33rd Chaos Communication Congress
I spent the time between Christmas and New Year in Hamburg, Germany, at the Chaos Communication Congress, 33rd edition (33C3 in short). 33C3’s motto was “Works for Me”, a phrase that everyone working in IT/engineering will hear at some point during their career. It quickly became a meme in the congress, showing up every time a presenter had a laptop issue for example.
I used some of the time between talks to update a bit my personal infrastructure to include Owncloud in addition to the existing Gitlab instance. This is still a work in progress, and I may write about it in the future.
I also had a lot of project ideas that I will leave here, in case I need some ways to lose my time soon!
- WhatsApp-b-gone, an idea that was created after @SyrianSpock and I realized that social gatherings were annoyingly filled with people glaring at their phone. The easiest way to implement this is probably to add some rules in the firewall to block WhatsApp traffic. The rules should be easy to turn on and off (webapp for example).
- Learning how to use radare2. Radare2 is a reverse engineering framework like IDA pro, but libre and commandline. It seems powerful but the learning curve is rather steep, so I must stick to it.
- Related to the previous one: reverse engineer the Xiaomi Band fitness device. This is a small connected device that is still complete enough to be interesting to reverse engineer. Gaining code execution on it would be nice, as it is a small wearable device with a lot of autonomy.
- Modifying the CVRA’s USB to CAN adapter to use SocketCAN. It would allow us to plug it into Linux and use Wireshark to analyze traffic.
- A “smart” time tracker, which works by detecting what is your current working directory and guessing on which project I am working.
Anyway: as last year , I took some notes about the talk I went to and also the talk I had to miss, so that I can watch them later. This year marks the introduction of French translation for streams, which are included in the recording if you want to. Kudos to the translation team!
The Global Assassination Grid
As they say in the Air Force, ‚No comms no bombs‘, – A technician’s insight into the invisible networks governing military drones and the quest for accountability
It was impressive to hear him talk about his experience as a drone pilot and why he switched to alert the public about the drone program. I don’t think it is technical but some military acronyms slipped in without being explained.
Shut Up and Take My Money!
FinTechs increasingly cut the ground from under long-established banks’ feet. With a “Mobile First” strategy, many set their sights on bringing all financial tasks—checking the account balance, making transactions, arranging investments, and ordering an overdraft—on your smartphone. In a business area that was once entirely committed to security, Fintechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly increasing customer numbers, it also reveals a flawed understanding of security. With the example of the pan-European banking startup N26 (formerly Number26), we succeeded independently from the used device to leak customer data, manipulate transactions, and to entirely take over accounts to ultimately issue arbitrary transactions—even without credit.
Good talk showing the issues in a banking startup. The exploits were not complicated but are a good example of what not to do when you are developing an application. Not very technical.
What’s It Doing Now?
Legend has it that most airline pilots will at one time have uttered the sentence “What’s it Doing now?”, whenever the autopilot or one of its related systems did something unexpected. I will be exploring some high-profile accidents in which wrong expectations of automation behavior contributed to the outcome.
This talk was trying to see how we could transpose the lessons learnt from plane autopilots to self-driving car, especially regarding to what to do when it fails. Not very technical.
Dieselgate – A year later
At 32C3 we gave an overview on the organizational and technical aspects of Dieselgate that had just broken public three months before. In the last year we have learned a lot and spoken to hundreds of people. Daniel gives an update on what is known and what is still to be revealed.
Awesome talk! Daniel was one of the two presenters on the 32C3 Dieselgate talk. This year they decided to split their talk in one about politics/law (this one) and one about hacking methods used (I could not watch it). I recommend it to anyone interested in the Dieselgate scandal. Not technical.
Nintendo Hacking 2016
This talk will give a unique insight of what happens when consoles have been hacked already, but not all secrets are busted yet. This time we will not only focus on the Nintendo 3DS but also on the Wii U, talking about our experiences wrapping up the end of an era. We will show how we managed to exploit them in novel ways and discuss why we think that Nintendo has lost the game.
I like talks about console hacking: Since console systems are exotic, they usually start with an overview of the platform, which allows you to understand the exploits part without too much specific knowledge (unlike say, talks about PC systems). A good talk, with three passionate hackers showing us how they owned the Wii U and the 3DS. However, the attacks presented are highly technical, and might be hard to understand if you are not familiar with ROP and Use-after-free.
How physicists analyze massive data: LHC + brain + ROOT = Higgs
Physicists are not computer scientists. But at CERN and worldwide, they need to analyze petabytes of data, efficiently. Since more than 20 years now, ROOT helps them with interactive development of analysis algorithms (in the context of the experiments’ multi-gigabyte software libraries), serialization of virtually any C++ object, fast statistical and general math tools, and high quality graphics for publications. I.e. ROOT helps physicists transform data into knowledge.
The presentation will introduce the life of data, the role of computing for physicists and how physicists analyze data with ROOT. It will sketch out how some of us foresee the development of data analysis given that the rest of the world all of a sudden also has big data tools: where they fit, where they don’t, and what’s missing.
