Hardware hacking tooling for the new iPhone generation
stacksmashing
Hardware hacking tooling for the new iPhone generation If you've followed the iPhone hacking scene you probably heard about cables such as the Kanzi Cable, Kong Cable, Bonobo Cable, and so on: Special cables that allow access to hardware debugging features on Lightning-based iPhones such as UART and JTAG. However with the iPhone 15, all of those tools became basically useless: USB-C is here, and with that we need new hardware and software tooling. This talk gives you a brief history of iPhone hardware hacking through the Lightning port, and then looks at the new iPhone 15, and how - using vendor defined messages, modifying existing tooling like the Central Scrutinizer, and a bit of hardware hacking - we managed to get access to the (unfortunately locked on production devices) JTAG interface exposed on the USB-C port on the new iPhone 15. And how you can do it using open-source tooling too.
bzvr_, kucher1n, oct0xor
Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That’s exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and discovering of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of the attack. Now, for the first time, we're ready to tell you all about it. This is the story of the most sophisticated attack chain and spyware ever discovered by Kaspersky.
TETRA unlocked after decades in the shadows
Carlo Meijer, Jos Wetzels, Wouter Bokslag
This talk will present details of the TETRA:BURST vulnerablities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, military, and critical infrastructure relying on secret cryptographic algorithms which we reverse-engineered and published in August 2023. Adding to our initial disclosure, this talk will present new details on our deanonymization attack and provide additional insights into background and new developments.
Security Of Railway Communication Protocols
Katja Assaf
The railway communication network looks different from your standard corporate IT. Its hardware, software and protocols have many peculiarities since it is an old, distributed, fragmented and highly standardised system. This creates problems when trying to introduce state-of-the-art IT security, and then there is the mindset: "But we always have done it this way!"
Donncha Ó Cearbhaill
Ever evolving mercenary spyware continues to threaten the safety of activists, journalist and human rights defenders around the world. Following the exposure of the Pegasus spyware scandal, this talk will be a technical deep dive into the tactics and techniques sold by the European-based spyware alliance Intellexa, which is used by governments to infect the devices and infrastructure we all depend on.
Advanced QEMU-based fuzzing
Addison Crump, andreafioraldi, domenukk, Dongjia Zhang, van Hauser
The maintainers of the AFLplusplus open-source project show crazy new ways to (ab)use QEMU to explore difficult, binary-only targets through fuzzing. We present a proof of concept using LibAFL\_qemu to find command and SQL-injections, going beyond the classic fuzzing for memory corruption. We also showcase how to build a custom fuzzer to test Android libraries without using a phone.
The cybersecurity dark side of solar energy when clouds are involved
Sebastien
In this talk we will have a look at some cybersecurity challenges raised by the trend of decentralizing our energy production. Our energy infrastructure is now changing from a centralized system based on big power plants to a more decentralized system based on renewable energy produced by smaller power plants (maybe yours). In Germany alone, [300.000 so called balcony power plants were in operation by August 2023](https://www.heise.de/hintergrund/Ueber-300-000-Balkonkraftwerke-in-Deutschland-in-Betrieb-Statistik-der-Woche-9285107.html). Most of these smaller power plants are / will be somehow connected to some cloud services. To show that security hasn't been the biggest priority, we will examine the cybersecurity controls of different solar inverters. To put it mildly: there is room for improvement. We will also discuss the need for better regulations and enforcement of cybersecurity for smaller connected power plants: altogether they probably produce more power than the bigger ones - and this trend is accelerating. Protecting our infrastructure shall have - today more than ever before - a high priority.
Real-world exploits and mitigations in Large Language Model applications
Johann Rehberger
With the rapid growth of AI and Large Language Models users are facing an increased risk of scams, data exfiltration, loss of PII, and even remote code execution. This talk will demonstrate many real-world exploits the presenter discovered, including discussion of mitigations and fixes vendors put in place for the most prominent LLM applications, including ChatGPT, Bing Chat and Google Bard.
beyond the trivial
Ilja van Sprundel
In this talk, we delve into the captivating realm of TCP/IP stack fuzzing. As the backbone of internet communication, the TCP/IP stack is a prime target for cyber threats. This presentation will unravel the intricacies of fuzzing techniques applied to several TCP/IP stacks, shedding light on how these methodologies can uncover bugs, crashes and vulnerabilities. From the fundamentals of packet fuzzing to advanced mutation strategies, attendees will gain valuable insights into the proactive ways to fuzz a TCP/IP stack. Whether you're a seasoned cybersecurity professional or a curious enthusiast, this talk promises to be an enlightening journey into the heart of TCP/IP stack security and the crucial role of fuzzing in safeguarding our interconnected world.
Uncovering fake base stations on iOS devices
lukasarnld
Your phone’s internal communication contains precious data. It can be analyzed to detect fake base stations used in cellular attacks. For that, we reverse-engineered a proprietary communication channel between the phone’s OS and modem.
