After a three-year hiatus due to the pandemic, the Chaos Communication Congress is finally back at an onsite venue. For those that don't know, the congress is the biggest hacker Conference in Europe. It is known not just for deep technical talks and amazing hacks but also for political talks and a positive and inclusive community. This year, the congress moved back from the Messe in Leipzig to the CCH in Hamburg. After outgrowing the congress center in Berlin (with around 3000 to 4000 attendees) the congress quickly expanded in Hamburg, reaching 12,000 attendees before relocating to Leipzig due to lack of space. After three years of sadness, we're back in Hamburg. The CCH was finally renovated and offers a bit more space, larger lecture halls, and more room for assemblies.
After arrival around noon on December 27, the first impression was somewhat disappointing. Compared to earlier years, there were much fewer installations and much less (for lack of a better word) "spirit". While the congress always was and always will be chaotic, this year there seemed to be much less energy. Luckily over the next couple of days, the spirit picked up and people started building and constructing things. Let's hope that the community rediscovers the energy that made the congress such an amazing experience.
Day 1: Familiarization
The first day usually follows a slow start to get into the congress mood. Assemblies are still built up, people find their place and bearings, and the first talks are being watched. This year, I arrived a little late but quickly got settled so that I could start with a couple of fun talks.
Apple's iPhone 15: Under the C: stacksmashing talks about difficulties with new iPhones where the connection to the system is now over USB-C instead of the proprietary cable. This change made a lot of reverse engineering tools useless. After a short background on the past of iPhone hacking, he goes into detailf how to uncover hidden interfaces when interacting with the new iPhone 15. The talk is recommended for hardware and iPhone hackers and generally, because stacksmashing is an amazing speaker.
Toniebox Reverse Engineering: this talk focused on reverse engineering the Toniebox ecosystem. A Toniebox is an audio player for kids. Using little figurines (with embedded NFC tags) kids can select the story or music they want to play. By tapping left and right the kids can advance to the next song or go back. Similarly, two ears allow the kids to increase and decrease the volume. The hackers completely reverse-engineered the Tonie ecosystem from the "locked" NFC and how to clone it to how they can intercept any interaction of the Toniebox with the backend servers. Interestingly, this allowed them a full compromise of the system including the ability to have an alternate backend server. Apart from fully compromising the Tonie ecosystem (which is an amazing hack), the researchers also discovered that Tonieboxes have extensive logging facilities. Every single button press, Tonie change, and interaction is sent to the Tonie server, resulting in a huge privacy violation. Just for this discussion, it is worth to watch the talk!
Adventures in Reverse Engineering Broadcom NIC: Hugo went on a journey of writing an open driver for Broadcom NICs. In the talk, he focused on some of the difficulties in how the NIC is set up and how the interaction between different parts (and ports) of the NIC works. Apart from lots of details on opaque-box engineering, I found it most interesting that these NICs have chips with several different architectures that interact with each other.
Breaking "DRM" in Polish trains: this talk was one of the highlights of 37c3 for me. A service station for trains discovered that trains from another manufacturer stopped working after being serviced in their shop, only returning to service after the original manufacturer was paid a ransom. The repair shop called on dragonsector, the top Polish CTF team to investigate. The hackers discovered that the manufacturer introduced several kill switches and geo-fencing to prohibit repair from other shops. Luckily, the hackers also discovered some opportunities to get around these kill switches and reinstantiate the functionality of the train. The audacity of the original manufacturer is as mind-boggling as the awesomeness of dragonsector. A must-watch!
Kein(!) Hacker Jeopardy: instead of the beloved hacker jeopardy, Ray tried a different game this year following the 90ies game show "Ruck Zuck". While the people played along, "Hack Zuck" was not nearly as much fun as hacker jeopardy as the audience could not guess themselves. I hope that hacker jeopardy will return next year!
Day 2: Exploration
On the second day, I started exploring the congress center a bit more but also found time for a few talks. The second day is usually the peak as one still has enough energy to push while already having familiarized themselves with the situation. It was good to see several art projects being built up and the congress center slowly turned into a hack center. Apart from watching talks, I also soldered a badge --- the Blinkenrocket --- and played with the badge software a bit.
Why Railway is safe but not secure: Katja gave a nice overview of how "security" is integrated (or not) into rail systems. Railways focus on safety but not security (or privacy) per se. Coming from mechanical and electrical engineering and not computer science, railways focus on physical safety but are somewhat oblivious to computer security. If security standards are defined, they often hardcode ciphers without clearly specifying attack models. Katja therefore called for a rethinking of security for railway systems and more discussion between computer security and railway folks. The talk somewhat reminded me of Stefan Katzenbeisser's talk several years ago which also held up quite well.
Fuzz everything, everywhere, all at once: The LibAFL and AFL++ authors gave a great talk introducing the AFL++/LibAFL framework. Along with discussing hard-to-fuzz targets such as firmware or embedded systems, they also discussed how fuzzers can be customized and improved. Overall a good overview for people not necessarily new to fuzzing but new to LibAFL.
