Chaos Computer Club - recent events feed

2,041 episodes — Page 12 of 41

Chaos Communication Chemistry (39c3)

**Over the past few decades, nucleic acids have increasingly been investigated as alternative data storage media and platforms for molecular computing. This talk builds on past research and introduces another branch to the field: DNA cryptography based on random chemistry. This technology provides a platform for conceiving new security architectures that bridge the physical with the digital world.**

Nucleic acids have been theorized as potential data storage and computation platforms since the mid-20th century. In the meantime, notable advances have been made in implementing such systems, combining academic research with industry efforts. After a general introduction to the interdisciplinary field of DNA information technology, the second half of the talk focuses on DNA-based cryptography and security systems, zooming in on the example of chemical unclonable functions (CUFs) based on randomly generated, synthetic DNA sequences. Similar to physical unclonable functions (PUFs), these DNA-based systems contain vast random elements that cannot be reconstructed, neither algorithmically nor synthetically. Using biochemical processing, we can operate these systems in a fashion comparable to cryptographic hash functions, enabling new authentication protocols. Aside from covering the basics, we delve into the advantages, as well as the drawbacks, of DNA as a medium. Finally, we explore how CUFs could in the future be implemented as physical security architectures, for example in anti-counterfeiting of medicines or as personal signatures for artworks. In a broader sense, this talk aims to inspire a reconsideration of entropy, randomness and information in the experimental sciences through a digital lens. In doing so, it provides examples of how looking at physical systems from an information perspective can unravel new synergies, applications and even security architectures.
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/chaos-communication-chemistry-dna-security-systems-based-on-molecular-randomness

Dec 28, 2025 (41 min)

Och Menno Mode: Power Cycles, Power Suit, Dresscodes WTF (39c3)

The incompetent podcast about dress codes and fashion. Why different dress codes have time and again led to odd situations and political misunderstandings. Why is business dress actually just a glorified house suit? Why does comfortable clothing become clothing worn at state receptions? Why is a dress code always open to misunderstanding? Please come to the talk in smart casual business white tie, but don't look too formal. Those who understand this, and those who don't, will feel at home. A short journey through the strange world of (men's) fashion, which makes little sense anyway. Fashion is, after all, just one way of setting yourself apart from others. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/och-menno-mode-power-cycles-power-suit-dresscodes-wtf

Dec 28, 2025 (44 min)

A post-American, enshittification-resistant internet (39c3)

Trump has staged an unscheduled, midair rapid disassembly of the global system of trade. Ironically, it is this system that prevented all of America's trading partners from disenshittifying their internet: the US trade representative threatened the world with tariffs unless they passed laws that criminalized reverse-engineering and modding. By banning "adversarial interoperability," America handcuffed the world's technologists, banning them from creating the mods, hacks, alt clients, scrapers, and other tools needed to liberate their neighbours from the enshittificatory predations of the ketamine-addled zuckermuskian tyrants of US Big Tech. Well, when life gives you SARS, you make sarsaparilla. The Trump tariffs are here, and it's time to pick the locks on those handcuffs and set the world's hackers loose on Big Tech. Happy Liberation Day, everyone! Enshittification wasn't an accident. It also wasn't inevitable. This isn't the iron laws of economics at work, nor is it the great forces of history. Enshittification was a choice: named individuals, in living memory, enacted policies that created the enshittogenic environment. They created a world that encouraged tech companies to merge to monopoly, transforming the internet into "five giant websites, each filled with screenshots of the other four." They let these monopolists rip us off and spy on us. And they banned us from fighting back, claiming that anyone who modified a technology without permission from its maker was a pirate (or worse, a terrorist). They created a system of "felony contempt of business-model," where it's literally a crime to change how your own devices work. They declared war on the general-purpose computer and demanded a computer that would do what the manufacturer told it to do (even if the owner of the computer didn't want that). We are at a turning point in the decades-long war on general-purpose computing. Geopolitics are up for grabs. The future is ours to seize.
In my 24 years with EFF, I have seen many strange moments, but never one quite like this. There are plenty of terrifying things going on right now, but there's also a massive, amazing, incredible opportunity to seize the means of computation. Let's take it. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/a-post-american-enshittification-resistant-internet

Dec 28, 2025 (1h 1m)

Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents (39c3)

This talk demonstrates end-to-end prompt injection exploits that compromise agentic systems. Specifically, we will discuss exploits that target computer-use and coding agents, such as Anthropic's Claude Code, GitHub Copilot, Google Jules, Devin AI, ChatGPT Operator, Amazon Q, AWS Kiro, and others. The exploits impact confidentiality, system integrity, and the future of AI-driven automation, including remote code execution, exfiltration of sensitive information such as access tokens, and even joining agents to traditional command and control infrastructure, known as "ZombAIs", a term first coined by the presenter, as well as long-term prompt injection persistence in AI coding agents. Additionally, we will explore how nation-state TTPs such as ClickFix apply to computer-use systems and how they can trick AI systems and lead to full system compromise (AI ClickFix). Finally, we will cover current mitigation strategies, forward-looking recommendations and strategic thoughts. During the Month of AI Bugs (August 2025), I responsibly disclosed over two dozen security vulnerabilities across all major agentic AI coding assistants. This talk distills the most severe findings and patterns observed. Key highlights include:

* Critical prompt-injection exploits enabling zero-click data exfiltration and arbitrary remote code execution across multiple platforms and vendor products
* Recurring systemic flaws such as over-reliance on LLM behavior for trust decisions, inadequate sandboxing of tools, and weak user-in-the-loop controls
* How I leveraged AI to find some of these vulnerabilities quickly
* The AI Kill Chain: prompt injection, confused deputy behavior, and automatic tool invocation
* Adaptation of nation-state TTPs (e.g., ClickFix) into AI ClickFix techniques that can fully compromise computer-use systems
* Insights about vendor responses: from quick patches and CVEs to months of silence, or quiet patching
* AgentHopper, which will highlight how these vulnerabilities combined could have led to an AI virus

Finally, the session presents practical mitigations and forward-looking strategies to reduce the growing attack surface of probabilistic, autonomous AI systems. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/agentic-probllms-exploiting-ai-computer-use-and-coding-agents

Dec 28, 2025 (58 min)

"They Talk Tech" live mit Anne Roth (39c3)

"They Talk Tech" live: podcast hosts Svea Eckert and Eva Wolfangel talk with Anne Roth, digital policy advisor for the Left parliamentary group, net activist, sharp observer and precise analyst of digital power structures, about surveillance, digital civil liberties, feminist net politics and the political struggles behind the technology. Anne Roth has worked for many years on state security architectures, intelligence oversight, digital violence and questions of political participation. The conversation covers the mechanisms of digital power, civil liberties in the age of permanent data collection, how political decisions shape technological developments and vice versa, and where the net-politics community can step in, even in politically difficult times, to influence developments positively. An open, precise and lively discussion that speaks to both technically interested and politically minded people. Live, with room for your questions. "They Talk Tech" is a c't podcast by Svea Eckert and Eva Wolfangel. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/they-talk-tech-live-mit-anne-roth

Dec 28, 2025 (46 min)

A space odyssey #2: How to study moon rocks from the Soviet sample return mission Luna 24 (39c3)

It is 1976 and the USA has long since stopped going to the Moon when a Soviet automatic landing station called Luna 24 descends to the lunar surface. It touches down on 3.3-billion-year-old rock formations at a place no mission has ever gone before. What exactly happened remains a mystery to this day, but the space probe managed to take a 2.3 m long drill core from the lunar regolith, packaged the sample in an ingenious way and launched it on its voyage to Earth. Some days later the sample entered Earth's atmosphere, landed in remote Siberia and ended up in our hands more than 50 years later. We tell the story of the sample, the people who brought it to Earth and how we analyzed it with the newest methods, including µm-sized high-intensity X-ray beams, 30 kV electron beams and LN2-cooled infrared spectrometers. In this talk, members of the Museum for Natural History in Berlin will present the story of a Luna 24 sample retrieved by the GDR from the USSR. The sample had been almost "lost" to time. When it fell into our hands, we started understanding its historical and scientific significance, produced specialized sample containers and initiated curation efforts for the sample while slowly understanding its history and geochemical composition.

