Another year, another CCC. As every year, I went to Hamburg to appreciate all
galactic life forms in their diverse multi-dimensional environment. My goal this
year was the usual meet ups with friends I haven't seen in a long time, get
inspired for new research directions, to catch some talks, and, ideally, play a
bit of CTF if there was time.
This year, we also had a talk on the first day, so quite a bit of time went into
preparing and rehearsing. Luckily, the talk went smooth and we had a lot of time
afterwards to achieve all the other goals.
The congress is a bit like coming home. Every year I feel incredibly welcome.
There's lots of blinking lights, diverse music playing, a few bars with Mate,
coffee, and beers along with enough time to chat, explore, and hack. The
congress is a way for me to recharge and get ready for the next year.
I have two hearts beating in me. The first is an academic that tries to improve
security at a global scale by developing new techniques and analyzing
weaknesses. The other is a hacker that is driven by the curiosity of how systems
tick. At the congress, I can live the hacker heart.
As last year, a bunch of my group explored the congress alongside and it was
also great to meet a few former HexHivers.

As every year, I attended a few talks and, given the 14,000 attendees, did not
make it into the rooms for some of the others. The rest of the blog post
highlights some of the amazing talks and gives a small summary of each.
Day 1: Quality Talks
Liberating Bluetooth on the ESP32:
Anton reversed the proprietary BT stack for the ESP32 and liberated it, now
allowing an open source implementation that gives developers direct access to
low level traffic, per channel scans, arbitrary BT RF traffic and lots of low
level features that are otherwise hidden behind the HCI stack.
Opening pAMDora's box and unleashing a thousand paths on the journey to play
Beatsaber custom songs:
thimstar presented a wild story on glitching AMD CPUs to tease out internal ARM
cores, extracting boot ROMs, and trying to get code execution way before the x86
cores start to execute. An extremely interesting deep dive into glitching, mod
chips, and the exploration of the dark arts.
Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot:
stacksmashing and nsr gave an overview of the Raspberry Pi RP2350 processor,
which combines a nice ARM core and a RISC-V core with glitch detection, one-time
programmable memory, and a bunch of other security features at an unbeatable
price point of $1. They discussed the results from the bug bounty, covering
attacks on the OTP PSM, forcing a vector boot, laser fault injection, an OTP
read double glitch, and FIB antifuse extraction to read the 16-byte secret
hidden in the OTP memory.
To sign or not to sign: Practical vulnerabilities in GPG & friends:
49016 and Liam presented some of their research into GPG signature
verification. During the talk, they demonstrated a few issues with signature
parsing, along with bypassed signature checks, wrong signatures, and even a few
memory corruptions. Apart from the awesome vulnerabilities, this talk highlights
some of the issues with old open source projects. Many of these projects have
strong leaders who struggle with assessing security issues. Liam and 49016 had
a hard time convincing the maintainers to assign CVE numbers despite being able
to fake signatures.
Escaping Containment: A Security Analysis of FreeBSD Jails:
ilja and Michael Smith targeted a slightly different angle this year and looked
at FreeBSD jails, in particular at the remaining attack surface of the kernel
and how to abuse it to break out of the jails. By enumerating the attack surface
and thoroughly exploring it, they found several severe bugs. An interesting
observation was that there are still quite severe memory corruption
vulnerabilities in the FreeBSD kernel. Compared to Linux, whose kernel is
thoroughly fuzzed through syzkaller, this was somewhat surprising.
Die Känguru-Rebellion: Digital Independence Day
<https://media.ccc.de/v/39c3-die-kanguru-rebellion-digital-independence-day>:
Marc-Uwe Kling and Linus Neumann talked about digital independence and called
for digital sovereignty in a fun way. This talk, apart from the comedy aspect,
highlighted the need for Europe to create, manage, and deploy its own
independent services, ideally built on open source.
Not To Be Trusted - A Fiasco in Android TEEs
<https://media.ccc.de/v/39c3-not-to-be-trusted-a-fiasco-in-android-tees>:
In our talk, we presented a chain of bugs that results in a full compromise of
Beanpod TEEs. I blogged about our talk earlier.