Nintendo hacking 2023: 2008: PoroCYon introduced us to the Nintendo DSi and its peculiarities. After discussing the hardware details and previous hacking attempts, he went deep into the weeds of the different subsystems. Using glitching, PoroCYon managed to dump the firmware and discover interesting attack points which allowed him to finally build a modchip for the DSi. Great low-level talk with lots of embedded systems and ARM details.
Demoscene now and then: amazing talk about the demo scene with lots of demos. Must watch as entertainment and to get into the scene.
ARMore: Pushing love back into binaries: Luca's talk on how to efficiently rewrite ARM binaries statically. After discussing the challenges of rewriting aarch64 binaries, Luca explained how he solved them using a combination of a rebound table, execute-only memory, and careful rewriting. The live version of the talk was a bit broken due to a continuous silent fire alarm that turned off the audio for about 1/3 of the time. Watch for an introduction to ARM assembly and rewriting.
BLUFFS: Bluetooth forward and future secrecy attacks and defenses: Daniele introduced his recent BLUFFS attacks against the Bluetooth standard compromising forward secrecy and future secrecy. Attacks against the Bluetooth standard are universal and work on all implementations (that faithfully implement the standard), they are therefore extremely severe and hard to patch. Oddly, the Bluetooth standard so far did not discuss forward and future secrecy and therefore missed protecting against those types of attacks. Daniele mentioned that he discovered these issues while playing with older attacks, replaying them, and fiddling with bits in the protocol setup. It's somewhat surprising that such heavy attacks exist in the Bluetooth standard despite the large consortium and many researchers analyzing the protocol. Very likely, there are many more such bugs lurking, so this may serve as a call to action for other researchers!
FNORD Jahresrückblick: The FNORD news show is usually a great review of the past year. This year, Fefe and Frank tried to review the past four years to highlight the main themes and issues. The first hour was quite entertaining but then the news got a bit repetitive. Maybe I was too tired or reviewing four years is just too much? In any case, I look forward to the next show next year that only covers one year!
Day 3: Exploitation
Fuzzing the TCP/IP stack: Ilja is known for great talks and deep knowledge of software and systems security, this talk was, therefore a must for me. Especially as Ilja wanted to talk about fuzzing TCP/IP stacks, I was even more excited. Sadly, Ilja did not get too far into details. He gave an overview of simple fuzzing techniques and highlighted the need for stateful fuzzing for network stacks. Unfortunately, he could not finish the implementation of his fuzzer and therefore wasn't able to highlight any cool findings. Overall a topic with lots of potential but I was a bit disappointed by the talk.
Full AACSess: Exposing and exploiting AACSv2 UHD DRM for your viewing pleasure: Adam gave an amazing talk about breaking DRM. Contrary to the title, this talk did not just focus on AACSv2 but Adam started with earlier systems such as CSS, and how they were broken. The team fully broke AACSv2 using a combination of reverse engineering, protocol analysis, and lots and lots of patience. Apart from all the cool technical details, a highlight for me was the primer on SGX remote attestation and how it can be broken through side channels. They even demonstrated how they can extract the core keys for the whole DRM scheme using an attack against Intel SGX. Watch this talk for details on DRM protocols, SGX remote attestation, and lots of breakage. This was my second favorite talk of the congress.
Finding vulnerabilities in Internet-Connected Devices: The two researchers focus on the Poly ecosystem of smartphones (for Zoom and MS Team calls) and demonstrate the insecurity of the IoT ecosystem. By focusing on a simple example, they highlighted some of the cool attack vectors along with their thought process. Good introductory talk into IoT hacking.
Writing secure software: Fefe's talk about how to write secure software using his blog as an example. In short, the key takeaways can be summarized as (i) good threat modeling, (ii) reducing attack surface, (iii) compartmentalization, and (iv) append-only storage. I enjoyed the talk even though some parts felt a bit artificial.
What your phone won't tell you: Lukas talks about how to discover fake base stations. Using a query service and a set of simple rules, phones can detect if fake base stations are nearby and potentially alert users. The rules seemed a bit simplistic but likely will work reasonably well. As it turns out, crowd-sourcing measurements and sharing data of observed base stations can be used nicely to mitigate potential attacks.
Day 4: Departation
After three days full of talks, the fourth day focused mainly on non-technical talks. As I was not interested in them, I enjoyed the opportunity to socialize, connect, discuss, mingle, and hack. While the talks at the congress are always amazing, it's important to focus on the social aspects as well. In my opinion, the congress provides this amazing opportunity to interact with the hacker community and to learn.
The congress is always more than just the talks. It's about meeting friends, forming connections, hacking some code at 4 in the morning after dancing in the club, and watching the occasional talk. I'll see you there next year with new talks, renewed energy, and lots of community spirit! So long, and see you next year at the congress!