle the entire voltage, you know, passing through it, and just overheat and then explode. Like, the chips just overheat and explode, you know, in that case. They didn't just burn, they exploded because the amounts of voltage was so great. So, you know, it is possible that the Netherlands doesn't have any exploding meters, but, you know, we'll see. I've seen plenty of exploding meters, but never because of anything related to software. It's usually because the installer forgot to tighten the screws and they overheat. Yeah, that's what I'm talking about. I'd like to take a microphone 8 next. That is somebody standing up there, isn't it? Yeah. My question is, is it possible to attack the vendor of the power plants via those smart meters if you attack the smart meters via the Zigbee? The vendors probably won't be a target because they are not using smart meters. The utilities will be a target, you know, because of that. That's why vendors doesn't really care about security because they're not, you know, the ones affected. So, you can hack the utility through the smart meters. It has been proven, both by us and other researchers, but the vendors are probably out of the picture for now. Thanks. Two, please. Yeah, I used to work at an IoT company and it seemed like the problem with a lot of this is that there's not motivation for people installing these devices to make it secure. And even when some of us as developers said this is broken, it was usually ship it because we have to. So, how would you recommend us as engineers addressing the cultural problem of shipping shitty IoT devices? That's a great question. I think, you know, every software engineer has come to a point where he asked himself that very question, but, you know, bottom line is management decisions. You as software engineers can't really spend that much time on security unless you're told so. So, the problem should be solved from the top, not from the bottom, in that case. You know, in my opinion. All right, internet. There was a question from the internet just before. Are these searchable via Shodan or other methods? Well, if they're connected to the internet, then the answer is yes. But, you know, most often they're not there. They have their own LAN network and they are not really connected to the internet. If you do happen to find some, please let me know. That will be interesting. Two, please. Hi, thanks for the great talk. We'd like to ask after what you present, I know the talks present in here regarding mass surveillance, everything about it, what do you think if all these bad design decisions are made on purpose so we would be easily tracked? We are looking at it, you know, as bad design decisions because we're, you know, security people. We do security and for us, it's bad. But for the government, it's actually very good. They want to know what you're using. They want to know when you're using it. They want to predict what you will be using. There's a very obvious reason as to why this whole industry is booming right now. And that is definitely control. I don't know if surveillance is the correct word, but better understanding civilians is definitely on the topic here. Number one, I'm just asking, is there actually a central patch management or stuff for that? Because we saw, you know, some weeks ago that because of shitty implementation of a home router, like a big part of Germany was offline because of an attack. And if I think about, you know, you just shut off whole smart meters and nobody has a way to patch them, it would be quite bad for a country. That's a good question because, first of all, they do have a sort of patching system. They do have firmware upgrades, all right? But the hardware itself is not going to change. The meter's, you know, life cycle is approximately 25 years. So, you know, even with the best firmware upgrade in the world and the best encryption keys in the world, the meter can support, you know, up to a certain level. So we'll see what happens in about 20 years and if the patching system, you know, really worked. I'd like to take a question from the internet again. Why roll out smart meters on home level anyway? Would it technically not be enough to roll them out on street level to adjust the power in the grid? It will be enough, you know, if the cities themselves would be the only ones wanting smart meters. But utilities are wanting smart meters. Utilities want to control each and every consumer's home. So, you know, setting them up on the street can be effective to a certain point for cities. But to utilities, they have to have a meter for every consumer, for every house, for every apartment. Microphone 3. In Germany, we have the situation that the smart meters are becoming mandatory over a couple of years, which is a bad thing in my opinion, but they also go through a very rigid certification process, which is a good thing, although it is not open source and verifiable by the CCC, for example, not so good. However, what is the status in your community and your sphere like, are they becoming mandatory and are there plans to certify them before they can be put online and put into operation? Well, part of the German specifications is online, you can read it, I did so myself. Anyway, the whole, you know, German standardization is often taking security as a recommended thing to have. Both the Germany and the US and, you know, all Europe in its entirety are just recommending utilities to implement security, but once you recommend something to these large organizations, they often won't really implement it. So my hope is that this stock will bring some change. This is why I'm standing here. I want these standards and situation to be changed, but that's gonna happen only if we, as a community, will, you know, act together to make that happen. So microphone 7. Hi. As I'm destined, Europe wants to install it right out everywhere. So they will probably go on by being a good example and rolling out in every public administration and so on. So there might be a bit leverage here if, you know, you go to your administration and, oh, well, the computers don't work anymore because there is no energy. Well, I do not support any legal activities for the protocol. And something needs to be changed and something needs to be done in order for, you know, this large organization to actually change something. How it's gonna be done, that's up to you because, you know, you're