### Luna 24 Moon Mission

What happened on the 18th and 19th of August 1976 on the Moon? Why was this landing site chosen and how was the sample retrieved and brought back to Earth? How did the scientists handle these extremely precious samples? Picture: Музей Космонавтики (CC0 1.0)

### Methods and Results

Which methods can be utilized to gather new information from such a sample without destroying it? Which storage and curation methods must be used to preserve its value for the scientists who come after us? How did advanced analytical methods like µCT, electron microscopes, µ-X-ray fluorescence spectrometers and nitrogen-cooled infrared spectrometers contribute to our understanding of the sample? Fly with us to the Moon!
This work has been developed together with Christopher Hamann. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/a-space-odyssey-2-how-to-study-moon-rocks-from-the-soviet-sample-return-mission-luna-24

Dec 28, 2025 (53 min)

selbstverständlich antifaschistisch! (39c3)

The trials in the Budapest complex are meant to make an example, not only of individuals but of antifascist practice as a whole. The claim of a criminal organisation with murderous intent is an absurd legal escalation of the state's action against antifascists and bears no relation to the incidents being tried. Pursuing the proceedings in this way points above all to a strong interest in surveillance and intimidation. With this wave of trials and the repression of friends and relatives, antifascist engagement is being massively criminalised and a distorted picture of political resistance is being painted, while at the same time right-wing violence is increasing across Europe and fascist parties are gaining strength. We are seeing attacks on the rule of law and civil society increase ever further. The way the antifascists in the Budapest complex and in the Antifa-Ost proceedings are being treated is a foretaste of how political opposition could be treated in an authoritarian future. We are all affected by the right-wing authoritarian development, by fascisation. The criminalisation of antifascists as a "terrorist organisation" is part of a (worldwide) de-democratisation and erosion of the rule of law. On 26 September, the first verdict against one of the antifascists in the Budapest complex was handed down against Hanna before the Munich Higher Regional Court (OLG München): five years, in a verdict based solely on circumstantial evidence. The prosecution's murder charge was not upheld, but the existence of a violent "criminal organisation" was asserted. On 12 January 2026, the trial of Nele, Emmi, Paula, Luca, Moritz and Clara, who have been held in pre-trial detention in various prisons since January, will open before the Düsseldorf Higher Regional Court (OLG Düsseldorf). Here too the indictment constructs a criminal organisation under §129 and includes the charge of attempted murder.
Zaid, who is the subject of a European arrest warrant from Hungary, was released in early May under reporting conditions; because of his non-German citizenship, the Federal Prosecutor General did not bring charges against him. Since he remains at risk of transfer to Hungary while in Germany, he has been staying in Paris since October 2025. He is at liberty subject to conditions. A further case in the Budapest complex is being tried in Dresden together with charges from the Antifa-Ost proceedings. The trial of Tobi, Johann, Thomas (Nanuk), Paul and two other people will begin as early as November. In Budapest, Maja, who was transferred to Hungary in June 2024 contrary to an interim order of the Federal Constitutional Court (BVerfG), a transfer since found to be unlawful, remains in solitary confinement; the trial is not due to resume until January and is expected to end with the verdict on 22 January.
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/selbstverstandlich-antifaschistisch-aktuelle-informationen-zu-den-verfahren-im-budapest-komplex-von-family-friends-hamburg

Dec 28, 2025 (58 min)

netzpolitik.org Off/On: Off The Record live (39c3)

In "Off The Record" we take you into the engine room of netzpolitik.org. Once a month, editors and other team members give insights into their work. In this live edition to close out the year, we want to look behind the scenes of some major investigations: spyware apps and data brokers, a mysterious sonic weapon and the pitfalls of digitising public administration. "Off/On", the netzpolitik.org podcast, alternates between two formats: in "Off The Record" we head into the engine room of netzpolitik.org, telling how our investigations come about and making transparent how we work. In "On The Record" we interview people who shape our digital society. In this live edition of "Off The Record", Ingo Dachwitz talks with Chris Köver, Markus Reuter and Esther Mehnhard about their investigations of the year. How did they go about the research? Which obstacles did they have to overcome? How do you best package complex subject matter? And what did the investigations set in motion? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/netzpolitikorg-offon-off-the-record-live

Dec 28, 2025 (46 min)

Skynet Starter Kit (39c3)

We present a comprehensive security assessment of Unitree's robotic ecosystem. We identified and exploited multiple security flaws across multiple communication channels, including Bluetooth, LoRa radio, WebRTC, and cloud management services. Besides pwning multiple traditional binary or web vulnerabilities, we also exploit the embodied AI agent in the robots, performing prompt injection and achieving root-level remote code execution. Furthermore, we leverage a flaw in cloud management services to take over any Unitree G1 robot connected to the Internet. By deobfuscating and patching the customized, VM-based obfuscated binaries, we successfully unlocked forbidden robotic movements restricted by the vendor firmware on consumer models such as the G1 AIR. We hope our findings can offer a roadmap for manufacturers to strengthen robotic designs, while arming researchers and consumers with critical knowledge to assess security in next-generation robotic systems. Unitree is among the highest-volume makers of commercial robots, and their newest humanoid platforms ship with multiple control stacks and on-device AI agents. If the widespread, intrusive presence of these robots in our lives is inevitable, should we take the initiative to ensure they are completely under our control? What paths might attackers use to compromise these robots, and to what extent could they threaten the physical world? In this talk, we first map the complete attack surface of Unitree humanoids, covering hardware interfaces, near-field radios and Internet-accessible channels. We demonstrate how a local attacker can hijack a robot by exploiting vulnerabilities in short-range radio communications (Bluetooth, LoRa) and local Wi-Fi. We also present a fun exploit of the embodied AI in the humanoid: with a single spoken or text sentence, we jailbreak the on-device LLM agent and pivot to root-privileged remote code execution.
Combined with a flaw in the cloud management service, this forms a full path to gain complete control over any Unitree robot connected to the Internet, obtaining a root shell, camera livestreaming, and speaker control. To achieve this, we combined hardware inspection, firmware extraction, software-defined radio tooling, and deobfuscation of customized, VM-based protected binaries. This reverse engineering breakthrough also allowed us to understand the overall control logic, patch decision points, and unlock advanced robotic movements that were deliberately disabled on consumer models like the G1 AIR. Takeaways: modern humanoids are networked, AI-powered cyber-physical systems; weaknesses across radios, cloud services, and on-device agents could allow attackers to remotely hijack robot operations, extract sensitive data or camera livestreams, or even weaponize the physical capabilities. As robotics continues its transition from controlled environments to everyday applications, our work highlights the urgent need for security-by-design in this emerging technology landscape. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/skynet-starter-kit-from-embodied-ai-jailbreak-to-remote-takeover-of-humanoid-robots

Dec 28, 2025 (58 min)

Neue Chaos Events (39c3)

Something is happening on the island of Rügen and in Austria: new Chaos events. We want to talk about requirements, challenges, hurdles, experiences and moments of joy from our perspective as organisers. InselChaos took place at LaGrange e.V. in September 2025 and marks the start of further creative, informative and chaotic events on the island of Rügen. Håck ma's Castle will, with a bit of humour, also talk about the challenges that arise, among other things, from decentralised teams drawn from diverse hackspaces.

