38c3: Hutzelwutze in Hamburg

Another year, another CCC. It's been a long road from Berlin to Leipzig and Hamburg. Each year, I repeat the ritual of going to the "Kongress", the most amazing hacker get together in the world. The Kongress is special, hackers of all denominations meet, engage, hack, and enjoy a few mellow days towards the end of the year.

I was amazed by the large amount of assemblies and enjoyed the CTF assembly with the flying shark, all the lights and constructions throughout along with the secret party in a hidden restroom (one had to enter from a side door at one of the halls, go to a lower floor and then discover a club built into a restroom with lights, speakers, good music and a whole bunch of people) and the even more secret club (apparently called something like the Hutzelwutze but don't blame me for the spelling) further down hidden somewhere in the basements of the congress center.

This year, around 10 HexHivers were present. Some of us gave a talk and many joined the 40 Organizer/Polygl0t players for the CTF. Overall a good showing from Switzerland and we'll certainly be back next year!

Same as each year, I attended a few talks and, given the 14,000 attendees did not make it into the rooms for some of the other talks. The rest of the blog post highlights some of the amazing talks and gives a small summary.

Day 1: Quality Talks

ACE up the sleeve: Hacking into Apple's new USB-C controller by stacksmashing. Stacksmashing explained us how he reverse engineered the new Apple USB-C controller by first targeting and understanding the previous model. The talk was deeply technical but fun. Especially the firmware extraction, analysis, and mapping was a massive amount of work. Stacksmashing made it sound easy but overall this was a very cool talk that is highly recommended to those interested in USB-C firmware and potentially the discovery of bugs.

Investigating the Iridium Satellite Network by sec and Schneider. I'm old enough to have seen the first talk they did on Iridium a few years ago and this talk was an amazing continuation. The Iridium satellite network is getting a bit older but still hides some secrets. Sec and Schneider went into some low level signal details and how the text messaging system sent unencrypted text messages through "beams" to different places. They speculated that Iridium could be used as a positioning system, replacing GPS or other services. But they also highlighted privacy implications of these services that are usually running in clear text for both audio and text messages. Surprisingly, a lot of the audio/texts they decoded were test messages, posing the question about how much Iridium is actually still used.

EU's Digital Identity Systems - Reality Check and Techniques for Better Privacy by Anja Lehmann and socialhack. I explored this talk due to the upcoming Swiss ID system that shares some aspects with the EU one. Anja and socialhack gave a great overview of the underlying technology and highlighted some risks. Even tough the underlying cryptography is rather complex, Anja managed to explain it in a straight forward manner that was understandable to anyone with a basic background in computer science. Towards the later part of the talk, they also highlighted possible extensions towards future proof extensions and argued for "a leap of faith" towards new research, allowing them to build better privacy preserving tools that can be used in these ubiquitous identity systems.

Wir wissen wo dein Auto steht - Volksdaten von Volkswagen by Michael Kreil and Flüpke. As it turns out, Volkswagen had a datenreichtum where they left large amounts of data publicly accessible in an AWS bucket. The discovery started through a simple enumeration of web endpoints and the underlying framework left the heap dump feature enabled, allowing the hackers to download the full heap "for debug purposes". In this heap dump, they discovered general tokens that allowed them to impersonate any user and get access to the AWS storage. The storage dump contained full information about the owners such as email addresses and sometimes phone numbers but also GPS traces over long periods of time. This massive breach of privacy and trust was substantial. It is unclear why Volkswagen collected this information in the first place and deeply concerning that it was openly accessible.

We've not been trained for this: life after the Newag DRM disclosure by Michal Kowalczyk, q3k, Jakub Stepniewicz. This follow up from last year's talk discussed how the researchers were SLAP'd with frivolous lawsuits to silence them. Last year, these hackers from Dragon Sector talked about how Newag added DRM to their trains along with geolocking to undermine competitors that were interested in servicing these trains. Instead of admitting fault, Newag went all in and started suing people left and right, including the hackers who reverse engineered the DRM (including discovering the magic unlock code where you have to press the SOS button in the toilet as part of the sequence) and the geo locks. While they presented it lightly, it must suck massively when companies pull such shit moves and start suing security researchers. Not sure Newag understands how hackers work.

Fnord-Nachrichtenrückblick 2024 by Fefe and Atoth. This year Frank could not make it to the CCC, so Fefe had to find some replacements. As each year, the talk highlighted some of the fuckups and screwups throughout the year and was entertaining as ever. Recommended as an alternative review of the year in tech and tech politics.

Day 2: Moving to Eastern Time

As always at the CCC, there is a massive intergalactic time shift. This day, we therefore had breakfast in Eastern time, moving roughly 6 hours after Central European time. Still, we managed to sneak in and get some breakfast.

From Pegasus to Predator - The evolution of Commercial Spyware on iOS by Matthias Frielingsdorf. Great overview of different iOS exploitation vectors and how the spyware evolved over time. Unfortunately the room was full and I could not make it in, but I marked this talk for later consumption.