Fun thing about this talk: the topics were chosen by the audience, based on the amount of cheering for a given topic. However, I did not learn much in this talk, especially on ROOT, which was supposed to be the theme of the talk. Somewhat technical.
No USB? No problem.
How to get USB running on an ARM microcontroller that has no built in USB hardware. We’ll cover electrical requirements, pin assignments, and microcontroller considerations, then move all the way up the stack to creating a bidirectional USB HID communications layer entirely in software.
xobs is the co-creator of the Novena open source laptop. I highly recommend reading his blog, if you are into hardware hacking or manufacturing. About the talk itself, I enjoyed it, as it was a nice introduction to USB and debugging, and I worked on those two topics before. However, if you are not planning to implement USB soon, or don’t like firmware hacking, this talk might not be your cup of tea.
Formal Verification of Verilog HDL with Yosys-SMTBMC
Yosys is a free and open source Verilog synthesis tool and more. It gained prominence last year because of its role as synthesis tool in the Project IceStorm FOSS Verilog-to-bitstream flow for iCE40 FPGAs. This presentation however dives into the Yosys-SMTBMC formal verification flow that can be used for verifying formal properties using bounded model checks and/or temporal induction.
Insanely technical talk about formal verification of FPGA programs, which can be used to find bugs not exercised by the simulation or by testing on hardware. I must admit I did not understand most of the talk, but I think I got an approximate understanding of the process.
Lockpicking in the IoT
“Smart” devices using BTLE, a mobile phone and the Internet are becoming more and more popular. We will be using mechanical and electronic hardware attacks, TLS MitM, BTLE sniffing and App decompilation to show why those devices and their manufacturers aren’t always that smart after all. And that even AES128 on top of the BTLE layer doesn’t have to mean “unbreakable”. Our main target will be electronic locks, but the methods shown apply to many other smart devices as well…
This talk focuses on some digital padlocks that use Bluetooth for unlocking. The researcher shows how incredibly bad the security of those things are, both mechanically and in software.
A world without blockchain
Instant money transfer, globally without borders and 24/7. That’s one of the promises of Bitcoin. But how does national and international money transfer work in the world of banks?
A talk showing what happens behind-the-scenes when you send money to your cousin in Brazil. Contains both the accounting principles and the technical explanations of what happens. I would have loved to go a bit more in-depth, but the talk was already short on time. Not technical.
Intercoms Hacking
Call the frontdoor to install your backdoors
The author attack modern intercoms by forcing them to connect to a rogue 3G cell. They are then able to open the door and spy on door conversation. It was interesting to see how to create a fake GSM antenna using a BladeRF/HackRF with YateBTS on the software side. Technical: you might have to search a bit if you don’t know anything about GSM & SDR.
radare demystified
radare is a libre framework and a set of tools to ease several tasks related to reverse engineering, exploiting, forensics, binary patching. This year, the project gets 10 year old.
This talk will show the evolution and structure of the project, its roots, some of the most notorious capabilities, showing several usage examples to let the attendees the power in functionalities and extensibility the tool provides.
I wanted to learn radare2 even before coming to CCC, so this talk was a “must attend”. What I got back from this talk was some starting points on how to use radare2. If you are not interested by reverse engineering, I don’t think you are in the audience for this talk.
Here are my raw notes:
They apparently have an IRC channel.
Should take between 2 days and one week to get used to it (à la vim).
Commands are mnemonic, based on modifiers (à la vim again)
5 commands to remember:
* s seek
* pd print disassembly
* s? prints help for s
* w is for write
* q quit
* ~ means grep ("p 10 ~ Mov")
* /m looks for known file format using magic
It appears to be able to read data in structs.
See the blog post "Analysis by default"
On Smart Cities, Smart Energy, And Dumb Security
Smart City is an abstract concept everyone talks about but no one knows what it actually means. No one, except Energy utilities. In this talk we will explore the vast world of Smart Energy, and see how energy providers used the “Smart City” concept to get better control over our energy consumption, all while almost completely ignoring security aspects along the way. Join me and see how Smart Energy is making our lives a little bit better, but also dangerously insecure.
I was disappointed by this talk. It contained a lot of non-fact based affirmations such as “you can make electricity meters exploded by hacking them” and little technical content. Same goes for Zigbee: no exploits / concepts, only talk. I was under the impression that the guy wanted to sell us the product his new startup is developping (he said he was working on this topic at the beginning of the talk though). I don’t recommend watching it.
Dissecting modern (3G/4G) cellular modems
Let’s have a detailed look at some modern 3G/4G cellular modems and see what we can find out about their internals using undocumented debug interfaces and software or hardware based hacking techniques.
The speakers are coming from the osmocom project so they know quite a lot about reverse engineering. This is also not their first talk so they know how to present well. A good talk about reverse engineering obscure hardware, GPL enforcement and weird programming practices. Technical.
They also introduced a multi voltage UART adapter called the Osmocom MV-UART.
Dissecting HDMI
Ever wondered what is actually happening when a speaker can’t get their laptop to project? While developing the FPGA-based HDMI2USB.tv open hardware for recording conferences, we discovered just how convoluted the HDMI protocol can be. Come hear all the horrible details!
