36C3 Day 2 – Highlights from the 36th Chaos Communication Congress

Day number 2 at the Chaos Communication Congress (36C3) continues where it left off the day before. There is only limited time for sleep; which is why many visitors drag themselves out of bed at an unusually early time for hackers. Nevertheless, the 6-2-1 rule – at least 6 hours of sleep, 2 meals, and one shower per day – is highly valued at the Congress. Full of motivation I, too, set off early towards the Leipzig exhibition center for another great day.

Read day 1: https://basto.digital/en/posts/events/36c3-day-1/

Wi-Fi vs. Bluetooth

In her talk “All wireless communication stacks are equally broken” Jiska Classen (Secure Mobile Networking Group, TU Darmstadt (SEEMOO)) explained the flawed state of wireless communication. Wi-Fi and Bluetooth share much more than just the transmission frequency of 2.4 GHz. In order for different components to transmit simultaneously on the 2.4 GHz band, the Wi-Fi and Bluetooth interfaces involved must coordinate with each other, since simultaneous transmission is not possible.

This can only work if the chips agree on the distribution of resources and can trust each other. The security researchers succeeded in controlling the opposing chip on the smartphone, thereby causing the entire service and sometimes even the operating system to crash. By exploiting another vulnerability in the Broadcom chip, it was even possible to remotely execute code. This allows an attacker, for example, to exfiltrate the Bluetooth pairing keys, which in combination with smart lock permissions can lead to the compromise of the entire device.

Fishing in foreign data

The spokesman of the Chaos Computer Club Linus Neumann and his CCC colleague Thorsten Schröder were able to prove in a series of analyses that the so-called State Trojan used in Turkey has its origin in Germany. To be more precise, the software was most likely developed by the company Finfisher, which has been repeatedly criticized in the past. In their research, Neumann and Schröder took a closer look at a total of 28 samples of the Finspy surveillance application for Android devices. An extensive data leak following a successful hacker attack on Finfisher in 2014 served as the basis for the allocation of the samples examined.

Since then, the trojan developers have improved their techniques for disguising its origins. However, the two researchers have been able to establish a link between Finfisher and the applications using matching metrics and configuration files. Since the delivery of surveillance software to countries outside the EU requires a licence, a court will now have to clarify to what extent Finfisher has illegally sold the state Trojan Finspy to Turkey. Corresponding requests for sanctions have already been submitted by the CCC before 36C3.

Hacking == illegal?

In his lecture “Hackerparagraph § 202c StGB // Reality Check“, lawyer Ulrich Kerner explained the legal finesse of hacking in Germany. Paragraph § 202c of the German StGB already caused a lot of frustration when it was introduced in 2007, especially at the CCC. What is decisive in the current situation of the law is that even the preparation of a cyber crime is illegal. However, this does not apply to dual-use tools, i.e. software that has a valid field of usage even outside malicious hacking attacks. Port scanners such as Nmap or Remote Access Tools (RAT) are often times used by administrators to analyze their own infrastructure. That’s why the possession of such tools is not restricted by law. If you want to understand the current legal situation regarding hacking, you can read my detailed article here (German).