**InselChaos** Port39 e.V. had the dream of bringing Chaos to MV and hosting a larger event on the Baltic coast. Just three years old, we began planning in a small circle. A location had to be found, inspiration and ideas gathered, bureaucratic hurdles and very many individual problems solved, until at the beginning of September the time came to welcome our guests. In this talk we discuss what it is like, as a small association with a four-person orga team, to coordinate a Chaos event with over 150 guests, which difficulties we overcame along the way and, above all, which lessons we learned so that we can do even better next time.

**Håck ma's Castle** In our talk we will discuss which methods and meeting modes we tried out, the good as well as the bad decisions that were made, and above all the challenge that arises when beings don't yet know each other and we first had to come together on a human level so that the content work would go better too. Hard facts on Håck ma's Castle:

- 3 (+1) day event
- August 2024
- with a castle
- with camping
- ~330 beings
- including 1 castle cat *meow*
- orga spread across all of Austria and beyond: metalab, realraum, C3W, CCC Salzburg, /dev/lol, SegFaultDragons, SegVault, IT-Syndikat, /usr/space, Gebärdenverse, female coders, chaos.jetzt etc.
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/neue-chaos-events-inselchaos-und-hack-ma-s-castle-plaudern-aus-dem-nahkastchen

Dec 28, 2025 (58 min)

Suing spyware in Europe: news from the front! (39c3)

In 2022, CitizenLab contacted a member of the Spanish non-profit Irídia to tell them that one of their members had likely been hacked with Pegasus spyware. The target, a lawyer, had been spied on by the Spanish government in 2020 because he represented a Catalan politician who was in prison. His phone was infected with Pegasus during the COVID-19 lockdown, on the same day he was having an online meeting with other lawyers working on the case. Irídia and the lawyer (Andreu) decided to take the case to court. A few years later, he met with Data Rights and invited them to join forces and bring in partners from across Europe to increase the impact. This collaboration led to the creation of the PEGA coalition in May 2025. This talk goes over the status of the case and the work we have done across Europe to bring spyware use to court. Despite the European Parliament's PEGA investigation in 2023, spyware scandals in Europe continue to grow, with little real action to stop or address them. Many EU countries were — or still are — clients of the world's major spyware companies. As a result, nothing changes except the number of victims targeted by these technologies. Worse, having offices or clients in the EU is useful for spyware companies' sales pitches. So the EU is a growing hub for this ominous ecosystem! With no real political will to act, members of the PEGA investigation say the only hope for change is to take these cases to court — and that's exactly the path we've chosen! Irídia's case is one of the flagship cases in the EU, both for its depth and for what it has achieved so far. We will review the current status and implications of the case, examining issues that range from state responsibility to the role of the spyware company behind Pegasus — in its creation, sale, and export — which maintains a strong presence within the EU. After that, we will take a step back to look at what is happening across Europe.
We will highlight the most significant cases currently moving forward, as well as some of the PEGA coalition's strategies for driving accountability, strengthening safeguards, and ensuring remedies. The coalition's mission goes beyond legal action: it aims to prevent the devastating impact of spyware and push for systemic change. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/suing-spyware-in-europe-news-from-the-front

Dec 28, 2025 (56 min)

Digitale Inklusion: Wie wir digitale Barrierefreiheit für alle erreichen können (39c3)

Could you say right now what you did online today? For many, the internet is so taken for granted that they hardly notice when they use it. Yet many people are involuntarily excluded from the digital world. How could the internet become usable for everyone? For many people, being online is a matter of course. Yet many people with impairments are still excluded online. Since June 2025, the Barrierefreiheitsstärkungsgesetz (Accessibility Strengthening Act) has made digital accessibility mandatory for companies. Digital accessibility has thus gone from an option to a right. Despite the legal requirements, digital accessibility in practice often fails because those responsible lack expertise. We want to look at accessibility in the digital world from three perspectives: Lena Müller is a developer responsible for the accessible design of content. Kathrin Klapper is a doctoral student who, in everyday life, speaks using a speech computer with eye control. And Jakob Sponholz's research addresses the question of how digital media can contribute to inclusion. We first want to give an insight into the mechanisms that prevent digital inclusion, both theoretically and practically. Then we want to use simple examples to show that getting started with designing accessible content is really not so hard, and that it pays to simply begin. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/digitale-inklusion-wie-wir-digitale-barrierefreiheit-fur-alle-erreichen-konnen

Dec 28, 2025 (59 min)

Hatupangwingwi (39c3)

The session title is fashioned after the Kenyan movement-building rhetoric "Hatupangwingwi", Kenyan slang meant as a call to action to counter anti-movement-building techniques by the political class and to resist infiltration and corruption. This is true for the organisation and movement building towards inclusive identity regimes in Kenya. The session seeks to explore the lessons from Kenya's journey to digitalization of public services and the uptake of Digital Public Infrastructure. It digs deeper into the power of us and how civil society could stop a destructive, surveillance-driven digitalisation, thus protecting millions of Kenyans. In 2019, the Kenyan government announced the transition to a centralised database named National Integrated Identity Management System (Huduma Namba) in a bid to develop a digital identity system that went on to be termed a "single source of truth". Historically, Kenya has not had the best track record with civil registration and identity systems. This is particularly due to the linkages with colonial practices, with the first ID, the "Kipande", being used as a tool for surveillance of natives and imposed to restrict movement. This system carried on post-independence, creating different classes of citizens in terms of access to nationality documents. It is for this reason that CSOs, mostly community-based, chose a three-pronged approach to counter this: seeking legal redress, grassroots/community mobilization and advocacy, and spotlighting the ways in which, in a shrinking civil society space, Kenyan civil society was able not only to take up space but to make its impact felt in protecting the rights of those on the margins. The session shares lessons on how we shaped the media narrative that took down a multi-million-dollar project that was not people-centered but rather oppression-driven. This session shares experiences of how we created a heightened sense of citizen awareness to shoot down oppressive digitalisation agendas.
The aim is to show how these efforts led to over 10 million Kenyans refusing to enroll in the system, especially young people (Gen Z) who felt they were being coerced into joining a system due to the poor messaging by the government; they connected with the NGO campaign and chose to resist the system in the true spirit of Hatupangwingwi, with hashtags like [#DOIDRIGHT](https://events.ccc.de/congress/2025/hub/tag/DOIDRIGHT) and [#DEPORTME](https://events.ccc.de/congress/2025/hub/tag/DEPORTME) trending on social media as a sign of resistance. This led to the collapse of the whole project. Finally, the session will share how in 2022, when the new government wanted to roll out the new DPI project known as Maisha Namba, they realised the importance of including civil society voices and convened over 50 NGOs to try to build buy-in for the new digital ID program. It was the first time the government and NGOs were at the same table discussing how to build an inclusive digital ID system. This is the story of how the power of us led to civil society earning its space in the design phase of the new Digital Public Infrastructure. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/hatupangwingwi-the-story-how-kenyans-fought-back-against-intrusive-digital-identity-systems

Dec 28, 2025 (55 min)

Lightning Talks - Tag 2 (39c3)