The speaker comes from the Timsvideos project. The aim of the project is to be able to record conferences, like the CCC, but with less resources. To do that they wanted to create an HDMI screen capture board, which they implemented on an FPGA.
He recommended to watch another talk from 28C3 called “Implementation of mitm attack on hdcp-secured links”. Also a website filled with FPGA resources: hamsterworks He also mentions a talk at PyCon AU about designing hardware with FPGAs.
The Moon and European Space Exploration
Since the early successes of moon missions in the Sixtie, mankind has moved on to the earth orbit and other deep space missions. But interest in the moon as a target has intensified recently as the strategies for future missions are evolving.
Jan Wörner is the director of the European Space Program. In this talk he tries to answer the question “Why are we studying space?” I recommend it to everybody; the talk is fun and not technical.
Interplanetary Colonization
The long term survival of the human species requires that we become an interplanetary species. But we must answer two big questions: where are we going, and how do we get there? We explore what scientists know (and don’t know) about humanity’s potential future homes both inside and outside the solar system, and then we’ll dive into the technological challenges of (and potential solutions for) getting humans to and colonizing a new planet.
Quick intro to how can we move from planets to planets to colonize them. Not very technical, but I did not enjoy it as much as the previous one.
The Zcash anonymous cryptocurrency
Zcash is the third iteration of an extension to the Bitcoin protocol that provides true untraceability, i.e. fully anonymous transactions. It is arguably the first serious attempt to establish this extension, in the form of its own blockchain, beyond the form of an academic proposal. The talk provides an introduction to the magic that makes it work.
I need to rewatch that one to fully understand the math behind Zcash. It looked interesting, but I am into crypto; skip if you are not.
Community
Mitch Altman (born December 22, 1956) is a San Francisco-based hacker and inventor, best known for inventing TV-B-Gone, as featured speaker at hacker conferences, as international expert on the hackerspace movement, and for teaching introductory electronics workshops. He is also Chief Scientist and CEO of Cornfield Electronics.
In this talk, Mitch Altman tells us the story of how he entered the hacker scene. The guy is influential and his message definitely resonated with me. However, it also revealed that he has some strong bias, against the government for example, which I don’t agree with.
Retail Surveillance / Retail Countersurveillance
From geo-magnetic tracking for smartphones to facial recognition for email marketing, from physical shopping cart fingerprinting to computer vision algorithms that use your clothing as metadata, this talk will explore the emerging landscape of hyper-competitive retail surveillance. Instead of dramatizing these technologies which can lead to calcification and normalization, the aim of this talk is to energize discourse around building creative solutions to counter, adapt to, or rethink emerging surveillance technologies.
Those projects are about defeating common surveillance techniques through fashion and makeup. I liked the concepts, they are very cyberpunk-ish.
The Ultimate Gameboy talk
The 8-bit Game Boy was sold between 1989 and 2003, but its architecture more closely resembles machines from the early 1980s, like the Commodore 64 or the NES. This talk attempts to communicate “everything about the Game Boy” to the listener, including its internals and quirks, as well as the tricks that have been used by games and modern demos, reviving once more the spirit of times when programmers counted clock cycles and hardware limitations were seen as a challenge.
Last talk I saw at the congress, with a packed audience. Very well prepared, and communicates the effects used in Gameboy programming well.
Shining some light on the Amazon Dash button
This talk will explore the hard- and software of the Amazon Dash button.
PS4: PC Master Race
Last year, we demonstrated Linux running on the PS4 in a lightning talk - presented on the PS4 itself. But how did we do it? In a departure from previous Console Hacking talks focusing on security, this year we’re going to focus on the PS4 hardware, what makes it different from a PC, and how we reverse engineered it enough to get a full-blown Linux distro running on it, complete with 3D acceleration.
Yay, more console hacking! Very impressive technical level, learnt a lot about hardware and Linux kernel while watching this!
Talks I plan to watch later
Since I did not have time to watch everything I wanted, I made a short list of the videos I am going to watch in the coming weeks:
- How Do I Crack Satellite and Cable Pay TV?
- The Fight for Encryption in 2016
- Building a high throughput low-latency PCIe based SDR
- Bootstraping a slightly more secure laptop
- Untrusting the CPU
- Software Defined Emissions
- Where in the World Is Carmen Sandiego?
- You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet
- Syrian Archive
- Tapping into the core
- Wheel of Fortune
- Gone in 60 Milliseconds
- Recount 2016: An Uninvited Security Audit of the U.S. Presidential Election
- The Untold Story of Edward Snowden’s Escape from Hong Kong
- Downgrading iOS: From past to present
- SpinalHDL : An alternative hardware description language
- How do we know our PRNGs work properly?
- Decoding the LoRa PHY
- Hacking collective as a laboratory
- Making Technology Inclusive Through Papercraft and Sound
- Do as I Say not as I Do: Stealth Modification of Programmable Logic Controllers I/O by Pin Control Attack
- Rebel cities
- The High Priests of the Digital Age
- Infrastructure review
- The Transhumanist Paradox