The 35th Chaos Communication Congress (35C3)

What

Last month, I attended the 35th Chaos Communication Congress (35C3), one of the leading hacking conferences in Europe. I decided to write a short comment for each of the talks that I went to, to kind of describe the overall feel of the event.

Before I go into that though, let me thank my employer, Codethink. Codethink paid for my trip to CCC this year (indeed my first CCC, and my first serious cybersecurity conference). You can learn more about Codethink on our website.

Thanks to everyone who submitted corrections (you know who you are) and to Marek Domagała for extensive proofreading.

Also, there's more to CCC than the talks. In fact, at the Congress, I met a person who told me she never goes to any talks - she elaborated that because she can watch them online anyway, she prefers to spend time in workshops and sessions ("workshops" and "sessions", as she explained, are different things).

Personally, I spent most of my time in lectures/talks, but there were entire rooms filled with lots of cool stuff to see.

If you want to be up to date with future editions of the Congress, subscribe to the CCC Events Blog.

A word of explanation before I start. Each description below has a link to the web page of the talk. If you follow that link, you can access additional useful resources, contact details of the speakers, links to academic papers and press articles, etc. If something is not mentioned in my description, it can be found under that link.

Talks

Modchips of the State

Speaker: Trammell Hudson
Description: 35C3 Fahrplan
Video: 35C3 Media

You've probably heard about the alleged malicious hardware implant in Supermicro's motherboards. The story was denied by everyone supposedly involved, and Supermicro have described the attack as technically implausible. Trammell has created a proof-of-concept implant and in this talk he was discussing ways in which such an attack could be orchestrated.

Most of the technical details went over my head but I'm sure this talk will be of interest to hardware people.

What The Fax?!

Speakers: Yaniv Balmas, Eyal Itkin
Description: 35C3 Fahrplan
Video: 35C3 Media

Here's a thought: fax is sort of an interface to your internal network, in a sense that it is freely accessible from the outside - everyone can send a fax to you. In that way, it is similar to, say, a web server. But your web server probably runs well researched software, relatively free of bugs. What about your fax machine? Do you even know how to update firmware on your fax machine?

These guys took a popular all-in-one fax/printer device, analysed its firmware and demonstrated a remote-code-execution attack on it. I was surprised how much code a printer runs...

A great talk, very engaging speakers. Also: why are people still using fax in 2018?

The Layman's Guide to Zero-Day Engineering

Speakers: Markus Gaasedelen, Amy (itszn)
Description: 35C3 Fahrplan
Video: 35C3 Media

This is exactly what it sounds like: a guide to writing exploits. I liked how they limited the presentation to a high-level overview while packing all the low-level details into a blog post.

I understand that perhaps it's a niche field, but the talk was very inspiring to me and I'm planning to go through the blog post in detail.

Hunting the Sigfox: Wireless IoT Network Security

Speaker: Florian Euchner (Jeija)
Description: 35C3 Fahrplan
Video: 35C3 Media

This was one of those talks that I went to because there was just nothing more interesting in that time slot and then it turned out to be absolutely amazing. Florian makes a prediction that Sigfox is something that "you have probably never heard of", and that was the case with me. It is a global cellular network for low power devices - very small "things" in the "internet of things" (think: herd tracking).

If you enjoy learning about weird protocols, this talk is for you.

SiliVaccine: North Korea's Weapon of Mass Detection

Speaker: Mark Lechtik
Description: 35C3 Fahrplan
Video: 35C3 Media

A very entertaining analysis of North Korea's national anti-virus product. This is a closed source application which is not distributed outside of DRPK. The speaker had obtained access to a binary of the program that was anonymously sent to Martyn Williams, a journalist writing about North Korea. It turns out SiliVaccine uses a scanning engine from Trend Micro, modified with a custom whitelist. The leaked version's installer was also bundled with malware...

I recommend watching if you're into malware analysis or reverse engineering.

Attacking end-to-end email encryption

Speaker: Sebastian Schinzel
Description: 35C3 Fahrplan
Video: 35C3 Media

On the infamous efail attacks. One of the more significant vulnerabilities presented at this Congress. I recommend watching especially if you like crypto.

