Chaos Communication Congress 39C3 - Power Cycles

Ralph Meier
Yann Santschi
on January 15, 2026
time to read: 18 minutes

Keypoints

39C3: a recap

  • The Chaos Communication Congress is one of the largest conferences in the hacker scene
  • 16'000 creatures joined the four-day congress
  • A total of 165 talks were held on the four main tracks
  • Additionally, countless smaller talks, discussions and self-organized sessions took place

This year’s overall theme was Power Cycles – shut down the system, restart! According to CCC, the theme covers not only the obvious restart of a computer, but also the ongoing self-demolition of major powers and where they stand in the vortex of cyclically rotating world orders. In this article, we are pleased to provide an insight into the conference and some of the talk highlights.

After last year’s visit to 38C3, the Chaos adventure was firmly on the calendar again this year. This time, together with Yann Santschi, we plunged into the bright, flashy and nerdy adventure in Hamburg.

Congress Center Hamburg by night

Talk Highlights

At 39C3, there were a variety of talks, covering different categories: Security, CCC & Community, Art & Beauty, Hardware, Science, Ethics, Society & Politics, and Entertainment. We especially enjoyed the second congress day, as it featured so many incredible talks. We want to point out some of our highlights.

Protecting the network data of one billion people: Breaking network crypto in popular Chinese mobile apps

In this talk, Mona Wang discussed the use of self-developed encryption instead of TLS. Today, mobile app traffic amounts to around twice the volume of all web traffic. Depending on the region, over 80% or even over 90% of web traffic is now encrypted using HTTPS.

She split her talk into three parts. The first part covered WeChat, the largest Chinese app in terms of user numbers, which uses its own encryption system called MMTLS; hardly any public documentation on it exists. Communication via the WeChat app is encrypted twice: once on the business layer using AES-CBC and again with MMTLS, which uses AES-GCM.

The second part covered Input Method Editor (IME) apps, third-party keyboards that are very useful for typing Chinese. Many of these IME apps rely on cloud-based suggestions or send user input to their servers for other reasons. They often use self-developed encryption, which Mona and her team were able to decrypt in some cases. It was mentioned in passing that third-party IME apps are essentially a type of keylogger, which is why they should be used with caution.

The third part of the talk then focused on the analysis of nine popular encryption protocols that are most commonly used in the approximately 2’000 most widely used Chinese apps from the Google Play Store and the Xiaomi Store. Among the top 1’000 apps from the Google Play Store, 12.9% of apps were found to use unencrypted communication and 3.5% were found to use proprietary cryptography. Among the top 1’000 apps from the Xiaomi Store in 2024, 65.4% of apps were found to have unencrypted data traffic and 47.6% of apps were found to use proprietary cryptography. This figure fell by around 9% in a re-examination in 2025, but is still a very high proportion.

A large number of other self-developed protocols were detected but could not be analysed, so their security remains unknown. The most important insight from the talk was: do not rely on self-developed encryption, but on known standards such as TLS. Mona’s talk was not recorded, but she published the slides she used.

Lost domains, open doors – what old government domains reveal

In his talk, Tim Philipp Schäfers shared the insights he gained from purchasing a formerly active government domain and explained why using domains you do not own yourself for test accounts can be disastrous.

He starts by revealing his best hacking tip: read the documentation. There you can find URLs for test and production environments as well as possible test users. Following this tip, he registered the domain testtraeger.de and thereby began receiving the emails of accounts registered under this domain. One thing led to another, and after resetting the password of the test account at the domain testtraeger.de, he was able to log in to the test environment of the user administration for delegates of the Federal Office for Migration and Refugees (BAMF). The test user even had administrator rights. It also became clear that the domain is used for testing in other areas within the federal government.

To avoid this, test accounts should use the top-level domains (TLDs) reserved for exactly this purpose in RFC 2606: .test, .example, .invalid and .localhost (RFC 2606 also reserves the second-level domains example.com, example.net and example.org). These names can never be registered by a third party.

German federal authorities occasionally change their names, which means their websites also move to new domains. Tim demonstrated this using the example of the Federal Office for the Recognition of Foreign Refugees (BAFL), which is now called the Federal Office for Migration and Refugees (BAMF). After a certain period of time, the domain bafl.de was not renewed and was therefore available for anyone to register. The domain was first used for a website with links to online casino websites before Tim was able to purchase it at auction. Once he had acquired the domain, he began to evaluate the DNS logs and found a large number of requests for its subdomains from the IP address ranges of the German federal government. A small excerpt from this:

The logs also showed that attempts had been made to deliver emails to bafl.de.

After Tim reported the issue, he was able to transfer the domains back to the BAMF, although only after a long wait. The transfer was necessary because the domain is still present in a large number of configurations, some of which are maintained by external service providers.
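Two defender-side checks that follow from this section, as an added example that is neither from the talk nor from the original post: the first flags test accounts whose mail domain is not one of the RFC 2606 reserved names and could therefore be registered by somebody else, the second runs over constructed DNS query-log lines and tallies which names under a lapsed domain are still being looked up from an organisation's own address ranges. The log line format, the sample accounts and the use of 192.0.2.0/24 as the organisation's range are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Names reserved by RFC 2606 for testing and documentation: nobody else can
# register them, so mail sent to test accounts there cannot be intercepted.
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}
RFC2606_DOMAINS = {"example.com", "example.net", "example.org"}


def is_reserved_test_domain(domain: str) -> bool:
    """True if the mail domain lies inside an RFC 2606 reserved namespace."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[-1] in RFC2606_TLDS:
        return True
    return ".".join(labels[-2:]) in RFC2606_DOMAINS


def audit_test_accounts(accounts):
    """Return the test accounts whose mail domain a third party could register."""
    return [a for a in accounts if not is_reserved_test_domain(a.rsplit("@", 1)[-1])]


# One query per line: "<source-ip> <qtype> <queried-name>" (assumed log format).
DNS_LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<qtype>\S+)\s+(?P<name>\S+)$")


def summarize_lapsed_domain_queries(log_lines, lapsed_domain, own_networks):
    """Count queried names under a lapsed domain, split into queries coming
    from the organisation's own address ranges and from everywhere else."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    lapsed = lapsed_domain.lower().rstrip(".")
    internal, external = Counter(), Counter()
    for line in log_lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the report
        name = m["name"].lower().rstrip(".")
        if name != lapsed and not name.endswith("." + lapsed):
            continue
        src = ipaddress.ip_address(m["src"])
        bucket = internal if any(src in n for n in nets) else external
        bucket[name] += 1
    return internal, external


# Constructed sample data, not taken from the talk: a test-account list and a
# few DNS query-log lines; 192.0.2.0/24 stands in for the organisation's range.
SAMPLE_ACCOUNTS = ["admin@testtraeger.de", "tester@example.org", "qa@app.test",
                   "bot@staging.invalid", "user@testagency.example"]
SAMPLE_DNS_LOG = ["192.0.2.10 A mail.bafl.de", "192.0.2.11 MX bafl.de",
                  "192.0.2.10 A intranet.bafl.de", "198.51.100.7 A bafl.de",
                  "192.0.2.12 A www.example.com"]

if __name__ == "__main__":
    print("risky test accounts:", audit_test_accounts(SAMPLE_ACCOUNTS))
    print(summarize_lapsed_domain_queries(SAMPLE_DNS_LOG, "bafl.de", ["192.0.2.0/24"]))
```

Names that keep showing up in the internal bucket point at configurations (mail relays, intranet links, monitoring) that still reference the old domain and need to be cleaned up before the registration lapses.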

In his presentation, Tim also addressed the issue of trust in government domains. Most countries use a gov.TLD domain, which makes it easy for citizens to associate a URL with the respective country. In Germany, every ministry has a different domain with a different structure, some of them abbreviations and some written out in full. Switzerland does not have a classic gov domain either; instead, it uses admin.ch, but gov.ch redirects to that.

Together with FragDenStaat, Tim published a list of over 2’500 German government domains to shed light on the matter.

When Vibe Scammers Met Vibe Hackers: Pwning PhaaS with Their Own Weapons

With a very well-illustrated talk, Chiao-Lin Yu (Steven Meow) showed us how he, as a vibe hacker, brings vibe scammers to their knees. His presentation was roughly about uncovering the use of scam frameworks, their structure, range of functions and further development. Steven, as he calls himself, mainly used Claude 4.5, Gemini 2.5 Pro, HexStrike MCP and Strix for his vibe hacking adventure. He did not write any of the code for hacking the scam framework himself, but had it generated exclusively by LLMs.

He begins by discussing various scam patterns and how they work. A multi-stage process is often used, starting with an advertisement on a social network for a free product for which only the shipping costs have to be paid. This stage is used to select or filter out individuals who are suitable for a later scam. By entering their payment information for shipping, the victims hand the scammers initial data that is used at a later stage. At this stage, the shipping payments themselves usually go to a charity organisation. After paying for shipping, the victim is redirected to a scammer website, supposedly because of a missing identification. There the victim is tricked into contacting a fake support desk. The fake support has the information entered earlier and tricks the victim into transferring money to a scammer account to supposedly unlock their account.

Steven then talked about his approach using the aforementioned AI tools and what he encountered in the process. He carried out reconnaissance with the help of Strix and HexStrike, during which he came across a php.bak file. He forwarded this to Claude Code for a source code review. The result was an SQL injection, which the AI then tested more thoroughly using sqlmap. However, the exploit did not work at first. After manual investigation, Steven saw that the application checks the User-Agent header and expects a mobile device, otherwise it responds with an error message. After this discovery, the SQL injection exploit worked and Steven obtained the access data. Finding the login page of the backend proved somewhat more difficult, but it was discovered using a target-specific word list generated by AI. Steven praises the use of LLMs to generate specific word lists from previously performed scans. He then escalated his privileges to local administrator rights on the server, again with the help of AI.

With the access he gained, he began collecting and evaluating information from the logs. He found that deploying a new phishing website takes only four minutes and changing the domain takes only one minute. In the installation package he found, he used Claude Code to find over 20 vulnerabilities, including a file upload bypass, hardcoded credentials, and the SQL injection he had found earlier. The Telegram page found in the installation package was displayed in the familiar vibe purple, an indigo colour strongly indicating that AI was used to create the website. In it, Steven found a remote code execution vulnerability that he was also able to exploit. The additional Telegram data he found enabled him to identify various individuals and their connections within the scammer organisation. He was able to identify other phishing websites in different versions, all based on the same foundation. Steven says that the resulting evolution is rapid, with development increasingly moving towards automation and even greater use of AI.

Finally, Steven says: It is important to familiarise yourself with the applicable laws in your own country before you start investigating scam websites.

Bluetooth Headphone Jacking: A Key to Your Phone

Dennis Heinze and Frieder Steinmetz of ERNW delivered a highlight of the congress. Their talk and their demos showed very impressively how a WhatsApp account (or any other account relying on caller verification) can be taken over through a Bluetooth connection to the victim’s headphones.

The first part of their talk covers a few basics of Bluetooth technology. They show that pairing (and therefore authentication) is not required when connecting to the headphones via Bluetooth Low Energy (BLE). This allows attackers within range to connect to the headphones, dump the headphones’ flash and interact with their memory.

During a live demo in which they connected to the headphones of a friend of theirs, they were able to read a lot of information from them, such as the headphone model and the song the friend was currently listening to. This happened while the friend was listening to music, without him noticing. This connection uses Bluetooth Low Energy, while the music is streamed via Bluetooth Classic. Additionally, a separate Bluetooth Classic connection can be established, allowing the microphone to be used for eavesdropping.

In the second part of their talk, they cover the authentication between the headphones and the smartphone, which is done using a Link Key. They also cover the Hands-Free Profile (HFP), which lets the headphones trigger functions on the phone itself, such as accepting a call or starting a voice assistant.

Using the above-mentioned Link Key, the headphones can be impersonated when connecting to a smartphone. To do so, the Bluetooth Classic addresses of the phone and of the headphones as well as the Link Key must be known; this information can be gathered through the attacks described in the first part. Using the BTstack implementation, an attacker can, as shown in another live demo, interact directly with Siri on the smartphone. In yet another demo, they showed how a WhatsApp or an Amazon account can be taken over through this attack vector.

Do not look up: There are sensitive internal links in the clear on GEO satellites

Even though they had some technical difficulties, Nadia Heninger and Annie Dai gave a fascinating talk about unencrypted satellite traffic.

The talk began with an introduction to geostationary (GEO) satellites. These are satellites located at a fixed position along the equator that serve a defined area of the earth. At heart, these satellites are basic repeaters: they receive data from a terminal below the satellite (such as an airplane or a power plant) and forward it as a broadcast to everything below the satellite. Encryption is applied only at the terminal stations, not by the satellite itself.

These satellites are very interesting because they are an important part of the communication of legacy infrastructure (for example satellite TV, airplanes, power plants, military communication, etc.). Nadia and Annie showed how they built their own satellite dish and were actually able to capture dumps of data. After decoding the data, they already found admin passwords in plain text.

Furthermore, they showed that the data in those dumps included military communication. The military uses a strange security-by-obscurity encoding to “secure” its data, and Nadia and Annie could still show that breaking this obscurity is rather easy. The military also intentionally chose not to implement common protocols like TLS.

Additionally, the data contained unencrypted airplane Wi-Fi traffic as well as cell phone communication from remote locations that use satellites to connect to the cellular infrastructure. The latter included US and Mexican navy communication such as specific ship and helicopter locations. Finally, they also found unencrypted credit card transactions with all the necessary details, including card numbers and balances.

It is important to note that these encryption shortcomings only apply to GEO satellites. LEO (Low Earth Orbit, e.g. Starlink) and MEO (Medium Earth Orbit) satellites additionally encrypt the traffic.

What to do at the 39C3

There is a reason why all the “old heads” told us: you can rewatch (most) talks, but not the rest. You could really feel it. In retrospect, we did not take this seriously enough; still, we improved our soldering skills at the Riesengrossen Dauerlötworkshop of Blinkyparts, while also having great conversations with other soldering enthusiasts. We checked out the world of retro games and fell in love with Bomberman. We toured Hamburg and the Rote Flora. We discovered Tschunk and tried every Mate variation. We saw different art installations. We created our very own Lichtbildausweis (photo ID) with digitalcourage, sent some postcards using the Chaos Post, and had great talks with interesting creatures. We admired the angel system as well as the voluntary work done by so many people. In between, we visited the Coffee Nerds whenever it was time for another caffeine boost. We took part in different assemblies and self-organized sessions and picked up so many tips and tricks. And still we missed so many interesting things and talks!

Conclusion

All in all, it was a blast! Every corner had something new to discover and experience. You could talk to so many different creatures about the wildest things without these chats ever getting boring. It is really a very impressive event with extraordinary creatures. We were able to broaden our horizons on a technical as well as a personal level, and we will bring this experience back home and back to scip. We are looking forward to rewatching all the talks we missed, and to next year. Until then we say #DankeAI

About the Authors

Ralph Meier

Ralph Meier completed an apprenticeship as an application developer, with a focus on web development with Java, at a major Swiss bank and then completed a Bachelor of Science in Computer Science at the ZHAW School of Engineering (Zurich University of Applied Sciences). His primary task is security-related analysis of web applications and services. (ORCID 0000-0002-3997-8482)

Yann Santschi

Yann Santschi completed an apprenticeship as a systems engineer at the Swiss Stock Exchange and then worked as a cyber security consultant at one of the Big Four consulting firms. He is currently pursuing his Bachelor’s degree in Information and Cyber Security with a major in Attack Specialist and Penetration Testing at HSLU. His focus is on web applications, network security, and social engineering.