Germans, I'm unfortunately not, but I don't know if threatening will be, you know, the key in this debate, but definitely something. Like, I don't want to recommend anything, you know, specific. So microphone 2. Did you look at any data that show the balance between big consumers like factories and shopping malls and offices and households with smart meters and smart devices? The question is, can the controlling of smart devices have a benefit for the managing of the change to renewable energies? Well, of course, smart meters also allow consumers to generate electricity themselves and sell it back to the utility through solar panels or whatnot. So there are a lot of reasons for why smart meters are becoming so popular, for why they are being regulated so heavily. A lot of reasons, trust me. Microphone 4. I have a question about the year 2038 problem because you say, well, smart meters are installed for 25 years. Well, if you can sum up this year plus 25, then you come in the area of 2038, is the problem handled and is it a security issue at all? Are you asking about 2038 right now? Yes. I have no idea what's going to be at 2038. I have no idea. Well, because the time will overflow. So, well, will it then just stop or will it just put a wrong date on the data or what will happen or is it handled at all? I have no idea what's going to be at 2038. I understand the question. I think most of them, date-wise, will probably need a software update patch, but they are acting on a, if I'm not mistaken, a 32-bit kind of processor. So we'll see. Sounds like a great debate for Twitter. Microphone 8. See you in 25 years. Yeah, hi. I'm happy that you put this topic to this conference and I think it's very important to talk about this topic, but I'm kind of unhappy that you did this by fearing and I'm not very happy about how you presented it because you simplified a lot and you simplified a lot and I don't think that this is the way we get a better solution and that's what we should aim for. That's a good point. That's a good point. I did frighten a lot. It was on purpose, of course, because we as security experts, we hear something can get hacked and we want to do something about it. We care about these things because when they understand the situation, but common people who aren't in the security industry doesn't really know the effects of someone hacking their meters. So it is mainly, you know, all the frightening points, so to speak, is targeted to them so they will understand what's going on. But yeah, that is a valid point, you know. The internet has another question. Why use wireless protocols and not use power line? They do use power line. I mentioned they use power lines on skyscrapers and so on. There's a very, you know, hard limit to the extent PLC will work. So they are using it for short distances, but when they're trying to communicate with the command and control server, they have to use some kind of wireless protocol. Microphone 2. Hi. Did you look into any other protocols in home automation, not only ZigBee, because it's, I think, many American big thing there in other countries, continents. There are other protocols. Did you look into that? There are other protocols. The main protocol in the smart energy industry is ZigBee and, you know, it powers about 99 something percent of all smart meters in the world. So we tried to focus on that. We didn't really look at other more proprietary protocols. Microphone 3. I have a question about the possibility of controlling local IoT devices, because I'm not aware of many smart makers' designs, but usually these are connected only passively to the power grid. So what are the chances of controlling local IoT devices separately, not only by turning on or off the whole power grid, if it's even possible? Well, let me answer, you know, on a general note here. If the certain device is using certain wireless protocols, then it won't be only possible to hack it. It will be probably pretty easy. But if it won't use any wireless protocol, you know, it's gonna use only PLC or, you know, I don't know, Ethernet or something, it will be more difficult to hack it, just for, you know, because of the simple reason that utilities can detect it more easily than wireless attacks. Okay, thanks. Microphone 8. Yeah, hi. I'd like to know if you had a look at the German way of deploying smart metering, especially the whole hierarchy of smart meters, smart metering gateways, and then up to the gateway administrator. You're talking about Eitron? Sorry? You're talking about Eitron? No, no, it's called the German way of smart metering, because we have quite a different approach to it. If there's Zigbee or no Zigbee, and more like a more centralized infrastructure. In what way is it more centralized? Just, you know, so I get the whole picture. Well, you have your meters, not only smart meters, but also analog meters. They connect to a smart meter gateway, and both smart meter gateways connect to a gateway administrator to deliver all the data. So we have, say, no Zigbee mesh devices in your home. Well, I don't have a definitive answer for that, because we focused on smart meters that do use Zigbee. And, you know, that's a good question. Maybe come later and we'll discuss it a bit further, because I don't want to, you know, steal time from anyone else, right? So I think there was one question from the internet. There are still a couple questions, but I'll start with one here. Since the smart meters are being legislated into being installed, could we also work on improving legislation regarding security? Of course, of course, that's what we should do. We should improve legislation about security. And, you know, that's the whole point, basically, because if we force vendors and utilities to implement better security, they just won't do it. But if the government will force them, it's a whole different story. So we've none, no more from the floor. Do you want to take another one? Aren't the bug ports you talked about protected by seals? In some meters, they are. In some meters, they aren't. It really depends on the vendor, but technicians that, you know, do come physically to the meter will have access to it. So even if it is sealed, we can still communicate with it and, you know, worry about the feeling later. And I think that's the end of the questions. I would like to thank Natty for his great presentation. Thank you very much. Thank you very much.