The Rocky Road to TLS 1.3 and better Internet Encryption

Speaker: Hanno Böck
Description: 35C3 Fahrplan
Video: 35C3 Media

TLS 1.3 has been published. This talk was a summary of vulnerabilities seen in the SSL/TLS protocol over the years and problems encountered on the way to the newest version.

I first heard about Hanno through The Fuzzing Project, where he helps to find bugs (security and otherwise) in open-source software, which I thought was insanely cool and it had inspired me to do my own work in the area.

Safe and Secure Drivers in High-Level Languages

Speaker: Paul Emmerich, Simon Ellmann, Sebastian Voit
Description: 35C3 Fahrplan
Video: 35C3 Media

This was more fun than I expected. To write a userspace network card driver, one finds an appropriate sysfs/procfs interface exposed by the Linux kernel, mmaps it into memory and reads/writes from/to it appropriately. Then Paul recruited a bunch of students to find the equivalent of that in various languages (including Bash - although that was more of a joke project). Typically, even when using a "memory-safe" language, one has to use an "unsafe" mode, but the idea is that at least in this the unsafe code is limited to a very small set of operations.

Self-encrypting deception

Speaker: Carlo Meijer
Description: 35C3 Fahrplan
Video: 35C3 Media

A security analysis of several SSD models that perform hardware encryption - that is, you transmit your password to the drive, and encryption/decryption is handled by the drive's firmware. The operating system only sees plaintext data. Many vulnerabilities found. Quite high-profile research.

The year in post-quantum crypto

Speakers: Daniel J. Bernstein, Tanja Lange
Description: 35C3 Fahrplan
Video: 35C3 Media

NIST has a contest for post-quantum crypto! This is similar to when a previous contest by NIST gave us AES. I liked the way this talk was delivered, there seemed to be good teamplay between the speakers. They talked about different algorithms submitted to NIST, how they're deficient in various ways (broken, large keys, slow, etc), presented one new, promising post-quantum encryption system (CSIDH), and a crypto software library (libpqcrypto).

It Always Feels Like the Five Eyes Are Watching You

Speaker: Kurt Opsahl
Description: 35C3 Fahrplan
Video: 35C3 Media

This was a non-technical talk by an Electronic Frontier Foundation attorney Kurt Opsahl. He starts by reviewing the history of the Five Eyes - an intelligence alliance between the UK, US, Canada, Australia and New Zealand. Then he talks about how the Five Eyes found themselves "going dark" because of growing prevalence of encryption. He continues to talk about some legislative efforts in the UK and Australia to compel technology companies to reveal plaintext communications and/or insert backdoors into their software. He goes on to argue why such efforts present a threat to privacy.

From Zero to Zero Day

Speaker: Jonathan Jacobi
Description: 35C3 Fahrplan
Video: 35C3 Media

This talk was similar in scope to "The Layman's Guide to Zero-Day Engineering". Jonathan is 18 years old and he goes through the details of his first ever remote code execution exploit against Microsoft Edge. While I appreciate the content, the amount of technical details made this talk impossible to follow.

Matrix, the current status and year to date

Speaker: Ben Parsons
Description: 35C3 Fahrplan
Video: 35C3 Media

That was my first introduction to Matrix. If you don't know, it is an open protocol for communications on the Internet, that is decentralized (like IRC), covers many potential technologies (for example voice and instant messaging), and has bridges to: IRC, Telegram, Slack, etc.

First Sednit UEFI Rootkit Unveiled

Speaker: Frédéric Vachon
Description: 35C3 Fahrplan
Video: 35C3 Media

This talk was about an UEFI rootkit found in the wild by the ESET security company deployed by a Russian state-sponsored actor. This is one of the first such attacks used against real targets.

wallet.fail

Speakers: Thomas Roth, Dmitry Nedospasov, Josh Datko
Description: 35C3 Fahrplan
Video: 35C3 Media

An interesting research into hacking hardware cryptocurrency wallets. Spoiler: many holes were found. It seems that many talks at this year's CCC were hardware-oriented. There was a nice moment when during the Q&A the CTO of Trezor (one of the companies mentioned in the research) came up to the mic stand and encouraged everyone to help find bugs in their products (their designs are open-source).

