38C3: A Hacker's Travelogue

Between Christmas and New Year's, a time when most of the world winds down, the hacker community comes alive at the annual Chaos Communication Congress (CCC). I had the opportunity to represent Semaphore's Tailored Security Assessment (TSA) team at the 38th iteration (38C3) in Hamburg. As penetration testers, we are constantly seeking to expand our in-depth knowledge of attack vectors and understanding of emerging security vulnerabilities.


The congress's unique assembly concept enables communities and groups to create their own spaces at the conference, each forming an area of specialized focus. Whether it was hardware hacking workshops at tailored workbenches, deep technical discussions about novel attack methodologies, or collaborative coding sessions, these self-organized elements provided some of the most valuable learning experiences of the congress.


Some of the trends that we have observed during this year's 38C3:

• AI System Integration: As AI systems become more mainstream and popular, they are being integrated with a growing range of other systems. This results in the emergence of novel attack surfaces and vulnerabilities. The intersection of AI with traditional systems creates complex security challenges, including potential vulnerabilities in AI-enhanced control systems and manipulation of AI decision-making processes. This technology shift is forcing security researchers and penetration testers to develop new methodologies for testing and securing AI-integrated systems.


• Hardware Security Testing: Equipment that was once reserved for well-funded corporations or nation-state actors is becoming more accessible. Many tools can now be self-built or acquired at reasonable cost, enabling broader participation in hardware security research and testing. From electromagnetic fault injection tools to custom protocol analyzers, the barrier to entry for hardware security research continues to lower, which results in more hardware vulnerabilities being uncovered.


• Critical Communication Systems: The security landscape of communication protocols, particularly in industrial control systems and critical infrastructure, continues to reveal significant vulnerabilities, from unencrypted radio-based control systems managing renewable energy infrastructure to proprietary industrial protocols. We are now seeing how fundamental communication systems can harbor serious security implications. This trend emphasizes the need for thorough security assessments that consider both traditional and non-traditional communication channels, especially in systems where failure could have far-reaching consequences.



Some of the best talks during congress this year were:

- ACE up the sleeve: Hacking into Apple's new USB-C Controller - A very interesting presentation from Thomas Roth (stacksmashing), who detailed the exploitation of Apple's new USB-C controller (ACE3). The methodology involved a fascinating combination of hardware attacks, including electromagnetic fault injection and side-channel analysis.


- Breaking NATO Radio Encryption - The presentation on NATO radio encryption vulnerabilities in the HALFLOOP-24 algorithm was particularly noteworthy. The researchers demonstrated how differential cryptanalysis could be leveraged to compromise the encryption with just two hours of intercepted radio traffic.


- We've not been trained for this: life after the Newag DRM disclosure - One of the more anticipated talks this year was the follow-up to last year's talk, “Breaking DRM in Polish trains”. The presentation detailed the aftermath of discovering intentional failure-simulation code in train systems, which led to multiple investigations and legal challenges.


- The evolution of iOS spyware, from Pegasus to Predator - This was one of my favorite talks of this year, providing a history lesson on spyware targeting iOS over time.


- BlinkenCity: Radio-Controlling Street Lamps and Power Plants - This was an unexpected but fascinating presentation covering vulnerabilities in some of Europe's renewable energy infrastructure that can be remotely controlled via longwave radio. The research into the Versacom and Semagyr protocols revealed how unencrypted and unauthenticated control signals could potentially be exploited.



The technical depth and breadth of presentations at 38C3 demonstrate that the security landscape continues to evolve in unexpected ways. As penetration testers, it is important to stay up to date on current developments and new testing methodologies. We are excited to integrate some of these insights into our TSA methodology and continue delivering high-quality, technical security assessments that help our clients identify and mitigate security vulnerabilities.


CCC is a very open conference, so most of the videos are also published. If you want to see any of them, head over to https://media.ccc.de/c/38c3 and watch a presentation or two. If you want a recommendation, feel free to shoot me a message :)