I had the pleasure to attend the Chaos Computer Congress 38c3 at end of last year in Hamburg, and it was glorious! Plenty of hacking, awesome presentations, meeting people from all the different communities, and seeing old friends …
The recordings are already online at https://media.ccc.de/ , and while some presentations have been covered extensively in the news (such as the the identified vulnerabilities in the the German health records (ePa) or the 9 terabyte location data leak from Volkswagen ), there was just too much going on in parallel to get the full picture while there.
You can find the agenda for the three main stages at the 38c3 “Fahrplan” , but make sure to also check the self-organized session . Ranking the recordings by view count can also help to identify talks with an impact.
Comparing it with the previous years in Leipzig, the whole event felt really packed with people. Having a large (2D) congress center had its benefit, and the overall 3D layout of the event location in Hamburg made it somewhat tricky to be on time if you wanted to change rooms between talks. Sometimes rooms were full, and left me streaming them either live, or after the event.
Overall nonetheless a really great experience, I can only recommend it for anyone interested in digital privacy & IT security. Some of my favorite presentation were:
Wir wissen wo dein Auto steht - Volksdaten von Volkswagen Link to heading
Impressive presentation - someone identified an Java Spring endpoint from Volkswagen that had the /actuator/heapdump unprotected, and found the AWS credentials where telemetry data is uploaded from vehicles in that heap dump. They accessed the cloud storage and downloaded everything, multiple years of (partially unredacted) GPS coordinates of 800.000 vehicles. Everytime trip, stored by vehicle. It is rather easy to identify with that where people work, where they live, and what they do on the weekends. Obviously presented with German secret services (BND, Bad Aibling), or who visits a brothel. They also found a way to mint JWT authentication cookes, for every user (which is really bad). You can watch the presentation here
From fault injection to RCE: Analyzing a Bluetooth tracker Link to heading
Nice work on reversing a Bluetooth tracker , namely the Chipolo ONE. He used a ChipShouter to bypass the access protection of the tiny Cortex-M0 by Dialog, now Renesas, and got access to the RAM. From there he could read the entire firmware, which was surprisingly NOT loaded from flash and was thus one-time programmable, and piped it into Ghidra. From there he identified that one could upload a custom melody for the tag to play, got a memory corruption, and was in the end able to dump the entire firmware over BLE.
From Pegasus to Predator - The evolution of Commercial Spyware on iOS Link to heading
From all presentations I’ve seen, definitely the one with the highest density of overall information. Basically an overview of all the known commercial spyware samples for iOS, how they operated and how they can be detected. Ranging from Pegasus by NSO Group to I-SOON , and many more.
He gave numerous other presentations with related topics recently which I’ll definitely check out, be it at Blackhat 2024 with a presentation You Shall Not PASS - Analysing a NSO iOS Spyware Sample or at Objective by the Sea .
Databroker Files: Wie uns Apps und Datenhändler der Massenüberwachung ausliefern Link to heading
All the details on how netzpolitik.org members got access to an enormous sample of 3.6 billion user location data within Germany, and have extensively written about last year as part of the Databroker Files . Covered roughly two months and made users trackable anytime they used one of the apps that exfiltrated user location upon usage. For about 14k€, customers of these data broker services can get access to the location data of millions of devices, embedded in software development kits and often uniquely identifyable with the advertisement ID of the device. Even though users can rotate their advertisement IDs, I’d expect that no one ever does this. Its a pity that Apple users have to jump through hoops to get access to their raw advertisement IDs.
Their recent article on 3.6 million mSpy user support tickets is also worth every minute reading it. Its crazy how users thought that surveilling a loved one would be ok.
Going Long! Sending weird signals over long haul optical networks Link to heading
Great talk by Ben Cartwright-Cox on his journey on sending TOSLINK audio signals, known for transmitting the audio at home from e.g. a TV to a receiver, over commercial data fibre. Really funny, because the TOSLINK standard is defined to work for anything <10m, and he managed to make it go 140km between two data centers :) … why would he do that? Because he could, and wanted to try how far he can get.
From Silicon to Sovereignty: How Advanced Chips are Redefining Global Dominance Link to heading
Amazing presentation on how the global chip market works , and why companies such as Zeiss, Trumpf or Synopsis are the hidden champions behind the better known ones such as ASML and TSMC. He also described how the newest ASML extreme-UV lithography systems work. In short: really crazy engineering, and shooting darn powerfull lazzers at liquid tin drops while they are falling down - twice. But its not only that, also the engineering involved in algorithmically determining the masks is breath takingly complex, for steering the UV light onto the wafer using super-flat mirrors. Definitely among the reasons why one of these machines cost 350 million Dollars, and they are the only ones building these. Physics, it works!