Another year, another CCC. As every year, I went to Hamburg to appreciate all galactic life forms in their diverse multi-dimensional environment. My goals this year were the usual meet-ups with friends I haven't seen in a long time, getting inspired for new research directions, catching some talks, and, ideally, playing a bit of CTF if there was time.
This year, we also had a talk on the first day, so quite a bit of time went into preparing and rehearsing. Luckily, the talk went smoothly and we had a lot of time afterwards to achieve all the other goals.
The congress is a bit like coming home. Every year I feel incredibly welcome. There's lots of blinking lights, diverse music playing, a few bars with Mate, coffee, and beers along with enough time to chat, explore, and hack. The congress is a way for me to recharge and get ready for the next year.
I have two hearts beating in me. The first is an academic that tries to improve security at a global scale by developing new techniques and analyzing weaknesses. The other is a hacker that is driven by the curiosity of how systems tick. At the congress, I can live the hacker heart.
Like last year, a bunch of my group explored the congress alongside me, and it was also great to meet a few former HexHivers.

Same as each year, I attended a few talks and, given the 14,000 attendees, did not make it into the rooms for some of the others. The rest of this blog post highlights some of the amazing talks and gives a small summary of each.
Day 1: Quality Talks
Liberating Bluetooth on the ESP32: Anton reversed the proprietary BT stack for the ESP32 and liberated it, now allowing an open source implementation that gives developers direct access to low-level traffic, per-channel scans, arbitrary BT RF traffic, and lots of low-level features that are otherwise hidden behind the HCI stack.
Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs: thimstar presents a wild story on glitching AMD CPUs to tease out internal ARM cores, extracting boot ROMs, and trying to get code execution way before the x86 cores start to execute. An extremely interesting deep dive into glitching, mod chips, and the exploration of the dark arts.
Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot: stacksmashing and nsr give an overview of the Raspberry Pi RP2350 processor, which combines a nice ARM core and a RISC-V core with glitch detection, one-time programmable memory, and a bunch of other security features at an unbeatable price point of $1. They discuss the results from the bug bounty, along with attacking the OTP PSM, forcing a vector boot, laser fault injection, an OTP read double glitch, and FIB antifuse extraction to read the 16-byte secret hidden in the OTP memory.
To sign or not to sign: Practical vulnerabilities in GPG & friends: 49016 and Liam presented some of their research into GPG signature verification. During the talk, they demonstrated a few issues with signature parsing, along with violated signature checks, wrong signatures, and even a few memory corruptions. Apart from the awesome vulnerabilities, this talk highlights some of the issues with old open source projects. Many of these projects have strong leaders who struggle with assessing security issues. Liam and 49016 had a hard time convincing the maintainers to assign CVE numbers despite being able to fake signatures.
Escaping Containment: A Security Analysis of FreeBSD Jails: ilja and Michael Smith target a slightly different angle this year and look at FreeBSD jails, in particular at the remaining attack surface of the kernel and how to abuse it to break out of the jails. By enumerating the attack surface and thoroughly exploring it, they found several severe bugs. An interesting observation was that there are still quite severe memory corruption vulnerabilities in the FreeBSD kernel. Compared to Linux, this was somewhat surprising, as the kernel there is thoroughly fuzzed through syzkaller.
Die Känguru-Rebellion: Digital Independence Day <https://media.ccc.de/v/39c3-die-kanguru-rebellion-digital-independence-day>: Marc-Uwe Kling and Linus Neumann talked about digital independence and called for digital sovereignty in a fun way. This talk, apart from the comedy aspect, highlighted the need for Europe to create, manage, and deploy our own independent services, ideally built on open source.
Not To Be Trusted - A Fiasco in Android TEEs <https://media.ccc.de/v/39c3-not-to-be-trusted-a-fiasco-in-android-tees>: In our talk, we presented a chain of bugs that results in a full compromise of Beanpod TEEs. I blogged about our talk earlier.
