Chaos Communication Congress 38C3

Illegal Instructions

by Ralph Meier
on January 23, 2025
time to read: 30 minutes

Keypoints

My experiences from 38C3

  • The Chaos Communication Congress is considered one of the largest conferences in the hacker scene
  • 15,000 people took part over the four days
  • There were three main tracks with various talks in different areas, plus smaller stages and self-organised sessions
  • The installed infrastructure with the DECT system, area-wide WLAN, own mobile network, Chaos Post, all the logistics etc. is huge and interesting to experience

In this article, I’ll give an insight into my first visit to a Chaos Communication Congress. Until 38C3, I wasn’t really experienced in security congresses, aside from the last two Area41 conferences in Zurich. The Chaos Communication Congress is an annual conference organised by the Chaos Computer Club, which takes place at the end of the year between Christmas and New Year’s Eve. At 38C3, around 15,000 people participated from December 27 to December 30, 2024. The Chaos Communication Congress has been held since 1984 and, together with the well-known DEF CON in Las Vegas, is one of the largest events of its kind.

Day 1

Due to several Christmas parties, I decided to arrive on day 1 of the congress. When the 38C3 timetable was published, I already realised that I would probably miss the first talk on my list, ACE up the sleeve: Hacking into Apple’s new USB-C Controller, as well as the opening ceremony.

The timing didn’t look too bad when I dropped my luggage off at my accommodation and set off for the Congress Center Hamburg (CCH) with Hamburg’s public transport system. What I hadn’t realised was how long the queue at the congress entrance, where tickets were exchanged for the congress wristband, would be: there were about 200-300 people in it, although an experienced CCC fellow had warned me about this beforehand. Fortunately, almost all the talks were recorded and can be viewed in the media archive, which is where I watched this particular talk afterwards.

I finally received my congress wristband and was able to enter the CCH, which extends over four floors and has a total area of 36,000 square metres.

Congress Center Hamburg

First I had to find my way around, and so I ended up in the ZIGZAG room, where I was able to listen to the end of the talk Police 2.0: Peaceful activism is terrorism and fakenews are facts by Frank van der Linde and Lori Roussey.

Afterwards, I attended the talk Liberating Wi-Fi on the ESP32 by Simon Neuenhausen and Jasper Devreker. They talked about how they built up their understanding of the Wi-Fi stack through reverse engineering and dynamic analysis with the help of a Faraday cage, and how they were then able to extend the Wi-Fi stack. Building the Faraday cage was a challenge in itself, as the ESP32 required power and a connection to the internet inside the cage for their purposes. A fibre optic cable provided the internet connection into the cage, and rechargeable batteries the power supply. Using a microwave oven as a cage is also suggested online, but the presenters did not recommend this, as calls or Wi-Fi signals could still get out or in; accordingly, signals from external devices were also picked up inside the microwave. One of the extensions presented was Ferris-on-Air, an asynchronous IEEE 802.11 stack written in Rust.

The next talk, which I was able to attend from the very beginning, was about the upcoming electronic patient file (ePA). Incidentally, as it turned out over the course of the whole conference, the topic was quite popular in various talks. The talk „Konnte bisher noch nie gehackt werden”: Die elektronische Patientenakte kommt – jetzt für alle! was held by Bianca Kastl and Martin Tschirsich, both of whom had already shared their knowledge at the Chaos Communication Congress several times before. The ePA is to be introduced throughout Germany in mid-February 2025 in an opt-out procedure, so anyone who does not take action will automatically receive an electronic patient file. First, there was a review of the vulnerabilities that have been discovered, reported and fixed in recent years. These included SQL injections as well as some very curious vulnerabilities. One example from 2020 was connectors in doctors’ offices that had been connected the wrong way around, which would have allowed full access to the ePAs of the affected service providers from the internet. In 2022, video identification was added, but this was also bypassed several times. After that, both explained the current situation regarding card issuer portals, which were affected by SQL injections that led to full access to ePAs. Card readers could be purchased on Ebay Kleinanzeigen (a German online classifieds service), sometimes even with cards that still had valid certificates and thus allowed access to the patient data of the respective practice, a kind of recycling of the certificates. Medical practice IT was vulnerable on a large scale.

The next talk was What the PHUZZ?! Finding 0-days in Web Applications with Coverage-guided Fuzzing. In it, Sebastian Neef talked about searching for vulnerabilities in PHP web applications by fuzzing with partially predefined targets. There is a lot of research on fuzzing binary applications, but hardly any on web applications, partly because it is difficult to feed the results back to the fuzzer. The fuzzer PHUZZ was developed from his research. It consists of several Docker containers, including a browser, a crawler, one or more fuzzers, and the web server with the PHP web application. To use PHUZZ, the source code of the web application is required. In addition, the user must manually pass the endpoints to be tested and the parameters to be injected to the fuzzer as a HAR file. PHUZZ then performs random byte-level manipulations. The byte level was chosen because the error rate at the bit level would have been too high due to non-representable characters. Sebastian showed on various vulnerable web applications that PHUZZ performs significantly better than comparable products with scanning and fuzzing functions, such as Burp Suite, ZAP, Wapiti and WFuzz. When testing for 0-day vulnerabilities in the 183 most popular WordPress plugins, PHUZZ performed at a comparable level to Burp Suite Pro, except in the path traversal category, where it far exceeded the Burp Suite Pro scanner. PHUZZ has definitely sparked my curiosity, and I am excited to see how it develops in the future.
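To make the byte-level versus bit-level point concrete, here is an added Python example written for this article (it is not code from PHUZZ or from Sebastian Neef). It mutates a constructed query string with both strategies and measures how often the result is still representable as text that a browser, crawler and PHP stack would pass through unchanged. SEED_INPUT, the printable-ASCII alphabet and the representability criterion are my own assumptions, not PHUZZ's.

```python
import random
import string

# Constructed sample input, not from PHUZZ: a typical query string a web fuzzer
# would mutate.
SEED_INPUT = b"id=42&name=alice&page=1"

# Alphabet for byte-level mutations: every byte is a printable ASCII character
# (or whitespace), so a mutated input always stays representable.
BYTE_ALPHABET = string.printable.encode()


def mutate_bit_level(data: bytes, rng: random.Random, flips: int = 1) -> bytes:
    """Flip `flips` random bits anywhere in the input (classic binary fuzzing)."""
    buf = bytearray(data)
    for _ in range(flips):
        pos = rng.randrange(len(buf))
        buf[pos] ^= 1 << rng.randrange(8)
    return bytes(buf)


def mutate_byte_level(data: bytes, rng: random.Random, edits: int = 1) -> bytes:
    """Overwrite `edits` random bytes with bytes drawn from BYTE_ALPHABET."""
    buf = bytearray(data)
    for _ in range(edits):
        pos = rng.randrange(len(buf))
        buf[pos] = rng.choice(BYTE_ALPHABET)
    return bytes(buf)


def is_representable(data: bytes) -> bool:
    """True if the input decodes as UTF-8 and consists only of printable or
    whitespace characters (assumed criterion for 'representable')."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch.isspace() for ch in text)


def representable_rates(trials: int = 1000, seed: int = 1) -> dict:
    """Share of representable inputs produced by each mutation strategy.

    A bit flip in the top bit of an ASCII byte yields an invalid UTF-8 sequence,
    and flips in lower bits frequently land on control characters, which is why
    the bit-level rate falls well below the byte-level rate of 100%.
    """
    rng = random.Random(seed)
    counts = {"bit": 0, "byte": 0}
    for _ in range(trials):
        if is_representable(mutate_bit_level(SEED_INPUT, rng)):
            counts["bit"] += 1
        if is_representable(mutate_byte_level(SEED_INPUT, rng)):
            counts["byte"] += 1
    return {strategy: hits / trials for strategy, hits in counts.items()}


if __name__ == "__main__":
    for strategy, rate in representable_rates().items():
        print(f"{strategy}-level mutation: {rate:.1%} of inputs representable")
```

Swapping SEED_INPUT for a real captured parameter value (for instance from a HAR file) shows the same effect; the byte-level strategy wastes no iterations on inputs the target would reject before they reach the application logic.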

Before the dinner break, I stayed in the ZIGZAG room for the talk From fault injection to RCE: Analysing a Bluetooth tracker by Nicolas Oberli, a security researcher from Switzerland. His talk was about analysing and exploiting vulnerabilities in the Chipolo ONE Bluetooth tracker. Using fault injection techniques such as voltage fluctuations and electromagnetic fault injection, instructions could be skipped during the boot process, which allowed the RAM to be dumped and analysed later. Unfortunately, the chip of the first test device broke after a few unsuccessful attempts. This can certainly happen during so-called glitching; a glitch can also simply reset the device, and if it is too weak, nothing happens at all. Nicolas Oberli then talked about analysing the firmware and searching for vulnerabilities. Via the feature for adding a custom melody to the Bluetooth tracker, he was able to find and exploit a buffer overflow vulnerability.

After a one-hour dinner break, my programme continued in Room 1 with BioTerrorism Will Save Your Life with the 4 Thieves Vinegar Collective by Dr. Mixæl Swan Laufer. This was about “hacking” and producing affordable medicines such as epinephrine autoinjectors, Narcan (a medicine to prevent opioid overdoses), nitroglycerin (a medicine for heart attacks) and others. In addition, methods were presented that can be used to easily check the correctness of basic materials with a test kit or to exclude the possibility of dangerous substances.

After that, several defragmentation processes were carried out. A defragmentation consists of everyone in a row of seats sliding towards the middle, thus freeing the outer seats and filling the gaps in the row. When room 1 was full to the last seat, the talk Der Thüring-Test für Wahlsoftware by Linus Neumann and Thorsten Schröder began. In their talk, they defined the Thüring test for voting software, which consists of the following seven requirements:

Thüring test for voting software

These vulnerabilities were all discovered in the voting software PC-Wahl in 2017.

Logo PC-Wahl version 10, source: https://www.ccc.de/de/updates/2017/pc-wahl

This year, there were several glitches in various elections, partly due to faulty software and its operation. The CCC received a donation of the affected election recording software, which was developed by the Vote Group. The election recording software is distributed to every computer via USB stick and includes, among other things, a custom version of LibreOffice and a custom Chromium browser. It stands out with unsigned configurations, extensive use of Base64 in the signature function and shared passwords in plain text. However, with a bit of luck, there was no exploitable code injection. The final result of the Thüring test for the election recording software in 2024 was as follows:

Result of the Thüring test 2024

Refreshed with a mate, I then moved on to the talk Wir wissen wo dein Auto steht – Volksdaten von Volkswagen by Flüpke and Michael Kreil. A large proportion of the affected vehicles are based on the modular electric drive system and belong to the brands VW, Audi, Seat and Skoda. The data search began with Subfinder and continued with directory enumeration using Gobuster. This revealed a backend based on Java Spring in which the actuator had not been deactivated; more precisely, the endpoint /actuator/heapdump could be accessed via a browser without a password. AWS access data could be read from the heap dump using VisualVM, and with the help of the tool strings a client_id and client_secret could also be extracted. With this access, the following data could be viewed:

stored vehicle data

Apparently, the misconfiguration occurred as follows:

Pyramid Start of open field observation

The review process is missing!

The Beginn der offenen Feldschlacht pyramid, which was still very new at the time of 38C3, was frequently used in talks and pleased the audience. The data that was found was then visualised in an artistic way during the talk. This involved 15 million enrolment records (chassis number, model, year of manufacture, country and user ID), 600,000 user records (user ID, name, email address and, in some cases, date of birth, mobile phone number and address) and 9.5 terabytes of event data (status reports including geocoordinates). A total of 807,357 vehicles are affected by the geocoordinates, more than half of them Volkswagen and Seat vehicles with an accuracy of 10 cm, while Audi and Skoda vehicles have an accuracy of 10 km. Here you can watch the whole talk.
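The root cause described above, an actuator left reachable on the public application port, is something a build pipeline can catch before deployment. The following is an added Python example written for this article (not code from the talk or from the affected backend) that audits a Spring Boot application.properties file for sensitive actuator endpoints exposed over HTTP. The two sample configurations are constructed, the set of endpoints treated as sensitive is my own choice, and the assumed default when no include list is present is noted in the code.

```python
from typing import Dict, List

# Constructed sample configurations, not the backend from the talk.
WEAK_PROPERTIES = """
server.port=8080
# Exposes every actuator endpoint, heapdump included, on the application port.
management.endpoints.web.exposure.include=*
"""

HARDENED_PROPERTIES = """
server.port=8080
# Expose only the health endpoint over HTTP and move the actuator to a separate,
# internally reachable management port.
management.endpoints.web.exposure.include=health
management.endpoints.web.exposure.exclude=heapdump,env,threaddump
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.server.port=9090
"""

# Actuator endpoints whose output hands a reader process memory, environment
# variables or configuration: the kind of material the talk showed being mined
# from a heap dump with VisualVM and strings. The selection is my own.
SENSITIVE_ENDPOINTS = {
    "heapdump", "threaddump", "env", "configprops", "beans", "mappings",
    "loggers", "shutdown",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for Java .properties syntax (key=value or key: value)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, found, value = line.partition(sep)
        if found:
            props[key.strip()] = value.strip()
    return props


def _csv(props: Dict[str, str], key: str, default: str) -> set:
    """Split a comma-separated property value into a set of names."""
    return {item.strip() for item in props.get(key, default).split(",") if item.strip()}


def audit_actuator_exposure(text: str) -> List[str]:
    """Return one finding per sensitive actuator endpoint reachable over HTTP."""
    props = parse_properties(text)
    # Assumption: if no include list is set, only 'health' is exposed over the
    # web (the default in recent Spring Boot releases; older 2.x also exposed info).
    include = _csv(props, "management.endpoints.web.exposure.include", "health")
    exclude = _csv(props, "management.endpoints.web.exposure.exclude", "")
    findings: List[str] = []
    if "*" in include:
        findings.append("wildcard exposure: management.endpoints.web.exposure.include=*")
        exposed = set(SENSITIVE_ENDPOINTS) | {"health", "info"}
    else:
        exposed = set(include)
    exposed -= exclude
    for endpoint in sorted(exposed & SENSITIVE_ENDPOINTS):
        # An exposed endpoint is still harmless if it is disabled outright.
        enabled = props.get(f"management.endpoint.{endpoint}.enabled", "true").lower()
        if enabled != "false":
            findings.append(f"/actuator/{endpoint} is exposed and enabled")
    if findings and "management.server.port" not in props:
        findings.append("actuator shares the application port (management.server.port not set)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, audit_actuator_exposure(cfg) or ["no findings"])
```

The check is deliberately conservative: a wildcard include is reported even when individual endpoints are disabled, because the next endpoint added by a dependency upgrade would be exposed without anyone changing the configuration.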

At the end of the first day, I wanted to listen to the talk we’ve not been trained for this: life after the Newag DRM disclosure by Michał Kowalczyk, Serge Bazański and Jakub Stepniewicz. It was about the year after the publication of the mechanisms they had identified in the software of Polish Newag Impuls trains, which completely disable the driving function. The findings were presented at 37C3 and are well worth watching: Breaking DRM in Polish trains. In the year following the publication, they were confronted with parliamentary working groups, criminal proceedings, civil lawsuits and a TV documentary. The talk has great entertainment value and was an ideal end to day 1.

Day 2

My first talk on the second day started with a loud moin and was called Erpressung aus dem Internet – auf den Spuren der Cybermafia by Svea Eckert and Ciljeta Bajrami. The talk began with a real-life sextortion case that started on the dating platform Bumble and involved an attempted extortion of $2,000. The speakers then told the story of “Neo”, who was abducted to a fraud factory, his rise there and subsequent escape, as well as the disclosure of the documents and photos he smuggled out. In the fraud factory, many abducted people were trained to become scammers in order to defraud people of their money on a large scale by phone or via the internet.

The following talk From Pegasus to Predator – The evolution of Commercial Spyware on iOS was unfortunately already at its full capacity. Fortunately, it was recorded and can be viewed in the media archive.

It seemed that some places were free again at the next talk, MacOS Location Privacy Red Pill: A Rabbit Hole Resulting in 24 CVEs, which was held in the GLITCH room by Adam M. During this talk, Adam talked about his approach to identifying multiple vulnerabilities in macOS apps, mostly in their handling of location data.

At 4:00 p.m., Der CCC-Jahresrückblick with erdgeist, Matthias Marx, khaleesi, Linus Neumann and Constanze Kurz was scheduled to start, but the talk was initially interrupted by four masked individuals holding up a banner reading Betroffenen glauben. They apparently did not agree with a decision made by the arbitration board, or with the fact that the alleged perpetrator was not banned from CCC events. After the CrewCrew stepped in, the talk could be held as planned. Among other things, the presenters discussed the political shift to right-wing parties in Germany, the introduction of biometric passports for children aged four and up, and the introduction of Palantir’s VeRA analysis software. The electronic patient file was also discussed, along with an outlook on the upcoming year, or more specifically the use of voting software in 2025.

After that, I took part in a self-organised session, or more precisely a beer tasting on the ground floor in the FoodHackingBase. The selection of beers was gigantic! We started with beer brewed according to the German purity law, then moved on to wheat beer, India Pale Ale, New England Pale Ale, a Christmas beer and also a smoked beer. The tasting was very informative and varied. Funnily enough, I met Stök, a Swedish hacker and YouTuber whose videos I often watched when I started my journey in IT security. There were other very interesting people there as well.

In the evening, I watched the talk BlinkenCity: Radio-Controlling Street Lamps and Power Plants by Fabian Bräunlein and Luca Melette. During the talk, they covered the discovery of radio-controlled street lamps, their subsequent research into radio control of street lighting, the frequencies used in Europe and the EFR ecosystem. EFR is a limited liability company offering energy management solutions in Germany and Central Europe that are responsible for controlling lighting systems, charging management for e-mobility and load control. The next topic was an attack on an entire lighting system in a large city: how they approached this and tried out various so-called “telegrams” in a self-built lab. They also looked at addressing street lighting and showed a demo video of shutting down a private photovoltaic system with a Flipper Zero. They then moved on to a possible attack on a solar park in order to activate power that had been switched off at peak times, thus causing grid instability and a possible Europe-wide power outage. They disclosed their findings to EFR GmbH.

In my last talk of the day, I learned about Wie fliegt man eigentlich Flugzeuge? from Christian Lölkes and kleinsophie. The presentation was very entertaining, peppered with funny anecdotes from the lives of a pilot and an engineer at air traffic control. They explained how a plane flies in the first place, and what a briefing entails, with all kinds of information about different flight zones and airports on a flight route.

How a plane actually flies

After that, I tried my first Tschunk, a drink made from rum, mate, cane sugar, lime and ice. As a big mate fan, I was of course immediately impressed.

In the quiz show classic 0, 1 oder 2 – Hackerei und Cyberbrei, I learned, among other things, that a 2-metre-high polystyrene egg with a concrete core has never been lost by the CCC’s logistics team, but a 7.5-tonne truck has, which has since been returned. I also learnt that Kaspersky once released a perfume called Threat de Toilette.

Day 3

The weather remained as it was on the last two days: grey and drizzly. It was perfect for spending another day at the CCH. I started the day with an extensive lockpicking session.

After that, I listened to the talk TETRA Algorithm set B – Can glue mend the burst? by Wouter Bokslag and Jos Wetzels, where they talked about the changes in Terrestrial Trunked Radio (TETRA), a European standard for trunked radio that is used worldwide by various authorities, police, military and critical infrastructures. Last year at 37C3, they talked about how they reverse-engineered the previously secret, proprietary encryption used and demonstrated various vulnerabilities. This year, they analysed the TEA algorithm set B (TEA5-TEA7) and demonstrated its problems. The talk went deep into the technical details and was very interesting.

After dinner, I continued with Knäste hacken by Lilith Wittmann. The presentation began with the various possibilities for prisoners to communicate with people outside the walls, which differ from prison to prison. For example, there are detention centres with corridor telephones, cell telephones or cell media systems (HamSy). Phone calls from prisons are expensive compared to mobile phone rates; in 2013, they cost up to 70 cents per minute when calling a mobile phone. Since 2023, however, the situation has improved, and you now only pay about 2-3 cents. In 2023, telio bought the other provider of prison cell telecommunications in Germany and has held a quasi-monopoly in this area ever since. While analysing the components of the telio system that can be accessed on the internet, Lilith found the way for relatives to deposit money into an inmate’s telephone account and determined the 7-digit ID used for this purpose. With the help of a script, she was able to enumerate various real IDs and thus view the name, phone credit and, in some cases, further details via this API.

Using information from Certificate Transparency logs, she found out that each prison has its own web address. Using the respective prison web addresses, it is possible to make video telephony requests from the outside with a previously discovered 7-digit ID. When these requests are processed, WebSockets are triggered in the background, allowing the name of the inmate, their internal booking number and other details to be read from the system. This was followed by the discovery of a GraphQL endpoint, which could be used to view further data on inmates, such as their current prison block, the exact prison, call logs including the relationship to the person calling, etc. After the disclosure to the affected agencies, the vulnerabilities were patched within days or the service was shut down, and press releases followed. It was also interesting that Lilith found a model of a smart prison in Finland that uses the same software, but with none of the identified security vulnerabilities.
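The enumeration of sequential 7-digit IDs described above leaves a characteristic trace in access logs: one client touching many distinct IDs in a short time, with a noticeable share of lookups for IDs that do not exist. As an added example written for this article (not code from the talk or from the telio system), the following Python function runs that detection over a constructed log excerpt; the log format, the /api/account/ path, the window length and the threshold are my own assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed access-log excerpt (not from the talk): ISO timestamp, client
# address, method, path carrying a 7-digit account ID, HTTP status.
# 203.0.113.7 walks through consecutive IDs within seconds; 198.51.100.20
# behaves like a relative checking a single account over several minutes.
SAMPLE_LOG = """\
2025-01-10T09:00:01 203.0.113.7 GET /api/account/1000001/balance 200
2025-01-10T09:00:03 203.0.113.7 GET /api/account/1000002/balance 404
2025-01-10T09:00:05 203.0.113.7 GET /api/account/1000003/balance 200
2025-01-10T09:00:07 203.0.113.7 GET /api/account/1000004/balance 404
2025-01-10T09:00:09 203.0.113.7 GET /api/account/1000005/balance 200
2025-01-10T09:00:11 203.0.113.7 GET /api/account/1000006/balance 404
2025-01-10T09:00:13 203.0.113.7 GET /api/account/1000007/balance 200
2025-01-10T09:00:15 203.0.113.7 GET /api/account/1000008/balance 200
2025-01-10T09:00:02 198.51.100.20 GET /api/account/1000042/balance 200
2025-01-10T09:04:30 198.51.100.20 GET /api/account/1000042/balance 200
2025-01-10T09:09:10 198.51.100.20 GET /api/account/1000043/balance 200
"""

# Assumed log layout; adjust the path pattern to the application under review.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) \S+ /api/account/(?P<id>\d{7})\S* (?P<status>\d{3})$"
)


def parse_log(text: str) -> Dict[str, List[tuple]]:
    """Group (timestamp, account id, status) events per client, sorted by time."""
    events: Dict[str, List[tuple]] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # lines that do not touch the account API are irrelevant here
        ts = datetime.fromisoformat(match["ts"])
        events.setdefault(match["client"], []).append((ts, match["id"], int(match["status"])))
    for evs in events.values():
        evs.sort()
    return events


def detect_id_enumeration(text: str, window_seconds: int = 60, min_distinct_ids: int = 5) -> List[dict]:
    """Flag clients that touch at least `min_distinct_ids` distinct account IDs
    within any `window_seconds` sliding window. The 404 count is reported as a
    supporting signal: guessed IDs frequently do not exist."""
    findings = []
    for client, evs in parse_log(text).items():
        max_distinct, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            max_distinct = max(max_distinct, len({e[1] for e in evs[start:end + 1]}))
        if max_distinct >= min_distinct_ids:
            findings.append({
                "client": client,
                "distinct_ids": max_distinct,
                "not_found": sum(1 for e in evs if e[2] == 404),
            })
    return sorted(findings, key=lambda f: f["client"])


if __name__ == "__main__":
    for finding in detect_id_enumeration(SAMPLE_LOG):
        print(finding)
```

Detection of this kind is a backstop, not the fix: the underlying defect is that a guessable identifier alone authorises access to another person's record, which is addressed by checking the requester's authorisation on every lookup and by issuing identifiers that cannot be enumerated.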

Another part of the talk was about VauZettchenNet, the administration software for juvenile prisons. The updates for this software can be downloaded publicly. The software was developed by an employee of the Remscheid prison and contains curious features, such as the selection options for religious affiliation. Since the software is delivered without the libraries it links against, it took two weeks to track them down and fix them. After that, Lilith was ready to open a juvenile detention centre. A few vulnerabilities from the source code of VauZettchenNet were presented, along with other bizarre things such as the Knackikopp-Datei. However, the authorities said that the software would soon be completely replaced. Finally, the prison archive was presented, a wide collection of various prison newspapers that can be viewed online.

The next talk I attended was titled Das IFG ist tot – Best of Informationsfreiheit, Gefangenenbefreiung & Machtübernahmen by the head of FragDenStaat, Arne Semsrott. Arne reviewed the year’s various requests to the state and the related stories, proceedings and necessary lawsuits. The FragDenStaat Druckerzeugnis appeared one last time, as this year the Federal Administrative Court ruled that online media also have press rights.

It then continued with 5 Jahre nach Ibiza by Julian Hessenthaler. It was about the political development in Austria after the publication of excerpts from the Ibiza video in May 2019. The video was about a meeting between the then Vice Chancellor and Federal Party Leader of the FPÖ Heinz-Christian Strache, Johann Gudenus (then a member of the National Council and acting leader of the FPÖ parliamentary group), and an alleged niece of a Russian oligarch. The following things were revealed in the discussion: willingness to engage in corruption, circumvention of laws on party financing and, according to Wikipedia, a covert takeover of control over non-partisan media. The publication led to the end of the governing coalition of the two parties FPÖ and ÖVP. Further details on this topic can be found in the Wikipedia article. After that, Julian Hessenthaler spoke about the current political situation in Austria. He drew comparisons with the political situation in Germany and provided an insight into Russian influence in Austria.

The last presentation of the day was, in my opinion, also a show. I attended the keynote Pyrotechnik – ist doch kein Verbrechen!?, which was presented by Felix and Bijan. The day before, during the quiz show 0, 1 oder 2 – Hackerei und Cyberbrei, I already found out that pyrotechnics were allowed in hall 1. The two speakers talked about the development of pyrotechnics, their history and the different properties of fireworks components, the effect of insulation and other things. At the end of the talk, there was a cool fireworks show. Unfortunately, there is no recording of it.

Day 4

The fourth and final day of the Chaos Communication Congress began on the top floor with the Coffee Nerds. In addition to a large selection of coffee beans, you could prepare your own coffee, either with an Aeropress or do a Pour Over Coffee. Right next to it was the House of Tea for all tea fans. After that, I stopped by the Chaos Post again. There you had the opportunity to send postcards during the congress. After that I took a closer look at some other assemblies in the lower halls.

I then sat down in identity theft, credit card fraud and cloaking services – how state-sponsored propaganda makes use of the cyber criminal toolbox by Alexej Hock and Max Bernhard. The talk was about the Russian Doppelgänger campaign, which is now entering its third year. As part of the campaign, various German, French and American fake news websites have been created. The speakers described the infrastructure needed to host the fake websites, the ad campaigns, a chain of redirects and the filtering built into them. By discovering these and reporting them to various services, they were able to slow the campaign down somewhat and stem its spread.

After that, I stayed in room 1 and listened to the talk Find My * 101 by Henryk Plötz. Henryk talked about the technology of various Bluetooth trackers with a focus on the Android and iOS Find My networks. He started with a timeline of the release of various devices and technologies, then explained the functionality of the two Find My networks in more detail, and finally talked about ways to perform Bluetooth sniffing. I hadn’t realised before the talk that Bluetooth Low Energy devices transmit more often than they receive, because that consumes less energy.

Later, I took a final tour through the many different assemblies before I sat down for the Security Nightmares talk by Ron and Constanze Kurz. They looked back at the past year in terms of security nightmares and ventured forecasts for the upcoming years. These forecasts were mostly meant to be taken with a grain of salt, for example that ISO 27001 certifications will soon be filled out by AI. The final boss this year was ../, illustrating a directory traversal vulnerability. They also did a retrospective of ten years ago, i.e. a comparison with 31C3. In 2023, about 15% more CVEs were issued than in the previous year. The share of households with a computer is now stagnating at 92%, with many in the audience wanting to get rid of the PCs at relatives’ homes altogether. Then came the statement: Generation Z is three times more vulnerable to cybercrime than boomers. Fewer than 30% of all ransomware victims pay, and the trend is downward. Another statement was: “So that was the worst year, or the worst years, so far!” Other events included the xz backdoor in SSH, the recall of the Windows 11 Recall feature and the worldwide outages caused by CrowdStrike. After that, the discussion moved on to the future: will there be a TÜV seal of approval once hardware passes its best-before date? Will you then have to take your router to the TÜV? One business area that could emerge in 2025 is data centre influencers, for even greater on-premise hype. There may soon be waiting lists for ransom/backup/crypto wallet decryption, as well as a possible cyber service for computer science students should compulsory military service be reintroduced in Germany.

Last but not least, the final talk 38C3: Return to legal constructions was held by Gabriela Bogk and Aline Blankertz. Together they gave a rough summary of what happened at the congress. They talked about the robot vacuum cleaner controlled via DECT, various assemblies, the cat ears people wore, the mechanical piano and the social network GeheimVZ operated during the congress. During the talk, Chaos Post was delivered directly to the stage. The DECT system still forms the backbone of the congress, ensuring for example communication among the Angels. There are probably very few places left with a functional ISDN installation like the one at 38C3. This year, the first Blind DECT, a blind date over DECT, was held. There was also a lot going on outside the congress; for example, a demonstration against biometric surveillance took place in Hamburg. The most important take-away from the congress is: meet new people, learn something new. It is about trying, not about succeeding. A total of 15,000 participants attended 38C3. 400 of them were young people between the ages of 12 and 18, and there were even around 800 children under the age of 12. During the congress, a total of 6,635 shifts were completed by 3,481 angels. Without the tremendous support of volunteers, the congress would not have been possible.

With that, the congress programme had come to an end, and the big clean-up and the subsequent journey home began.

Conclusion

For me as a C3 newbie, the congress was initially a total sensory overload. People were walking around with cat ears or shark plush toys everywhere, and in the lower halls, there were flashing lights at every corner. After getting used to it and finding my way around, however, I felt very comfortable and was able to enjoy the congress to the fullest. After consuming a lot of mate over these four days, my mate rating is as follows: Flora Mate, CLUB-MATE and Kolle Mate. Unfortunately, this was also more or less the order in which the drinks ran out.

The enormous drive at the congress is extremely infectious. The infrastructure that was built just for the four days, a DECT system throughout the CCH, a separate mobile phone network, the chaos post, and the interesting discussions, talks, assemblies and projects impressed and inspired me.

About the Author

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science UAS Zurich at the ZHAW School of Engineering. His primary task is doing security-related analysis of web applications and services. (ORCID 0000-0002-3997-8482)
