Fahrplan Sneak

The final 30c3 schedule is going to be late, we know… however, please stay tuned, as it’s still work in progress, and we can promise the Fahrplan will be awesome!

We’d like to tell you about some of the security highlights at 30c3. There are three major groups of interest this year:

  1. Cryptography
  2. Hardware & Embedded Device Security
  3. Software & Protocol Reverse Engineering

First, let’s start with a cryptography highlight: Nadia Heninger, Tanja Lange and Daniel J. Bernstein will be presenting “This Year in Crypto”. They will cover stuff that was broken before and continues to be broken again and again. The talk will also cover the coming Cryptopocalypse, backdoors in cryptographic implementations and the authors’ worries and concerns in regard to crypto in general. It’s worth mentioning that they initially recommended that their talk should be part of the Art & Beauty Track, since crypto is beautiful (and finessing crypto is an art).

Another cryptographic highlight this year is a lecture by Dmitry Khovratovich who’s going to talk about White-Box Cryptography. He’s going to explain the differences between White-Box & Public-Key Cryptography and obfuscation. This will include an overview of the white-box crypto concept along with the most common applications and proposed designs.

The Hardware & Embedded Security track will also feature several noteworthy lectures this year. Due to the outstanding quality of the submissions, it’s difficult to mention just a handful of talks. However, we’d like to highlight the following ones:

Console Hacking 2013 – It’s the year of the Wii U. This talk will cover improvements made in the architecture over previous console generations. Still, its security system was completely bypassed, and the authors will show how the Wii U was broken in less than 31 days. You’ll be able to reproduce all of the presented attacks at home – if you bring basic knowledge of embedded systems and CPU architectures.

Staying on the topic of Embedded Security and Embedded Privacy, Martin Herfurt will be presenting his research on Hybrid broadband broadcast TV (HbbTV). This is the new de-facto standard, which is currently being rolled out around the world. This new standard raises several security and privacy concerns. Martin will cover the emerging standard and how to deal with those security & privacy concerns.

Dr. Peter Laackmann will be covering the last 25 years of smartcard hacking (in German). This will be a rather entertaining talk with many crazy IC analysis techniques that you don’t want to miss – even if you’re not that much into technical details of chip-card hacking (or German).

As already mentioned, there is a substantial number of excellent hardware-security related talks this year. To keep the blog post short, here are just a few more that deserve to be mentioned:

  • Ralf P. Weinmann will talk about Hexagon Challenges: Baseband Exploitation in 2013,
  • Dmitry Nedospasov will be presenting his approaches on physical attacks of ICs’ backsides,
  • Adrian Dabrowski is going to introduce you to the RFID Treehouse of Horror, and how to hack city-wide access control systems.

Though it’s difficult to categorize the remaining submissions, they include Software and Protocol Reverse Engineering as well as any remaining software security related topics.

Jan Schejbal and his colleagues reverse engineered one of the implementations of the CHIASMUS cipher, designed by the BSI (Bundesamt für Sicherheit in der Informationstechnik). This work will not only reveal insights on the non-public CHIASMUS-cipher, but also uncover serious implementation issues in the “official” GSTOOL. The implementation issues allow an attacker to crack files that have been encrypted with GSTOOL with very little effort.

Also worth mentioning: Collin Mulliner’s “Dynamic Dalvik instrumentation of Android Applications and the Android framework” as well as Andreas “Bogk’s Bug Class Genocide”. Ilja van Sprundel will try to debunk the greatness of a well known open-source project: the X11 or X.org code.

See you at 30c3!

30c3 Security team