Lightning Talks - Tag 2

- **Lightning Talks Introduction**
- **Chaos auf der Schiene: Die Wahrheit hinter den Verspätungen** — *poschi*
- **EventFahrplan - The 39C3 Fahrplan App for Android** — *tbsprs*
- **Quantum computing myths and reality** — *Moonlit*
- **Return to attacker.com** — *Safi*
- **Teilchendetektor im Keller? Ich habs gemacht. Die Theorie und der Bau einer Funkenkammer** — *Rosa*
- **What's the most secure phone?** — *jiska*
- **reverse engineering a cinema camera's peripheral port** — *3nt3*
- **Youth Hacking 4 Freedom: the European Free Software competition for teenagers** — *Ana Galan*
- **From word clouds to Word Rain: A new text visualisation technique** — *Maria Skeppstedt*
- **Spaß mit Brettspielen** — *Marco Bakera*
- **Creative Commons Radio - I really didn't want to become a copyright activist!** — *Martin*
- **lernOS für Dich - Selbstmanagement & persönliches Wissensmanagement leicht gemacht** — *Simon Dückert*
- **Was man in Bluetooth Advertisements so alles findet** — *Paul*
- **The Sorbus Computer** — *SvOlli*
- **AI doesn't have to slop - Introducing an open source alternative to big-tech AI agents** — *Kitty*
- **Interoperability and the Digital Markets Act: collecting experiences from the community** — *Dario Presutti*
- **Leveraging Security Twin for on-demand resilience assessment against high-impact attacks** — *Manuel Poisson*
- **A seatbelt for innerHTML** — *Frederik Braun*
- **Toxicframe - Ghost in the Switch: Vier Jahre Schweigen in der Netgate SG-2100** — *Wim Bonis*
- **KI³Rat = Mensch x Daten x Dialog** — *ceryo / Jo Tiffe*
- **iPod Nano Reverse Engineering** — *hug0*
- **Interfaces For Society - Wenn Demokratie Auf Protokollen Läuft** — *Pauline Dimmek*
- **Security problems with electronic invoices** — *Hanno Böck*

Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/lightning-talks-tag-2

Dec 28, 2025, 1h 59m

Unnecessarily Complicated Kitchen – Die Wissenschaft des guten Geschmacks (39c3)

In our "Unnecessarily Complicated Kitchen" we hack the laws of cooking. I show live how heat, chemistry and chaos interact when molecules dance, dispersions emulsify and taste becomes science. Between pan and physics we discover why cooking is essentially applied debugging, and how to season the laws of nature so that they taste good. Welcome to the "Unnecessarily Complicated Kitchen", a kitchen where natural science, technology and culinary chaos meet. We dissect cooking from a hacker's perspective: why heat transfer cools your Tschunk, why emulsions work like BGP, and how the art of seasoning can be explained in data points. In this talk we combine scientific experiments with culinary practice. We heat, stir, measure and analyse, live on stage. In doing so we translate physics and chemistry into taste, texture and aha moments. Cooking thus becomes a lab experiment, a hack, a reverse engineering of good taste. I show that behind every successful marinade there is a protocol and behind every sauce an algorithm, and that in the kitchen too, trial and error, open source and a pinch of chaos lead to astonishing results. In the end there is not only insight but also enjoyment: those who understand why something tastes good can break the rules, and season them better along the way. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/unnecessarily-complicated-kitchen-die-wissenschaft-des-guten-geschmacks

Dec 27, 2025, 1h 15m

AI-generated content in Wikipedia - a tale of caution (39c3)

I successfully failed with a literature related project and accidentally built a ChatGPT detector. Then I spoke to the people who uploaded ChatGPT generated content on Wikipedia. It began as a standard maintenance project: I wanted to write a tool to find and fix broken ISBN references in Wikipedia. Using the built-in checksum, this seemed like a straightforward technical task. I expected to find mostly typos. But I also found texts generated by LLMs. These models are effective at creating plausible-sounding content, but (for now) they often fail to generate correct checksums for identifiers like ISBNs. This vulnerability turned my tool into an unintentional detector for this type of content. This talk is the story of that investigation. I'll show how the tool works and how it identifies this anti-knowledge. But the tech is only half the story. The other half is human. I contacted the editors who had added this undeclared AI content. I will talk about why they did it and how the Wikipedians reacted and whether "The End is Nigh" calls might be warranted. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/ai-generated-content-in-wikipedia-a-tale-of-caution

Dec 27, 2025, 37 min

From Silicon to Darude Sand-storm: breaking famous synthesizer DSPs (39c3)

Have you ever wondered how the chips and algorithms that made all those electronic music hits work? Us too! At The Usual Suspects we create open source emulations of famous music hardware, synthesizers and effect units. After releasing some emulations of devices around the Motorola 563xx DSP chip, we made further steps into reverse engineering custom silicon chips to achieve what no one has done before: a real low-level emulation of the JP-8000. This famous synthesizer featured a special "SuperSaw" oscillator algorithm, which defined an entire generation of electronic and trance music. The main obstacle was emulating the 4 custom DSP chips the device used, which ran software written with a completely undocumented instruction set. In this talk I will go through the story of how we overcame that obstacle, using a mixture of automated silicon reverse engineering, probing the chip with an Arduino, statistical analysis of the opcodes and fuzzing. Finally, I will talk about how we made the emulator run in real-time using JIT, and what we found by looking at the SuperSaw code. This talk is a sequel to my last year's talk "Proprietary silicon ICs and dubious marketing claims? Let's fight those with a microscope!", where I showed how I reverse engineered a pretty old device (1986) by looking at microscope silicon pics alone, with manual tracing and some custom tools. Back then I claimed that taking a look at a more modern device would be way more challenging, due to the increased complexity. This time, in fact, I've reverse engineered a much more modern chip: the custom Roland/Toshiba TC170C140 ESP chip (1995). Completing this task required a different approach, as doing it manually would have required too much time. We used a guided automated approach that combines clever microscopy with computer vision to automatically classify standard cells in the chip, saving us most of the manual work. 
The biggest win though came from directly probing the chip: by exploiting test routines and sending random data to the chip we figured out how the internal registers worked, slowly giving us insights into the encoding of the chip's ISA. By combining those two approaches we managed to create a bit-accurate emulator that is also able to run in real-time using JIT. In this talk I want to cover the following topics:
- What I learned since my previous talk by looking at more complicated chips
- Towards automating the silicon reverse engineering process
- How to find and exploit test modes to understand how stuff works
- How we tricked the chips into spilling their own secrets
- How the ESP chip works, compared to existing DSP chips
- How the SuperSaw oscillator turned out to work
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/from-silicon-to-darude-sand-storm-breaking-famous-synthesizer-dsps

Dec 27, 2025, 39 min

Building a NOC from scratch (39c3)

Learn from our mistakes during the first iteration of Network Operations for Europe's largest furry convention, Eurofurence. This year a small team of Chaos people, furries and Chaos furries founded a new network OC to equip Eurofurence with good premium 👌 internet. We talk about our experiences and the social as well as technical challenges. By the time of the 29th Eurofurence (i.e. this year), the event had reached a size at which typical event venues could no longer easily meet our special requirements. For example, an elaborate audio/video production is part of Eurofurence, which needs an IP network with high bandwidth, low latency, low jitter, multicast transport and precise time synchronisation. That is why the _Onsite Eurofurence Network Operation Center_ _(EFNOC)_ was founded this year. Our task was to competently fulfil all the requirements of the other teams, and in this talk we want to share some behind-the-scenes stories about it. Roughly speaking, during EF29 we established the team and built a network that was used for A/V production, event coordination and event management (e.g. security, ticketing). Our personal goal was also to create a usable WLAN network for all attendees across the entire event venue, from Hall H to the forecourt. For this, our architecture consisted of a simple Layer 2 network with VLAN segmentation, provided by _Arista DCS-7050TX-72Q_ switches with 40 Gbit/s optics. The Aristas also propagated a PTP signal that was driven by a Meinberg master clock. In addition, a Linux server served as hypervisor for various network services such as DNS, DHCP, monitoring and routing. At least that was the plan, because during the event we were confronted with reality and many "fun" problems. 
Our talk will deal with these technical problems, among other things, but will not focus solely on the technical side. Instead, we will also shed light on how we as a team dealt with them, both among ourselves and in communication with other teams. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/building-a-noc-from-scratch