Smart Home - Smart Hack

Speaker: Michael Steigerwald
Description: 35C3 Fahrplan
Video: 35C3 Media

It was the only talk that I went to that was in German, and so I test-drove the 35C3 translation system on it. There was a communications service that you could connect to to listen to an English translation, live, but I didn't manage to get it working. Eventually, I resorted to listening to a public livestream (also in English), but audio was several minutes off and overall it was a very confusing experience.

Off-the-Record protocol version 4

Speaker: Sofia Celi, Jurre van Bergen
Description: 35C3 Fahrplan
Video: 35C3 Media

The OTR protocol was the standard choice for end-to-end encrypted instant messaging for years, and the Signal protocol is based on it. Did you know - the Signal protocol is used in WhatsApp and (optionally) Facebook Messenger, so perhaps most of instant messaging today is end-to-end encrypted. The fourth version of OTR is being drafted now, I wonder whether it will influence derivative protocols such as Signal as well.

Kernel Tracing With eBPF

Speaker: Jeff Dileo, Andy Olsen
Description: 35C3 Fahrplan
Video: 35C3 Media

An introduction to eBPF and a discussion of its limitations and security risks it might create.

Memsad

Speaker: Ilja van Sprundel
Description: 35C3 Fahrplan
Video: 35C3 Media

Subtitled "why clearing memory is hard". Say you've got a chunk of memory on the heap that you no longer need, that contains sensitive data. You will typically want to zero out that memory before you free() it so that it doesn't accidentally get leaked. If you just do a memset() though, the compiler may optimize the memset() call out. So different people have come up with different ways to implement a "secure" memset(). There's one in Linux, and there's even one in C11.

The Surveillance State limited by acts of courage and conscience

Speaker: Robert Tibbo
Description: 35C3 Fahrplan
Video: 35C3 Media

A talk by Edward Snowden's lawyer. It focuses on the Snowden Refugees - people who provided shelter to Snowden in Hong Kong and are prosecuted for it.

The Mars Rover On-board Computer

Speaker: breakthesystem
Description: 35C3 Fahrplan
Video: 35C3 Media

A pleasant interlude. :)

Citizens or subjects? The battle to control our bodies, speech and communications

Speakers: Diego Naranjo, Andreea Belu
Description: 35C3 Fahrplan
Video: 35C3 Media

This was a talk about the implications of technology, specifically upload filters for privacy and freedom of speech.

Exploring fraud in telephony networks

Speakers: Merve Sahin, Aurélien Francillon
Description: 35C3 Fahrplan
Video: 35C3 Media

How criminals make money in telephone networks. The best thing from this is LENNY! Entertain yourselves.

The Urban Organism

Speaker: Michelle
Description: 35C3 Fahrplan
Video: 35C3 Media

About a hackerspace in Hong Kong.

Explaining Online US Political Advertising

Speaker: Damon McCoy
Description: 35C3 Fahrplan
Video: 35C3 Media

Who is paying for political ads on social media?

Analyze the Facebook algorithm and reclaim data sovereignty

Speaker: Claudio Agosti
Description: 35C3 Fahrplan
Video: 35C3 Media

Research project hosted on facebook.tracking.exposed. The browser extension will collect the posts that appear in your Facebook feed. The specifics seem kind of vague to me, but the author has a vision of the world where each user is able to decide exactly what content they're getting (think: client has access to all posts and then builds a feed on the client side, with the algorithm chosen by the user).

Cat & Mouse: Evading the Censors in 2018

Speaker: kmc
Description: 35C3 Fahrplan
Video: 35C3 Media

Newest developments in Internet censorship and its prevention. My impression was that evading the censors in 2018 is pretty much the same as it was in 2015. I did learn more about Psiphon though - a free and open-source circumvention software/network.