Hacking washing machines: Hajo and Severin started looking into old broken washing machines from Miele and B/S/H. After some exploration, they moved up to newer devices, reverse engineered several of the newer connected systems, and enabled interesting debug features.
Bluetooth Headphone Jacking: A Key to Your Phone: Dennis and Frieder presented their research on impersonating Bluetooth devices. Their twist was essentially that they could read out the Bluetooth address and keys by connecting to specific vendor chips and then take over sessions. They highlighted the attack vector of the HFP (hands-free) profile, which allows taking calls and redirecting them over Bluetooth to hijack second-factor validation.
Day 2: All about the social interactions
Don't look up: There are sensitive internal links in the clear on GEO satellites: Nadia and Annie expanded on their earlier research on unencrypted satellite backend communication. They presented some new findings, including military operations conducted in the clear. One of the difficulties that led to this security breach is that users have no (legal) way to pentest this backend.
Xous: A Pure-Rust Rethink of the Embedded Operating System: bunnie and xobs presented their work on an embedded Rust operating system, along with the design of a microkernel. While the OS was pretty standard stuff, they also presented a new RISC-V devboard that we got to play with. While bunnie only spent a few slides on the technical details, I was impressed by how he snuck a RISC-V chip in alongside a fused-off ARM chip to save on royalty fees.
The rest of the day, I spent mostly socializing and talking to other people in different assemblies.
Day 3: A few more talks
Build a Fake Phone, Find Real Bugs: Qualcomm GPU Emulation and Fuzzing with LibAFL QEMU: Romain, who is still pushing on his PhD at EURECOM, tells us how to target Qualcomm GPUs through a LibAFL driver on Android. This talk is a great intro to LibAFL usage and how to write fuzz drivers for not-too-easily-reached targets. Overall a great intro to GPU fuzzing as well. And Romain found lots of cool bugs, so definitely recommended.
The Angry Path to Zen: AMD Zen Microcode Tools and Insights: Benjamin builds on earlier research on reversing the AMD K8 and K10 microcode and ports it to get into Zen. In this talk he quickly introduced the concept of microcode patching and discussed, at length, how he built an extensive toolchain to create your own instructions.
Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM: Martin, Florian, and Daniel gave an overview of Rowhammer and presented some studies of Rowhammer in the wild, where they distributed USB sticks to a thousand participants and got them to run the code on their systems to test for Rowhammer-flippable bits according to diverse patterns.
Von Fuzzern zu Agenten: Entwicklung eines Cyber Reasoning Systems für die AIxCC: Mischa and Annika introduced the audience to fuzzing, LLMs, and how they are used as part of a cyber reasoning system at the AIxCC. The goal of this DARPA competition was to develop an end-to-end cyber reasoning system that finds bugs and creates exploits, but also patches them. They discussed the common approaches used by the different teams along with some limitations. A great overview and introduction to this topic.
Gen.Polyb.io workshop: This year, there was a fun new game at the congress. One could register a simple NFC card at a base station. After joining a faction, one could "capture" other base stations, redirect energy, and gain points for their team. This was a super fun treasure hunt to find all the different stations, and it kept us up one night. On the third day, the developer of the stations gave a workshop on how he built the system, what software was running, and how to make it tamper resistant. Overall a cool insight into low-level hardware.
Departure
On the last day, I grabbed a quick breakfast and headed towards the airport. After a stroll through the harbor area, I did a quick stop to explore some caches and then caught up with some emails at the airport.
I'm sure that I missed many great talks, but that's part of the congress experience: you live in the moment and randomly pop into workshops and talks while missing out on some others. Luckily, most talks are recorded and I'll be able to catch up later, so let me know if I missed your favorite talk in my list above.
We'll be back next year with hopefully another talk, renewed energy, cool hacks, and lots of time to talk to people. So long, see you next year at the congress, and hack the planet!