Dec 27, 2025, 34 min

The Eyes of Photon Science: Imaging, Simulation and the Quest to Make the Invisible Visible (39c3)

Science advances by extending our senses beyond the limits of human perception, pushing the boundaries of what we can observe. In photon science, imaging detectors serve as the eyes of science, translating invisible processes into measurable and analysable data. Behind every image lies a deep understanding of how detectors see, respond and perform. At facilities like the European XFEL, the world's most powerful X-ray free-electron laser located in the Hamburg metropolitan area, imaging detectors capture ultrashort X-ray flashes at MHz frame rates and with high dynamic range. Without these advanced detectors, even the brightest X-ray laser beam would remain invisible. They help to reveal what would otherwise stay hidden, such as the structure of biomolecules, the behaviour of novel materials, and matter under extreme conditions. But how do we know they will perform as expected? And how do we design systems capable of “seeing” the invisible? I will take a closer look at how imaging technology in large-scale facilities is simulated and designed to make the invisible visible. From predicting detector performance to evaluating image quality, we look at how performance simulation helps scientists and engineers understand the “eyes” of modern science. X-ray imaging detectors have come a long way in the last 15 years, turning ideas that once seemed impossible into realities. Imaging detectors in photon science are more than just high-speed cameras. They are complex systems operating at the limits of what’s physically measurable. Understanding how they behave before, during, and after experiments is essential to advancing both the technology and the science it enables. In this talk, I’ll take you inside the world of detector simulation and performance modelling. 
I’ll explore how tools like Monte Carlo simulations, sensor response models, and system-level performance evaluations are used to:
- Predict detector behaviour in extreme conditions (such as MHz X-ray bursts), and
- identify critical performance bottlenecks before production.
By linking imaging technology with simulation and modelling, we can better interpret experimental data and design the next generation of scientific cameras. Beyond the technical aspects, this talk reflects on the broader theme of how we “see” through technology, what it means to make the invisible visible, and how simulation changes not only how we build instruments, but also how we understand them. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/the-eyes-of-photon-science-imaging-simulation-and-the-quest-to-make-the-invisible-visible

Dec 27, 2025, 39 min

Coding Dissent: Art, Technology, and Tactical Media (39c3)

This presentation examines artistic practices that engage with sociotechnical systems through tactical interventions. The talk proposes art as a form of infrastructural critique and counter-technology. It also introduces a forthcoming HackLab designed to foster collaborative development of open-source tools addressing digital authoritarianism, surveillance capitalism, propaganda infrastructures, and ideological warfare. In this talk, media artist and curator Helena Nikonole presents her work at the intersection of art, activism, and tactical technology — including interventions into surveillance systems, wearable mesh networks for off-grid communication, and AI-generated propaganda sabotage. Featuring projects like Antiwar AI, the 868labs initiative, and the curatorial project Digital Resistance, the talk explores how art can do more than just comment on sociotechnical systems — it can interfere, infiltrate, and subvert them. This is about prototypes as politics, networked interventions as civil disobedience, and media hacks as tools of strategic refusal. The talk asks: what happens when art stops decorating crisis and starts debugging it? The talk will also introduce an upcoming HackLab initiative — a collaboration-in-progress that brings together artists, hackers, and activists to develop open-source tools for disruption, resilience, and collective agency — and invites potential collaborators to get involved. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/coding-dissent-art-technology-and-tactical-media

Dec 27, 2025, 38 min

Breaking architecture barriers: Running x86 games and apps on ARM (39c3)

Presenting FEX, a translation layer to run x86 apps and games on ARM devices: Learn why x86 is such a pain to emulate, what tricks and techniques make your games fly with minimal translation overhead, and how we are seamless enough that you'll forget what CPU you're using in the first place! ARM-powered hardware in laptops promises longer battery life at the same compute performance as before, but a translation layer like FEX is needed to run existing x86 software. We'll look at the technical challenges involved in making this possible: designing a high-performance binary recompiler, translating Linux system calls across architectures, and forwarding library calls to their ARM counterparts. Gaming in particular poses extreme demands on FEX and raises further questions: How do we enable GPU acceleration in an emulated environment? How can we integrate Wine to run Windows games on Linux ARM? Why is Steam itself the ultimate boss battle for x86 emulation? And why in the world do we care more about page sizes than German standardization institutes? This talk will be accessible to a technical audience and gaming enthusiasts alike. However, be prepared to learn cursed knowledge you won't be able to forget! Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/breaking-architecture-barriers-running-x86-games-and-apps-on-arm

Dec 27, 2025, 38 min

Bluetooth Headphone Jacking: A Key to Your Phone (39c3)

Bluetooth headphones and earbuds are everywhere, and we were wondering what attackers could abuse them for. Sure, they can probably do things like finding out what the person is currently listening to. But what else? During our research we discovered three vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in popular Bluetooth audio chips developed by Airoha. These chips are used by many popular device manufacturers in numerous Bluetooth headphones and earbuds. The identified vulnerabilities may allow a complete device compromise. We demonstrate the immediate impact using a pair of current-generation headphones. We also demonstrate how a compromised Bluetooth peripheral can be abused to attack paired devices, like smartphones, due to their trust relationship with the peripheral. This presentation will give an overview of the vulnerabilities and a demonstration and discussion of their impact. We also generalize these findings and discuss the impact of compromised Bluetooth peripherals in general. At the end, we briefly discuss the difficulties in the disclosure and patching process. Along with the talk, we will release tooling for users to check whether their devices are affected and for other researchers to continue looking into Airoha-based devices. Examples of affected vendors and devices are Sony (e.g., WH1000-XM5, WH1000-XM6, WF-1000XM5), Marshall (e.g., Major V, Minor IV), Beyerdynamic (e.g., AMIRON 300), or Jabra (e.g., Elite 8 Active). Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK). 
During our Bluetooth Auracast research we stumbled upon a pair of these headphones. While obtaining the firmware for further research, we initially discovered the powerful custom Bluetooth protocol called *RACE*. The protocol provides functionality to take full control of headphones. Data can be written to and read from the device's flash and RAM. The goal of this presentation is twofold. Firstly, we want to inform about the vulnerabilities. It is important that headphone users are aware of the issues. In our opinion, some of the device manufacturers have done a bad job of informing their users about the potential threats and the available security updates. We also want to provide the technical details to understand the issues and enable other researchers to continue working with the platform. With the protocol it is possible to read and write firmware. This opens up the possibility to patch and potentially customize the firmware. Secondly, we want to discuss the general implications of compromising Bluetooth peripherals. As smartphones are becoming increasingly secure, the focus of attackers might shift to other devices in the environment of the smartphone. For example, when the Bluetooth Link Key, which authenticates a Bluetooth connection between the smartphone and the peripheral, is stolen, an attacker might be able to impersonate the peripheral and gain its capabilities. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/bluetooth-headphone-jacking-a-key-to-your-phone

Dec 27, 2025, 59 min

DNGerousLINK (39c3)

