With topics ranging from security, hardware and science to ethics, art and culture, the 36th Chaos Communication Congress delivered a lot of outstanding lectures, and we wanted to share our favorite five.
Be sure to read about our four days at 36C3 to learn more about the history of the Congress and the significance of their motto, and to get a general overview of the event.
Today we're highlighting five noteworthy talks from the Congress about security and hacker culture. While mobile security accidentally became sort of a motif on this list, we also have some interesting looks at PDF security, the exploitation of wireless protocols and a video project with valuable and entertaining documents from the history of hacker culture.
The list is in no particular order:
- 1. What's left for private messaging?
- 2. Messenger Hacking: Remotely Compromising an iPhone through iMessage
- 3. Hack_Curio
- 4. All wireless communication stacks are equally broken
- 5. How to Break PDFs
1. What's left for private messaging?
The mass adoption of private messaging has brought the importance of end-to-end encryption to the forefront. There are new ideas out there to improve usability while maintaining a high level of privacy, but there are reasons why they haven't been implemented yet and still need further development. Will Scott explored these themes, the current state of private messaging, and where it can go from here.
First, he surveyed the systems used for secure communication and analyzed their components, then covered their adversaries, implications and trade-offs. The most common form of private messaging relies on a centralized server run by a single provider, such as Facebook, WhatsApp, Slack or Wire. This exposes the communication to threats at several layers: on the local network, at the ISP, in the data center. And at the server itself, a legal entity could request your data, an attack could compromise the server, and even a merger or acquisition could put your data at risk by placing it at the disposal of an organization you might not trust.
He then covered mechanisms of protection against these adversaries, such as traffic obfuscation and server hardening, techniques that revolve around trusting the server less. After going through federated systems, and further down the line putting less and less trust into a single entity, you eventually end up with a set of fully decentralized systems.
Will also focused on counteracting threats, going into detail on each tactic and highlighting projects being developed to improve existing solutions.
We found that Will Scott's terrific second keynote at the Congress covered a lot of critical and fascinating information about the challenges of and solutions for private messaging. You can view the entire recording below:
2. Messenger Hacking: Remotely Compromising an iPhone through iMessage
A perfect continuation of Will Scott's private messaging lecture was delivered by Samuel Groß in his talk "Messenger Hacking: Remotely Compromising an iPhone through iMessage."
Samuel is a security researcher at Google Project Zero, where he focuses on web browser and mobile security. He has discovered and reported on many vulnerabilities, some quite notably on the iPhone.
Samuel presented an iMessage exploit that doesn't require the victim to click on a link, open an attachment or do anything at all. Using only the target's phone number or email address, he showed how quickly he could gain full access to the device and its sensitive data, including passwords, emails, SMS and other messages, with no visual indicator such as a pop-up during the process.
The exploit targeted iOS 12.4; Apple fixed the underlying vulnerability in August of last year. After presenting the vulnerability itself, we saw a technique for defeating ASLR through a side channel that exists in the form of iMessage delivery receipts. Once ASLR was broken, Samuel showed how to gain code execution by triggering the same vulnerability one more time.
The talk ended with a few pieces of advice for vendors on safety, security and thwarting attackers. As Groß said himself, a one-hour lecture isn't long enough to present his full range of research, which is why he's released a blog post series detailing various vulnerabilities and exploits.
3. Hack_Curio
More evidence that the first day of the Congress was possibly the best is a lecture that doesn't necessarily fall into the security track. Hack_Curio, a video project by Gabriella "Biella" Coleman and Paula Bialski, features hacker culture-related videos with commentary by the many contributing creators.
Representations of hackers abound in popular culture, such as in hacker movies and even the news. The image is not often a positive one; a hooded figure sitting alone at his computer, for instance, or perhaps a criminal hired by the government. Contributing to this perception of hackers is the lack of media and historical support needed to paint a clearer and more accurate picture of the community, one that illustrates the true diversity of hackers.
The project takes an objective stance and aims to present hackers as they truly are, whether they're the heroes of the story, villains or mischief-makers. We saw a video about "Joybubbles" Joe Engressia, an important figure in the history of phone phreaking, showcasing his perfect pitch. We cringed as we watched a video of Steve Ballmer going wild on stage at a Microsoft conference. We revisited a few legends of the hacker scene, including hacktivists like Phineas Fisher, phone phreaks, and Tim Jenkin with his encrypted communication system, Vula. There was a section dedicated to inclusion politics in hacking, with Naomi Ceder representing an important part of hacker history.
And how can we forget Vladimir Putin and his comparison of hackers to artists, who wake up in the morning in a good mood and start painting? While we may find it funny, even refreshing, to see a person of authority speak publicly about hackers in a humorous way, we can't overlook the political undertones of his statement (he was discussing Russian involvement in the US elections). But that might even make it more fun.
Whatever the case, we're glad it inspired this meme:
4. All wireless communication stacks are equally broken
On the second day of the Congress, Jiska Classen, a PhD student whose research focuses on IoT ecosystem security, applied wireless security and reverse engineering, held a lecture titled "All wireless communication stacks are equally broken."
This was a shorter, more general talk, focused on the wireless attack surface and its exploitation, in particular through fuzzing.
"Wireless chips run a firmware that decodes wireless signals and interprets frames. Any parsing error can lead to code execution within the chip. This is already sufficient to read data passing the chip in plaintext, even if it would be encrypted while transmitted over the air."
Jiska presented her team's toolkit for fuzzing, going through wireless protocols traditionally available with our smartphone devices, such as WiFi, LTE, Bluetooth and NFC, but with a specific focus on Bluetooth fuzzing.
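To make the quoted point concrete, here is an added example of our own, not code from the talk or from the team's toolkit: a constructed TLV-style frame parser that trusts its length field, a model of the unchecked copy the firmware would perform, and a small mutation fuzzer that finds the overrun. The frame format, the 32-byte receive buffer, the seed frame and the fuzzing loop are all constructed for illustration; a real wireless stack runs this kind of parser inside the chip's firmware, where the overrun is a silent memory corruption rather than a Python exception.

```python
import random

BUF_SIZE = 32  # constructed: size of the firmware's receive buffer

# Constructed seed frame: type(1 byte) | length(1 byte) | payload
SEED_FRAME = bytes([0x01, 8]) + b"HELLOABC"


class MemoryCorruption(Exception):
    """Raised by our memcpy model where real firmware would silently corrupt memory."""


def memcpy(dst: bytearray, dst_off: int, src: bytes, n: int) -> None:
    # Model of an unchecked memcpy: the only thing it checks is the
    # destination bound, and it reports a violation instead of corrupting.
    if dst_off + n > len(dst):
        raise MemoryCorruption(
            f"write of {n} bytes at offset {dst_off} overruns {len(dst)}-byte buffer")
    dst[dst_off:dst_off + n] = src[:n].ljust(n, b"\0")


def parse_frame_vulnerable(frame: bytes):
    """Parser that trusts the attacker-controlled length field."""
    if len(frame) < 2:
        return None
    ftype, flen = frame[0], frame[1]
    buf = bytearray(BUF_SIZE)
    memcpy(buf, 0, frame[2:], flen)  # bug: flen may exceed BUF_SIZE
    return ftype, bytes(buf[:flen])


def parse_frame_hardened(frame: bytes):
    """Same parser with the length validated against both buffer and frame."""
    if len(frame) < 2:
        return None
    ftype, flen = frame[0], frame[1]
    payload = frame[2:]
    if flen > BUF_SIZE or flen > len(payload):
        return None  # drop malformed frame instead of copying
    buf = bytearray(BUF_SIZE)
    memcpy(buf, 0, payload, flen)
    return ftype, bytes(buf[:flen])


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Dumb byte-level mutation: overwrite one to three random bytes."""
    b = bytearray(frame)
    for _ in range(rng.randint(1, 3)):
        b[rng.randrange(len(b))] = rng.randrange(256)
    return bytes(b)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 36):
    """Mutation fuzzer: returns (iteration, crashing frame, message) or None."""
    rng = random.Random(rng_seed)
    for i in range(iterations):
        frame = mutate(seed, rng)
        try:
            parser(frame)
        except MemoryCorruption as exc:
            return i, frame, str(exc)
    return None


if __name__ == "__main__":
    print("vulnerable:", fuzz(parse_frame_vulnerable, SEED_FRAME))
    print("hardened:  ", fuzz(parse_frame_hardened, SEED_FRAME))
```

The fuzzer needs no knowledge of the bug: it only needs a seed frame and an oracle for "something went wrong". In firmware there is no exception to catch, which is why wireless fuzzing toolkits invest so much in detecting crashes and hangs on the chip itself.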
At the end of the talk we saw a disclosure timeline that struck us as both funny and a little bit sad: the bug lives in proprietary firmware, so fixing it depends on the manufacturer, and you can imagine the duration and "complexity" of the reporting process required to get it fixed.
5. How to Break PDFs
There were so many extraordinary lectures on the first day of the Congress! Another was "How to Break PDFs" by Vladislav Mladenov and Fabian Ising, which introduced us to breaking PDF encryption and accessing content.
Almost all organizations and governmental institutions worldwide use PDF as their standard for document sharing. The format offers encryption, in which the recipient enters a password to access the confidential content of the PDF. The research on PDF encryption and signatures presented here comes from a large team of experts around Ruhr University Bochum.
The first part of the talk was devoted to digitally signed PDF files; the second part dove deeper into PDF encryption. As per their research website, the security problems they discovered in PDF encryption can be summarized as follows:
- Even without knowing the corresponding password, an attacker possessing an encrypted PDF file can manipulate parts of it
- PDF encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, which implies ciphertext malleability
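The second point is the one a practitioner should take away: CBC without a MAC lets anyone holding the ciphertext flip chosen bits of the plaintext without knowing the key. The added example below is ours, not the researchers' code. A toy Feistel block cipher built on HMAC-SHA256 stands in for AES so the block runs without third-party libraries; the attack in malleate() depends only on CBC's chaining and not on the cipher, so it works identically against AES-CBC. The key, IV, plaintext layout and the "attacker knows which bytes sit where" assumption are all constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes, same as AES
ROUNDS = 4   # constructed toy cipher; not meant to be secure, only invertible


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF over (round number, right half)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def malleate(iv: bytes, ciphertext: bytes, offset: int, known: bytes, desired: bytes):
    """Attacker-side edit that needs no key.

    In CBC, plaintext block j = D(C[j]) XOR C[j-1] (with C[-1] = IV), so
    flipping a bit in C[j-1] flips the same bit in plaintext block j.
    With the data laid out as iv || ciphertext, the byte that XORs into
    plaintext position p is exactly index p of that layout.
    """
    if len(known) != len(desired):
        raise ValueError("known and desired must have the same length")
    buf = bytearray(iv + ciphertext)
    for k, (o, d) in enumerate(zip(known, desired)):
        buf[offset + k] ^= o ^ d
    return bytes(buf[:BLOCK]), bytes(buf[BLOCK:])


def demo():
    key = b"\x01" * 16       # constructed key; the attacker never learns it
    iv = bytes(range(16))
    plaintext = b"TO: alice       " + b"AMOUNT: 00000100"
    ct = cbc_encrypt(key, iv, plaintext)
    # 1. Edit block 0 through the IV: a clean rewrite, nothing else changes.
    iv1, ct1 = malleate(iv, ct, 4, b"alice  ", b"mallory")
    clean = cbc_decrypt(key, iv1, ct1)
    # 2. Edit block 1 through ciphertext block 0: block 1 reads as desired,
    #    block 0 decrypts to garbage, and without a MAC nobody notices.
    iv2, ct2 = malleate(iv, ct, 24, b"00000100", b"99999999")
    garbled = cbc_decrypt(key, iv2, ct2)
    return clean, garbled


if __name__ == "__main__":
    clean, garbled = demo()
    print(clean)
    print(garbled)
```

The fix is not a different block cipher but authenticated encryption (or an encrypt-then-MAC construction), so that any modified ciphertext is rejected before it is decrypted and parsed.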
In their work on digital signatures, they analyzed popular PDF viewers and were able to break the signature validation of 21 of them. Turning to encryption, popular viewers such as Adobe Acrobat and the built-in viewers of Firefox and Chrome were vulnerable to at least one of the three attacks that abuse these weaknesses in PDF encryption, enabling targeted manipulation of encrypted content.
With so many assemblies, lectures and networking opportunities taking place at the Congress and inevitably overlapping, it can be disappointing to miss a must-see lecture. Thankfully, live streams during the four days left us with recordings of all the talks. It was hard to choose only five of the best, but we feel these really stand out, not only for the clever techniques they showcased but also for their entertainment factor, a necessity for the Congress.
What were your favorite talks from this year's Chaos Communication Congress? We'd love to hear about them—let us know on Twitter!