Über „Girodays“ & anderen Kuriositäten
Tim Philipp Schäfers (TPS)
Debitkarte/girocard geklaut? – Schnell sperren lassen … doch was, wenn die Sperrung nicht so wirksam ist, wie es scheint? Im Rahmen des Vortrages werden Datenschutz- und IT-Sicherheitsmängel im KUNO-Sperrsystem vorgestellt. Das System ist bei > 90 % der Händler in Deutschland im Einsatz und soll seit einem Beschluss der Innenministerkonferenz im Jahr 2005 garantieren, dass das elektronische Lastschriftverfahren (ELV) vor Betrug sicher(er) ist. Im Rahmen des Vortrages wird unter anderem aufgezeigt, wie es Unbefugten/Taschendieben (über Jahre) möglich war, gesperrte EC- & Debitkarten/ girocards für die ELV simpel zu entsperren. Darüber hinaus werden Streifzüge durch die Themen der IT-Sicherheit, des Datenschutzes und Payments vorgenommen – Vergnügen für alle Datenreisenden ist garantiert :) Weitere Infos zu den Lücken (Ende des Jahres) unter: https://giroday.de
A deep dive into an underrepresented research area
Kevin Gomez
The importance and relevance of vehicles in investigations are increasing. Their digital capabilities are rapidly growing due to the introduction of additional services and features in vehicles and their ecosystem. In this talk on automotive digital forensics, you will embark on a journey through the cutting-edge world of automotive technology and the critical role digital forensics plays in this domain. We will explore the state-of-the-art methods and tools to investigate modern vehicles, shedding light on forensic experts' significant challenges. This presentation delves into the latest research areas and trends, providing insights into how technology rapidly evolves in the automotive industry, creating opportunities and challenges for digital forensics specialists. We will also peer into the future, discussing the directions in which automotive digital forensics is heading and the implications for our increasingly connected and autonomous vehicle landscape. Through case studies, you will gain a firsthand look at different investigations conducted on modern vehicles, showcasing the real-world applications of digital forensics in this field--explicitly focusing on privacy issues and security pitfalls in modern vehicles. Whether you're a seasoned expert or a curious enthusiast, this talk will give you a deeper understanding of the complex intersection of automotive technology and digital investigations.
Christian Werling, Hans Niklas Jacob - hnj, Niclas Kühnapfel
Tesla's driving assistant has been subject to public scrutiny for good and bad: As accidents with its "full self-driving" (FSD) technology keep making headlines, the code and data behind the onboard Autopilot system are well-protected by the car manufacturer. In this talk, we demonstrate our voltage-glitching attack on Tesla Autopilot, enabling us root privileges on the system.
Decrypting files hijacked by the "second most used ransomware in Germany"
muelli
We present an analysis and recovery method for files encrypted by Black Basta, the "second most used ransomware in Germany". We analysed the behaviour of a ransomware encryptor and found that the malware uses their keystream wrongly, rendering the encryption vulnerable to a known-plaintext attack which allows for recovering affected files. We confirmed the finding by implementing tools for recovering encrypted files. We have made our tools for decrypting files without access to the actual key available to victims directly, through BSI, and to incident responders, as well as German and international law enforcement. Now, we are actively publishing these tools, along with the knowledge shared in our talk, empowering affected organizations to recover some of their files without succumbing to paying the criminals.
Alexander Heinrich, jiska
Apple's cutting-edge emergency SOS and location sharing services provide crucial communication alternatives when no cellular network is available. This talk will shed light on how these satellite services work, how they are integrated into existing fall and crash detection, present the security measures employed to safeguard resource access and privacy, and explore how this communication is embedded within the operating system.
braelynnn, Dennis Giese
For the past 5 years we have been presenting ways to hack and root vacuum robots at various events like the c3 or the DEFCON. In all these cases it covered vacuum robots by Roborock, Dreame, Xiaomi and some smaller companies. However, did we ever take a look at other vendors and maybe some new interesting device classes? In this talk we do exactly that, and will take a deep dive into Ecovacs robots!
Finishing off the Nintendo DSi
PoroCYon
Over the years, many talks about console jailbreaks have been presented at CCC. However, one console has been left overlooked: the Nintendo DSi. It didn't see any serious hacks in its active lifetime, the ones that eventually appeared aren't completely satisfactory, and several components (such as its boot ROMs) were left untouched. In this presentation, we rectify the situation, explain how to extract the boot ROMs, and demonstrate new jailbreaks that can take over the console at an even deeper level. As a bonus, this work makes it possible to revive consoles with worn-out eMMC NAND chips.
Aarch64 binary rewriting adventures but mostly pains
@cyanpencil (Luca Di Bartolomeo)
A talk on the first heuristic-free static binary rewriter for aarch64. Why is it the first? Because everyone else already knew how much of a bad idea this would have been.
Breaking and fixing the Bluetooth standard. One More Time.