The spyware attack targeting WhatsApp, disclosed in August as an in-the-wild exploit, garnered significant attention. By simply knowing a victim's phone number, an attacker could launch a remote, zero-interaction attack against the WhatsApp application on Apple devices, including iPhones, iPads, and Macs. Subsequent reports indicated that WhatsApp on Samsung devices was also targeted by similar exploits. In this presentation, we will share our in-depth analysis of this attack, deconstructing the 0-click exploit chain built upon two core vulnerabilities: CVE-2025-55177 and CVE-2025-43300. We will demonstrate how attackers chained these vulnerabilities to remotely compromise WhatsApp and the underlying iOS system without any user interaction or awareness. Following our analysis, we successfully reproduced the exploit chain and constructed an effective PoC capable of simultaneously crashing the target application on iPhones, iPads, and Macs. Finally, we will present our analysis of related vulnerabilities affecting Samsung devices (such as CVE-2025-21043) and share how this investigation led us to discover additional, previously unknown 0-day vulnerabilities. In August 2025, it attracted significant attention when Apple patched CVE-2025-43300, a vulnerability reportedly exploited in-the-wild to execute an "extremely sophisticated attack against specific targeted individuals”. A week later, WhatsApp issued a security advisory, revealing the fix for a critical vulnerability, CVE-2025-55177, which was also exploited in-the-wild. Strong evidence indicated that these two vulnerabilities were chained together, enabling attackers to deliver a malicious exploit via WhatsApp to steal data from a user's Apple device, all without any user interaction. To deconstruct this critical and stealthy in-the-wild 0-click exploit chain, we will detail our findings in several parts:
1. WhatsApp 0-Click Attack Vector (CVE-2025-55177). We will describe the 0-click attack surface we identified within WhatsApp. We will detail the flaws in WhatsApp's message handling logic for "linked devices," which stemmed from insufficient validation, and demonstrate how an attacker could craft malicious protocol messages to trigger the vulnerable code path.
2. iOS Image Parsing Vulnerability (CVE-2025-43300). The initial exploit allows an attacker to force the target's WhatsApp to load arbitrary web content. We will then explain how the attacker leverages this by embedding a malicious DNG image within a webpage to trigger a vulnerability in the iOS image parsing library. We will analyze how the RawCamera framework handles the parsing of DNG images, and pinpoint the resulting OOB vulnerability.
3. Rebuilding the Chain: From Vulnerability to PoC. We will then walk through our process of chaining these two vulnerabilities, constructing a functional Proof-of-Concept (PoC) that can simultaneously crash the WhatsApp application on target iPhones, iPads, and Macs.
4. Beyond Apple: The Samsung Connection (CVE-2025-21043). Samsung's September security bulletin patched CVE-2025-21043, an out-of-bounds write vulnerability in an image parsing library reported by the Meta and WhatsApp security teams. This vulnerability was also confirmed to be exploited in-the-wild. While an official WhatsApp exploit chain for Samsung devices has not been publicly detailed, we will disclose our findings on this related attack.
Finally, we will share some unexpected findings from our investigation, including the discovery of several additional, previously undisclosed 0-day vulnerabilities. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/dngerouslink-a-deep-dive-into-whatsapp-0-click-exploits-on-ios-and-samsung-devices

Dec 27, 2025, 52 min

Hacking washing machines (39c3)

Almost everyone has a household appliance at home, whether it's a washing machine, dishwasher, or dryer. Despite their ubiquity, little is publicly documented about how these devices actually work or how their internal components communicate. This talk takes a closer look at proprietary bus systems, hidden diagnostic interfaces, and approaches to cloud-less integration of appliances from two well-known manufacturers into modern home automation systems. Modern home appliances may seem simple from the outside, but inside they contain complex electronic systems, proprietary communication protocols, and diagnostic interfaces rarely documented outside the manufacturer. In this talk, we'll explore the challenges of reverse-engineering these systems: from analyzing appliance control boards and internal communication buses to decompiling and modifying firmware to better understand device functionality. We'll also look at the security mechanisms designed to protect diagnostic access and firmware readout, and how these protections can be bypassed to enable deeper insight into device operation. Finally, this talk will demonstrate how the results of this research can be used to integrate even legacy home appliances into popular home automation platforms. This session combines examples and insights from the reverse-engineering of B/S/H/ and Miele household appliances. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/hacking-washing-machines

Dec 27, 2025, 56 min

Throwing your rights under the Omnibus (39c3)

A spectre is haunting Europe—the spectre of bureaucracy. All the Powers of old Europe have entered into an unholy alliance to exorcise this spectre: The EU Commission, Member States, industry, even J.D. Vance. This threatens the digital rights and rules built up in the last decade. The new EU Commission has an agenda. What started with the report of former European Central Bank chief Mario Draghi on Europe's "competitiveness" has quickly turned into "getting rid of bureaucracy", then into "simplification", and finally open "deregulation". What this means is that a large number of European laws that were adopted in the last decade to ensure sustainability, protect human rights along the whole supply chain, or to ensure our digital rights, are watered down, and core elements are scrapped. In terms of the EU's digital rulebook, it has already started in May with the deletion of a core compliance element in the General Data Protection Regulation (GDPR) - the obligation to keep records of your processing activities. While it sounds harmless - all the other rights and obligations still apply - it means that companies have no clue anymore what personal data they process, for which purposes, and how. A much larger revision has been proposed on 19th November 2025, with the "omnibus" legislation dubbed "Digital Simplification Package". This will affect rules on data protection, data governance, AI, obligations to report cybersecurity incidents, and protections against cookies and other tracking technologies. Furthermore, the EU's net neutrality rules are scheduled to be opened for reform in December by the so-called Digital Networks Act. In this talk we discuss what to expect from the new EU agenda, who is driving it and how to resist. Our goal is to leave you better informed and equipped to fight back against this deregulatory trend. This talk may contain hope. 
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/throwing-your-rights-under-the-omnibus-how-the-eu-s-reform-agenda-threatens-to-erase-a-decade-of-digital-rights

Dec 27, 2025, 1h 0m

Doomsday-Porn, Schäferhunde und die „niedliche Abschiebung“ von nebenan (39c3)

The incumbent US president posts a video in which he pelts demonstrators with faeces from a fighter jet, and the White House celebrates "Star Wars Day" with a pompous picture of Trump holding a lightsaber. Accounts of AfD sympathisers post AI kitsch of a supposedly idyllic world full of blond children and women in dirndls. Is this merely a lapse in taste, or is there more behind it? AI-generated content has become an indispensable part of the communication strategy of authoritarian actors. Social media is currently being flooded with right-wing AI slop in which, alternately, the world stands on the brink of the abyss thanks to migration, or blond, white families cheerfully wave flags. In the political orbit of the extreme right, more or less obvious deepfakes that serve the respective political message are also being shared more and more frequently. This ranges from AI-generated street surveys and clips from talk shows that never took place to entirely AI-generated female influencers (blond, of course). What does this do to political debates? And how should we as a society deal with it? Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/radikalisierungspipeline-esoterik-von-eso-nazis-de

Dec 27, 2025, 1h 0m

Not To Be Trusted - A Fiasco in Android TEEs (39c3)