Fearsome File Formats by Ange Albertini. This talk was concurrent to the MacOS talk but knowing Ange, I also marked it for later watching.

MacOS Location Privacy Red Pill: A Rabbit Hole Resulting in 24 CVEs by Adam M. As this talk was not recorded, I managed to sneak in and check out Adam's talk. He highlighted the new MacOS TCC privacy framework that restricts how applications can access privacy-relevant data. He discovered that applications often leak private information such as location data or other details through side channels. An unprivileged app can therefore leak this information from privileged apps. Overall, this talk was not super exciting as the "fail open" approach where untrusted applications still have incredible access to log information or the file system seems ultimately at conflict with security and privacy. Also, the presented CVEs were all 1-2 years old and seemed a bit stale. I learned later that this talk was already given several times at other venues, so not the best use of my time overall.

10 years of emulating the Nintendo 3DS: A tale of ninjas, lemons, and pandas by neobrain. Neobrain is a key emulation hacker and has vast experience with the different 3DS emulation platforms. He shared some political insights into how to make a thriving community around emulation development but also some design aspects how to make efficient and performant emulators. Key is to select the right emulation abstraction. While the underlying ISA is fairly straight forward, one must select a reasonable abstraction layer to implement the different services. The three main options are to emulate the raw hardware where it is difficult to translate between the different peripherals, to emulate at the micro kernel interface to abstract away the low level devices, or to emulate at the high level of services. Neobrain explained how he moved from a high level emulator to a mid level emulator and had massive success and speed ups. Great technical talk overall with some fun sprinkles of politics. And, as you may know, I'm always a sucker for some cool binary analysis and translation.

io_uring, eBPF, XDP and aF_XDP by LaF0rge. Harald Welte, known from Osmocon, told us some technical details about how to write high performance I/O stacks that read from thousands of file descriptors. A key overhead with I/O is that many small reads result in massive amounts of transitions between user space and kernel space and lots of copying of data. The new io_uring interface in the kernel makes this much faster as I/O becomes asynchronous and the user-space program can send and receive at the same time by filling data into a ring buffer. Harald highlighted the different pros and cons and overall gave a nice introduction.

Hacking yourself a satellite - recovering BEESAT-1 by PistonMiner. A few years after its launch, BEESAT-1 went silent and stopped transferring telemetry data. PistonMiner took us on a journey on reverse engineering the firmware, discovering a few bugs along the way and speculating about the original bug that killed the flash page with the configuration of the telemetry data (a concurrency bug during the update of the boot parameter). Overall a super entertaining talk with some insight into the programming of Cube sats. Highly recommended!

Day 3: Arriving in Pacific Time

The time dilatation continued and we arrived in Pacific time. It was a slight struggle to get up as we spent quite some time in the club and only got a few hours of sleep.

Dialing into the Past: RCE via the Fax Machine - Because Why Not? by Rick de Jager and Carlo Meijer. After getting some big $$$ at pwn2own, Rick and Carlo wanted to have some fun and thought that a printer can be pwned not just through by printing a document but also remotely by receiving a fax. Surprisingly, the fax interface allows sending different formats, including print documents that are then processed by the printer. They used their Jpeg2000 bugs to trigger an RCE through the fax subsystem and ultimately ran DOOM. I later had some fun playing with the DOOM interface on the printer as well. Super cool hack.

Beyond BLE: Cracking Open the Black-Box of RF Microcontrollers by Adam Batori and Robert Pafford. Another talk I sadly missed but heard lots of good things about. Added to my watch list for later.

Ultrawide arecheology on Android native libraries by Luca and Rokhaya. Luca and Rokhaya have been working on Android apk analysis for a while and they used this opportunity to present some cool insights they found when downloading lots of APKs and trying their best with modern machine learning solutions. As it turns out, downloading large amounts of APKs is hard in the first place. Surprisingly, many apps have native libraries and most of them are downloaded from Maven and other repositories. Developers rarely compile their native libraries and just dump zip archives into their code (which is a security nightmare as well but alas). When evaluating the binary similarity machine learning solutions, they discovered that these tools don't scale to realistic datasets. While they could be useful for tiny datasets where function comparison is necessary, they will not be useful for large scale analysis.

Ten years of Rowhammer: A Retrospect (and Path to the Future) by Daniel Gruss, Martin Heckel, and Florian Adamsky. Another talk I missed but according to the coverage, looks like it was super fun! I'll definitely watch the recording.

Departure

On the last day, we enjoyed a final breakfast and headed to the harbor. As it was the first time in Hamburg for several HexHivers, we had to stroll through the fish market, get a tasty Matjes sandwich, walk the Elbtunnel and then it was already time to get to the airport and back to Switzerland.

We'll be back next year with hopefully another talk, renewed energy, cool hacks, and lots of time to talk to people. So long, see you next year at the congress, and hack the planet!

links

social