Daniele Antonioli
Ciao! We present the BLUFFS attacks (CVE-2023-24023), six novel attacks breaking Bluetooth's forward and future secrecy. Our attacks enable device impersonation and machine-in-the-middle across sessions by compromising and re-using one session key. We discuss the four vulnerabilities in the Bluetooth specification enabling the attacks, two of which are new and related to unilateral and repeatable session key derivation. We describe the toolkit we developed and open-sourced to test our attacks via firmware binary patching, our experiments where we exploited 18 heterogeneous Bluetooth devices, and the practical and backward-compliant session key derivation protocol we built to fix the attacks by design. We also cover related work like KNOB, BIAS, and BLUR, and educational Bluetooth security tips and tricks.
Wie man Stalkerware und Staatstrojaner auf Smartphones finden kann
vik3000
Smartphones sind in den letzten zehn Jahren zu einem allseits beliebten Angriffsziel geworden, sei es für Stalkerware, Staatstrojaner oder Banking-Malware. In diesem Vortrag wollen wir einen Überblick geben, mit welchen Techniken und Open-Source-Tools man auf Smartphones (unter iOS und Android) auf die Jagd nach Malware gehen kann. Im Anschluss findet ein Workshop mit einem praktischen Teil zum Ausprobieren einiger dieser Techniken statt.
A Beginner’s Guide
Christoph Wolff, Pascal Zenker
This introductory session will outline the process of hacking internet-connected devices, with the help of a real world example: Poly telephones and conference speaker systems. We will explain vulnerabilities we identified in them and how they can be leveraged to transform the devices into wiretaps.
using my blog as example
Fefe
I have previously given talks about security principles and approaches like Least Privilege, TCB Minimization, and Self Sandboxing. The most frequent feedback has been "I don't know how to apply this in practice". So, in this talk, I will show how I applied those principles in a real-world software project: a CRUD web app. My blog. I introduced dangerous attack surface on purpose so I could some day give a talk about how to apply these techniques to reduce risk. This is that talk. I will also introduce the concept of append-only data storage.
Christoph Saatjohann, Sebastian Schinzel
Elektronische Arbeitsunfähigkeitsbescheinigungen (eAU), Arztbriefe, medizinische Diagnosen, all diese sensiblen Daten werden heute mittels KIM – Kommunikation im Gesundheitswesen – über die Telematikinfrastruktur (TI) verschickt. Aber ist der Dienst wirklich sicher? Wer kann die Nachrichten lesen, wo werden die E-Mails entschlüsselt und wie sicher ist die KIM-Software? Im Live-Setup einer Zahnarztpraxis haben wir Antworten auf diese Fragen gesucht.
Timo Longin
Introducing a novel technique for e-mail spoofing.
Ben H
A walkthrough of the assembly code idioms the Rust compiler uses to implement the language’s core features (as they appear in Klabnik’s and Nichols’ “The Rust Programming Language”) - starting with simple match expressions and all the way to monomorphized functions and iterator chains.
cerebro, e7p, Steffen Becker
Ensuring the integrity of Integrated Circuits (ICs) against malicious hardware Trojans is paramount for secure electronic devices. One approach involves imaging the manufactured chips to compare them with their original design files. While such techniques for detecting Trojans are relatively well-known in the industry, there is a notable absence of comprehensive, publicly available case studies. To bridge this gap, we unveil a Red Team vs. Blue Team case study on hardware Trojan detection across four digital ICs in various modern feature sizes. We share our findings, algorithms, and image datasets, shedding light on the efficiency of these techniques, and offer insights into the impact of technology scaling on detection performance.
Adam Batori
Following the failure and easy exploitation of the AACSv1 DRM on HD-DVD and Blu-ray, AACS-LA went back to the drawing board and announced the next generation AACSv2 DRM scheme, launching alongside 4K UHD Blu-ray in 2015. Since then, nearly no information has come out publicly about any vulnerabilities or even the algorithms themselves, owing in large part to software players requiring the use of Intel SGX secure enclave technology, which promises integrity and confidentiality of AACSv2 code and data through local and remote attestation mechanisms. Join us as we explore the broken history of AACS, describe practical side-channel attacks against SGX, and present the first look into the inner workings of AACSv2 DRM, culminating in a demonstration of the first full compromise of AACSv2 and unofficial playback of a UHD-BD disc.
Konrad Kohbrok, Raphael Robert
They call it RFC 9420, we say MLS: A new IETF standard for end-to-end encryption was published in July and brings large improvements in performance and security compared to existing protocols. We are here to present Messaging Layer Security, its ecosystem and its roadmap. The MLS protocol is already being used in production to end-to-end encrypt Webex conference calls and will soon provide encryption for Android messages and RCS 2.0 for billions of users. Other messaging tools (such as Discord, Matrix, Wire, etc.) are currently trialing MLS and are expected to follow. Why was the protocol developed in the first place? How does it work? What are the next steps for MLS?
sre
Mainframe, Oldenburg's Hackerspace, needed a wireless door lock solution. We do not trust vendors advertising promises about the device security and had a closer look.