Trusted Execution Environments (TEEs) based on ARM TrustZone form the backbone of modern Android devices' security architecture. The word "Trusted" in this context means that **you**, as in "the owner of the device", don't get to execute code in this execution environment. Even when you unlock the bootloader and Magisk-root your device, only vendor-signed code will be accepted by the TEE. This unfortunate setup limits third-party security research to the observation of input/output behavior and static manual reverse engineering of TEE components. In this talk, we take you with us on our journey to regain power over the highest privilege level on Xiaomi devices. Specifically, we are targeting the Xiaomi Redmi 11s and will walk through the steps necessary to escalate our privileges from a rooted user space (N-EL0) to the highest privilege level in the Secure World (S-EL3). We will revisit old friends like Trusted Application rollback attacks and GlobalPlatform's design flaw, and introduce novel findings like the literal fiasco you can achieve when you're introducing micro kernels without knowing what you're doing. In detail, we will elaborate on the precise exploitation steps taken and mitigations overcome at each stage of our exploit chain, and finally demo our exploits on stage. Regaining full control over our devices is the first step to deeply understand popular TEE-protected use cases including, but not limited to, mobile payment, mobile DRM solutions, and the mechanisms protecting your biometric authentication data. We present novel insights into the current state of TEE security on Android focusing on two widespread issues: missing TA rollback protection and a type confusion bug arising from the GlobalPlatform TEE Internal Core API specification. Our results demonstrate that these issues are so widespread that on most devices, attackers with code execution at N-EL1 (kernel) have a buffet of n-days to choose from to achieve code execution at S-EL0 (TA). 
Further, we demonstrate how these issues can be weaponized to fully compromise an Android device. We discuss how we exploit CVE-2023-32835, a type confusion bug in the keyinstall TA, on a fully updated Xiaomi Redmi Note 11. While the keyinstall TA shipped in the newest firmware version is not vulnerable anymore, the vulnerability remains triggerable due to missing rollback protections. To further demonstrate how powerful code execution as a TA is, we'll exploit a vulnerability in the BeanPod TEE (used on Xiaomi Mediatek SoCs), to achieve code execution at S-EL3. Full privilege escalations in the TEE are rarely seen on stage, and we are targeting the BeanPod TEE which is based on the Fiasco micro kernel. This target has never been publicly exploited, to the best of our knowledge. Our work empowers security researchers by demonstrating how to regain control over vendor-locked TEEs, enabling deeper analysis of critical security mechanisms like mobile payments, DRM, and biometric authentication. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/not-to-be-trusted-a-fiasco-in-android-tees

Dec 27, 2025, 49 min

Excuse me, what precise time is It? (39c3)

With PTP 1588, AES67, and SMPTE 2110, we can transmit synchronous audio and video with sub-millisecond latency over the asynchronous medium Ethernet. But how do you make hundreds of devices agree on the exact same nanosecond on a medium that was never meant to care about time? Precision Time Protocol (IEEE 1588) tries to do just that. It's the invisible backbone of realtime media standards like AES67 and SMPTE 2110, proprietary technologies such as Dante, and even critical systems powering high-frequency trading, cellular networks, and electric grids, where even a few microseconds of drift can turn perfect sync into complete chaos. This talk takes a deep dive into the mysterious world of precise time distribution in large networks. We’ll start by exploring how PTP 1588 actually works, from announce, sync, and follow-up messages to delay measurements and the magic of hardware timestamping. We’ll look at why PTP is critical for modern audio/video-over-IP standards like AES67 and SMPTE 2110, and how they push Ethernet to its absolute temporal limits. Along the way, we’ll discover how transparent and boundary clocks fight jitter, and why your switch’s buffer might secretly hate you. We will do live Wireshark dissections of real PTP traffic, demos showing what happens when timing breaks, and some hands-on hardware experiments with grandmasters and followers trying to stay in sync. Expect packets, graphs, oscilloscopes, crashing live demos and at least one bad joke about time travel. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/excuse-me-what-precise-time-is-it

Dec 27, 2025 · 56 min

Chatkontrolle (39c3)

For four years now, the EU has been threatening us with chat control (Chatkontrolle). In Germany the topic is more current than ever after the protests in October, and even Jens Spahn and Rainer Wendt are suddenly against this form of surveillance. In this talk we look back and explain what has happened, above all behind the scenes. We take a close look at the position of the German federal government and at the steps that lie ahead at the EU level. Chat control reads more like a tragic comedy than a legislative procedure. After the dramaturgical review at 37C3, it is now time to take a look at the rebels' side. Markus Reuter and khaleesi have closely followed the legislative process around chat control from the very beginning, he from the journalistic and she from the policy perspective. After the first years of great commotion and Hollywood stars, things have quieted down somewhat since the EU elections. But the danger is not off the table: the EU Parliament's position is against chat control, but how secure that position really is remains unclear. At the moment everything hinges on the Council: there have been very positive proposals (Polish Council presidency) and negative ones (Danish Council presidency), but the member states cannot agree, and a majority wants chat control yet cannot push it through. In Germany, too, chat control has made the big leap into the public eye, and its opponents have won a partial victory. What this success has to do with the work of the past four years, and why nothing is settled in Germany either, is what we tell in this talk. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/episode-ii-der-rat-schlagt-zuruck

Dec 27, 2025 · 55 min

BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets (39c3)

This talk reveals our in-depth vulnerability research on the Windows Recovery Environment (WinRE) and its implications for BitLocker, Windows’ cornerstone for data protection. We will walk through the research methodology, uncover new 0-day vulnerabilities, and showcase full-chain exploitations that enabled us to bypass BitLocker and extract all the protected data in several different ways. This talk goes beyond theory - as each vulnerability will be accompanied by a demo video showcasing the complete exploitation chain. To conclude the talk, we will share Microsoft’s key takeaways from this research and outline our approach to hardening WinRE and BitLocker. In Windows, the cornerstone of data protection is BitLocker, a Full Volume Encryption technology designed to secure sensitive data on disk. This ensures that even if an adversary gains physical access to the device, the data remains secure and inaccessible. One of the most critical aspects of any data protection feature is its ability to support recovery operations in case of failure. To enable BitLocker recovery, significant design changes were implemented in the Windows Recovery Environment (WinRE). This led us to a pivotal question: did these changes introduce any new attack surfaces impacting BitLocker? In this talk, we will share our journey of researching a fascinating and mysterious component: WinRE. Our exploration begins with an overview of the WinRE architecture, followed by a retrospective analysis of the attack surfaces exposed with the introduction of BitLocker. We will then discuss our methodology for effectively researching and exploiting these exposed attack surfaces. Our presentation will reveal how we identified multiple 0-day vulnerabilities and developed fully functional exploits, enabling us to bypass BitLocker and extract all protected data in several different ways. 
Notably, the findings described reside entirely in the software stack, not requiring intrusive hardware attacks to be exploited. Finally, we will share the insights Microsoft gained from this research and explain our approach to hardening and further securing WinRE, which in turn strengthens BitLocker. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/bitunlocker-leveraging-windows-recovery-to-extract-bitlocker-secrets

Dec 27, 2025 · 59 min

Landtagsrevue Live - AUA (Ask us Anything) (39c3)

Live special edition of the Landtagsrevue, the state-politics offshoot of the Parlamentsrevue. We look back on the first year of the Landtagsrevue and answer your questions about the parliaments: how does all of this actually work? Where can we as civil society best exert influence? Who are all these people?? Feel free to send us your questions in advance to [email protected], so that we can also bring along answers from the federal states that are not present live. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/landtagsrevue-live

Dec 27, 2025 · 1h 31m

1965 + 60 Years of Algorithmic Art with Computers (39c3)