Hacking washing machines:
Hajo and Severin started by looking into old, broken washing machines from Miele
and B/S/H. After some exploration, they moved up to newer devices, reverse
engineered several of the newer connected systems, and enabled interesting debug
features.
Bluetooth Headphone Jacking: A Key to Your Phone:
Dennis and Frieder presented their research on impersonating Bluetooth devices.
Their twist was essentially that they could read out the Bluetooth address and
keys by connecting to specific vendor chips and then take over sessions. They
highlighted the attack vector of the HFP (hands-free) profile, which allows
taking calls and redirecting them over Bluetooth to hijack second-factor
validation.
Day 2: All about the social interactions
Don't look up: There are sensitive internal links in the clear on GEO
satellites:
Nadia and Annie expanded on their earlier research on unencrypted satellite
backend communication. They presented some new findings, including military
operations conducted in the clear. One of the difficulties that led to this
security breach is that users have no (legal) way to pentest this backend.
Xous: A Pure-Rust Rethink of the Embedded Operating System:
bunnie and xobs presented their work on an embedded Rust operating system along
with the design of a microkernel. While the OS was pretty standard stuff, they
also presented a new RISC-V devboard that we got to play with. While bunnie only
spent a few slides on the technical details, I was impressed by how he snuck a
RISC-V chip alongside a fused-off ARM chip to save on royalty fees.
The rest of the day, I spent mostly socializing and talking to other people in
different assemblies.
Day 3: A few more talks
Build a Fake Phone, Find Real Bugs: Qualcomm GPU Emulation and Fuzzing with
LibAFL QEMU:
Romain, who is still working on his PhD at EURECOM, showed how to target
Qualcomm GPUs through a LibAFL driver on Android. This talk is a great intro to
LibAFL usage and to writing fuzz drivers for not-too-easily-reached targets.
Overall a great intro to GPU fuzzing as well. And Romain found lots of cool
bugs, so definitely recommended.
The Angry Path to Zen: AMD Zen Microcode Tools and Insights:
Benjamin built on earlier research on reversing the AMD K8 and K10 microcode
and ported it to Zen. In this talk he quickly introduced the concept of
microcode patching and discussed, at length, how he built an extensive toolchain
to create your own instructions.
Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM:
Martin, Florian, and Daniel gave an overview of Rowhammer and presented a study
of Rowhammer in the wild, where they distributed USB sticks to thousands of
participants and got them to run the code on their systems to test for
flippable bits using diverse hammering patterns.
Von Fuzzern zu Agenten: Entwicklung eines Cyber Reasoning Systems für die
AIxCC (From Fuzzers to Agents: Building a Cyber Reasoning System for the AIxCC):
Mischa and Annika introduced the audience to fuzzing, LLMs, and how they were
used as part of a cyber reasoning system at the AIxCC. The goal of this DARPA
competition was to develop an end-to-end cyber reasoning system that finds bugs
and creates exploits, but also patches the bugs. They discussed the common
approaches used by the different teams along with some limitations. A great
overview and introduction to this topic.
Gen.Polyb.io workshop: This year, there was a fun new game at the congress. One
could register a simple NFC card at a base station. After joining a faction,
one could "capture" other base stations, redirect energy, and gain points for
their team. This was a super fun treasure hunt to find all the different
stations and kept us up one night. On the third day, the developer of the
stations gave a workshop on how he built the system, what software was running,
and how he made it tamper resistant. Overall a cool insight into low-level
hardware.
Departure
On the last day, I grabbed a quick breakfast and headed towards the airport.
After a stroll through the harbor area, I did a quick stop to explore some
caches and then caught up with some emails at the airport.
I'm sure that I missed many great talks but that's part of the congress
experience: you live in the moment and randomly pop into workshops and talks
while missing out on some others. Luckily, most talks are recorded and I'll be
able to catch up later, so let me know if I missed your favorite talk in my list
above.
We'll be back next year with hopefully another talk, renewed energy, cool hacks,
and lots of time to talk to people. So long, see you next year at the congress,
and hack the planet!