Another year, another CCC. It's been a long road from Berlin to Leipzig and
Hamburg. Each year, I repeat the ritual of going to the "Kongress", the most
amazing hacker get together in the world. The Kongress is special, hackers of
all denominations meet, engage, hack, and enjoy a few mellow days towards the
end of the year.
I was amazed by the large amount of assemblies and enjoyed the CTF assembly with
the flying shark, all the lights and constructions throughout along with the
secret party in a hidden restroom (one had to enter from a side door at one of
the halls, go to a lower floor and then discover a club built into a restroom
with lights, speakers, good music and a whole bunch of people) and the even more
secret club (apparently called something like the Hutzelwutze but don't blame me
for the spelling) further down hidden somewhere in the basements of the congress
center.
This year, around 10 HexHivers were present. Some of us gave a talk and many
joined the 40 Organizer/Polygl0t players for the CTF. Overall a good showing
from Switzerland and we'll certainly be back next year!
Same as each year, I attended a few talks and, given the 14,000 attendees did
not make it into the rooms for some of the other talks. The rest of the blog
post highlights some of the amazing talks and gives a small summary.
Day 1: Quality Talks
ACE up the sleeve: Hacking into Apple's new USB-C controller by stacksmashing.
Stacksmashing explained us how he reverse engineered the new Apple USB-C
controller by first targeting and understanding the previous model. The talk was
deeply technical but fun. Especially the firmware extraction, analysis, and
mapping was a massive amount of work. Stacksmashing made it sound easy but
overall this was a very cool talk that is highly recommended to those interested
in USB-C firmware and potentially the discovery of bugs.
Investigating the Iridium Satellite Network by sec and Schneider. I'm old
enough to have seen the first talk they did on Iridium a few years ago and this
talk was an amazing continuation. The Iridium satellite network is getting a bit
older but still hides some secrets. Sec and Schneider went into some low level
signal details and how the text messaging system sent unencrypted text messages
through "beams" to different places. They speculated that Iridium could be used
as a positioning system, replacing GPS or other services. But they also
highlighted privacy implications of these services that are usually running in
clear text for both audio and text messages. Surprisingly, a lot of the
audio/texts they decoded were test messages, posing the question about how much
Iridium is actually still used.
EU's Digital Identity Systems - Reality Check and Techniques for Better
Privacy by Anja Lehmann and socialhack.
I explored this talk due to the upcoming Swiss ID system that shares some
aspects with the EU one. Anja and socialhack gave a great overview of the
underlying technology and highlighted some risks. Even tough the underlying
cryptography is rather complex, Anja managed to explain it in a straight forward
manner that was understandable to anyone with a basic background in computer
science. Towards the later part of the talk, they also highlighted possible
extensions towards future proof extensions and argued for "a leap of faith"
towards new research, allowing them to build better privacy preserving tools
that can be used in these ubiquitous identity systems.
Wir wissen wo dein Auto steht - Volksdaten von Volkswagen by Michael Kreil
and Flüpke. As it turns out, Volkswagen had a datenreichtum where they left
large amounts of data publicly accessible in an AWS bucket. The discovery
started through a simple enumeration of web endpoints and the underlying
framework left the heap dump feature enabled, allowing the hackers to download
the full heap "for debug purposes". In this heap dump, they discovered general
tokens that allowed them to impersonate any user and get access to the AWS
storage. The storage dump contained full information about the owners such as
email addresses and sometimes phone numbers but also GPS traces over long
periods of time. This massive breach of privacy and trust was substantial. It is
unclear why Volkswagen collected this information in the first place and deeply
concerning that it was openly accessible.
We've not been trained for this: life after the Newag DRM disclosure by
Michal Kowalczyk, q3k, Jakub Stepniewicz. This follow up from last year's talk
discussed how the researchers were SLAP'd with frivolous lawsuits to silence
them. Last year, these hackers from Dragon Sector talked about how Newag added
DRM to their trains along with geolocking to undermine competitors that were
interested in servicing these trains. Instead of admitting fault, Newag went all
in and started suing people left and right, including the hackers who reverse
engineered the DRM (including discovering the magic unlock code where you have
to press the SOS button in the toilet as part of the sequence) and the geo
locks. While they presented it lightly, it must suck massively when companies
pull such shit moves and start suing security researchers. Not sure Newag
understands how hackers work.
Fnord-Nachrichtenrückblick 2024 by Fefe and Atoth.
This year Frank could not make it to the CCC, so Fefe had to find some
replacements. As each year, the talk highlighted some of the fuckups and
screwups throughout the year and was entertaining as ever. Recommended as an
alternative review of the year in tech and tech politics.
Day 2: Moving to Eastern Time
As always at the CCC, there is a massive intergalactic time shift. This day, we
therefore had breakfast in Eastern time, moving roughly 6 hours after Central
European time. Still, we managed to sneak in and get some breakfast.
From Pegasus to Predator - The evolution of Commercial Spyware on iOS by
Matthias Frielingsdorf. Great overview of different iOS exploitation vectors and
how the spyware evolved over time. Unfortunately the room was full and I could
not make it in, but I marked this talk for later consumption.
Fearsome File Formats by Ange Albertini. This talk was concurrent to the MacOS
talk but knowing Ange, I also marked it for later watching.
MacOS Location Privacy Red Pill: A Rabbit Hole Resulting in 24 CVEs by Adam M.
As this talk was not recorded, I managed to sneak in and check out Adam's talk.
He highlighted the new MacOS TCC privacy framework that restricts how
applications can access privacy-relevant data. He discovered that applications
often leak private information such as location data or other details through
side channels. An unprivileged app can therefore leak this information from
privileged apps. Overall, this talk was not super exciting as the "fail open"
approach where untrusted applications still have incredible access to log
information or the file system seems ultimately at conflict with security and
privacy. Also, the presented CVEs were all 1-2 years old and seemed a bit stale.
I learned later that this talk was already given several times at other venues,
so not the best use of my time overall.
10 years of emulating the Nintendo 3DS: A tale of ninjas, lemons, and pandas
by neobrain. Neobrain is a key emulation hacker and has vast experience with the
different 3DS emulation platforms. He shared some political insights into how to
make a thriving community around emulation development but also some design
aspects how to make efficient and performant emulators. Key is to select the
right emulation abstraction. While the underlying ISA is fairly straight
forward, one must select a reasonable abstraction layer to implement the
different services. The three main options are to emulate the raw hardware where
it is difficult to translate between the different peripherals, to emulate at
the micro kernel interface to abstract away the low level devices, or to
emulate at the high level of services. Neobrain explained how he moved from a
high level emulator to a mid level emulator and had massive success and speed
ups. Great technical talk overall with some fun sprinkles of politics. And, as
you may know, I'm always a sucker for some cool binary analysis and translation.
io_uring, eBPF, XDP and aF_XDP by LaF0rge. Harald Welte, known from Osmocon,
told us some technical details about how to write high performance I/O stacks
that read from thousands of file descriptors. A key overhead with I/O is that
many small reads result in massive amounts of transitions between user space and
kernel space and lots of copying of data. The new io_uring interface in the
kernel makes this much faster as I/O becomes asynchronous and the user-space
program can send and receive at the same time by filling data into a ring
buffer. Harald highlighted the different pros and cons and overall gave a nice
introduction.
Hacking yourself a satellite - recovering BEESAT-1 by PistonMiner.
A few years after its launch, BEESAT-1 went silent and stopped transferring
telemetry data. PistonMiner took us on a journey on reverse engineering the
firmware, discovering a few bugs along the way and speculating about the
original bug that killed the flash page with the configuration of the telemetry
data (a concurrency bug during the update of the boot parameter). Overall a
super entertaining talk with some insight into the programming of Cube sats.
Highly recommended!
Day 3: Arriving in Pacific Time
The time dilatation continued and we arrived in Pacific time. It was a slight
struggle to get up as we spent quite some time in the club and only got a few
hours of sleep.
Dialing into the Past: RCE via the Fax Machine - Because Why Not? by Rick de
Jager and Carlo Meijer.
After getting some big $$$ at pwn2own, Rick and Carlo wanted to have some fun
and thought that a printer can be pwned not just through by printing a document
but also remotely by receiving a fax. Surprisingly, the fax interface allows
sending different formats, including print documents that are then processed by
the printer. They used their Jpeg2000 bugs to trigger an RCE through the fax
subsystem and ultimately ran DOOM. I later had some fun playing with the DOOM
interface on the printer as well. Super cool hack.
Beyond BLE: Cracking Open the Black-Box of RF Microcontrollers by Adam Batori
and Robert Pafford. Another talk I sadly missed but heard lots of good things
about. Added to my watch list for later.
Ultrawide arecheology on Android native libraries by Luca and Rokhaya.
Luca and Rokhaya have been working on Android apk analysis for a while and they
used this opportunity to present some cool insights they found when downloading
lots of APKs and trying their best with modern machine learning solutions. As it
turns out, downloading large amounts of APKs is hard in the first place.
Surprisingly, many apps have native libraries and most of them are downloaded
from Maven and other repositories. Developers rarely compile their native
libraries and just dump zip archives into their code (which is a security
nightmare as well but alas). When evaluating the binary similarity machine
learning solutions, they discovered that these tools don't scale to realistic
datasets. While they could be useful for tiny datasets where function comparison
is necessary, they will not be useful for large scale analysis.
Ten years of Rowhammer: A Retrospect (and Path to the Future) by Daniel Gruss,
Martin Heckel, and Florian Adamsky. Another talk I missed but according to the
coverage, looks like it was super fun! I'll definitely watch the recording.
Departure
On the last day, we enjoyed a final breakfast and headed to the harbor.
As it was the first time in Hamburg for several HexHivers, we had to stroll
through the fish market, get a tasty Matjes sandwich, walk the Elbtunnel and
then it was already time to get to the airport and back to Switzerland.
We'll be back next year with hopefully another talk, renewed energy, cool hacks,
and lots of time to talk to people. So long, see you next year at the congress,
and hack the planet!