What power structures are inherent to the field of computer-generated art? In the year 1965, so 60 years ago, the first three exhibitions of art created with the help of computers took place, in part independently of each other. We want to present the interesting aspects of developments since then and discuss them with Frieder Nake, one of the people who exhibited in those very beginnings and followed those developments with a critical attitude. We want to look at the complex topic of art created with computers from different angles, beginning with some careful and barely noticed first experiments and emerging into an ever more diverse and creative field. In particular, we want to focus on the dynamics of power and how these developments were influenced by their context, from social movements to political pressure. We want to start by explaining how the initial developments took place, both artistic (concrete art) and technological (the evolution of computers and the creation of the drawing machine Zuse Z64 in Germany, and film techniques in the US). We will do so in the context of the first three exhibitions that all took place in the year 1965. Their artworks were created by Georg Nees in Stuttgart, A. Michael Noll with Béla Julesz in New York, and Frieder Nake with Georg Nees, again in Stuttgart. In the following, we will try to give an outline of further developments. We provide examples of how hierarchies in art and science have developed and played a role in different events. In the domain of computer-generated art, as in other art, there are two large influences hidden from the typical recipient of this art: galleries and critics. We will discuss this using the example of early exhibitions of Frieder Nake as described by the FAZ, and later on how the east-west conflict influenced the art and its exhibitions.
Among other issues, we discuss patriarchal structures, the commercial side of art, how old tech is sold as revolutionary, and how progress is still as connected with threatening feelings as in the early years. Looking back at the beginnings, it is interesting to observe how artists, also those with an artistic rather than technical background, worked with the limitations and overcame them. Fortunately, the technological entry barrier to creating algorithmic art yourself has drastically decreased over time, and we want to encourage you to experiment yourself! Frieder Nake has been creating algorithmic drawings and doing visual research since 1964. In 1971, he published the influential essay "there should be no computer art", and he has been teaching computer graphics at the University of Bremen for decades. Enna Gerhard is pursuing a PhD in theoretical computer science and creates algorithmic drawings alongside. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/1965-60-years-of-algorithmic-art-with-computers

Dec 27, 2025 · 50 min

Life on Hold: What Does True Solidarity Look Like Beyond Duldung, Camps, Deportation, and Payment Cards? (39c3)

Lager, Duldung, Bezahlkarte, Essensscheine – Criminalization, Radicalization, Reality for Many People in East Germany. This talk sheds light on how these terms shape everyday life. We dive into an existence marked by uncertainty, isolation, and psychological strain, both in anonymous big cities and rural areas of East Germany. We ask: What does “solidarity” really mean in this context? In this session, people share everyday experiences with a system that often systematically undermines human rights and dignity. We don’t just talk about the obvious obstacles like the payment card or residency obligation, but also the invisible wounds: the constant fear of deportation, the psychological consequences of isolation, and the daily experience of hostility. We highlight the specific challenges of life in cramped camps on the outskirts of big cities, as well as the social control and visibility in rural communities. However, this talk is not just about naming problems. At its core is the urgent question: What does true solidarity really look like? How can support go beyond symbolic politics and short-term aid offers? This session is an invitation to shift perspectives, listen, and collaboratively develop concrete approaches for a more humane policy and a coexistence based on more solidarity. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/life-on-hold-what-does-true-solidarity-look-like-beyond-duldung-camps-deportation-and-payment-cards

Dec 27, 2025 · 1h 0m

And so it begins - How our rule of law is racing down the highway towards Trumpism – and why Afghan plaintiffs are pulling the emergency brake for us (39c3)

When the government no longer feels bound by its own law, that marks not just a political lane change but the on-ramp to the highway to Trumpism. Time to pull the emergency brake! In such situations it is normally those least able to defend themselves who are hit first. But what happens when exactly these people are armed with legal tools to strike back? Using more than 100 lawsuits by Afghans seeking protection, we show how ministries sabotage the federal admission programme, how courts call them to order, and how civil society becomes the last line of defence of the rule of law. And we reveal why officials at the BAMF might prefer to call in sick, and what other options they have to avoid committing a criminal offence.
• "A promise is a promise and won't be broken": we learn that as children. But kindergarten was a long time ago, and politicians may have the bearing of an elephant, but the memory of a goldfish.
• That is why the federal government almost "forgot" nearly 2,500 Afghans with German admission pledges in Islamabad, who have been waiting there for months for their German visas to be issued.
• The calculation behind it: Pakistan does the dirty work and deports them sooner or later, problem solved! Even if human lives are at stake.
• How can civil society pull the emergency brake when government and administration no longer feel bound by their own law?
• One option: we connect the Afghan families with lawyers so that they can sue Dobrindt and Wadephul, and they win! The court orders are unambiguous: issue the visas immediately, or face penalty payments! More than 100 proceedings are now under way at four administrative courts, with more added every day.
• That can hardly have been what the new federal government meant when it announced in the coalition agreement that it would "end voluntary admission programmes as far as possible". Translation into the political version of reality: if Dobrindt and the Chancellor have their way, no more people seeking protection from Afghanistan should come to Germany at all, legally binding admission pledges or not. Only recognised terrorists from the Taliban government are still allowed to enter, to take over the Afghan embassies and consulates here in Germany.
• Thanks to the lawsuits, 78 people have already been able to enter, around 80 further visas are being processed, and more are being prepared.
• But as in every screenplay: The Empire strikes back! The government keeps developing new methods to render judgements ineffective and to continue blocking entries.
• Welcome to "Trumpism made in Germany". Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/and-so-it-begins-wie-unser-rechtsstaat-auf-den-highway-richtung-trumpismus-rast-und-warum-afghanische-klager-innen-fur-uns-die-notbremse-ziehen

Dec 27, 2025 · 49 min

Die Känguru-Rebellion: Digital Independence Day (39c3)

Marc-Uwe Kling reads new material from the Känguru. Perhaps also something from Elon and Jeff on Mars. And then the Känguru calls for a Digital Independence Day. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/die-kanguru-rebellion-digital-independence-day

Dec 27, 2025 · 56 min

Die Sicherheits_lücke live from 39c3: a day with the GI (39c3)

The **Sicherheits_lücke** (https://sicherheitsluecke.fm) picks up current events and trends in cybersecurity. In the podcast, the topics are treated in depth, and happily also with humour, sarcasm or self-irony, by Volker Skwarek, Monina Schwarz and Ingo Timm. With its **live** format, the podcast can also regularly be found at congresses, discussing interesting talks with selected guests. Together with guests from the Gesellschaft für Informatik, we report on interesting talks and experiences from the first day of 39c3. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/die-sicherheits_lucke-live-vom-39c3-ein-tag-mit-de

Dec 27, 2025 · 42 min

A typically Austrian solution - the Dirndl coalition (39c3)

After the longest coalition negotiations of the Second Republic, the Dirndl coalition is fighting inflation, the budget deficit and right-wing "people's chancellor" fantasies. We give an overview of the political year in Austria. At the start of the year Herbert Kickl still wanted to become people's chancellor; at the end of the year a three-party coalition governs Austria. As usual, this year we again want to tell what has happened in Austrian domestic politics, and humour should not be neglected in the process. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/eine-typisch-sterreichische-lsung-die-dirndlkoalition

Dec 27, 2025 · 45 min

Syncing visuals and stage lights against the beat of live music: an introduction (39c3)

Most clubs and concerts have predefined light and visuals, and often they are generic and not synced to the beat of the music. Today we will show you that it's actually possible to sync visual effects to the beat of live music recorded from the microphone, and it's pretty easy! Aimed at beginners. We will teach people how to set up and use TouchDesigner to perform audio analysis and how to draw basic effects and light shows that respond to the beat of the input audio. If you want to follow along, please come with TouchDesigner preinstalled (the free version is perfectly fine). Recommended on Windows or Mac, but with enough pain it can run under Wine as well. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/syncing-visuals-and-stage-lights-against-the-beat-

Dec 27, 2025 · 30 min

Escaping Containment: A Security Analysis of FreeBSD Jails (39c3)

FreeBSD’s jail mechanism promises strong isolation—but how strong is it really? In this talk, we explore what it takes to escape a compromised FreeBSD jail by auditing the kernel’s attack surface, identifying dozens of vulnerabilities across exposed subsystems, and developing practical proof-of-concept exploits. We’ll share our findings, demo some real escapes, and discuss what they reveal about the challenges of maintaining robust OS isolation. FreeBSD’s jail feature is one of the oldest and most mature OS-level isolation mechanisms in use today, powering hosting environments, container frameworks, and security sandboxes. But as with any large and evolving kernel feature, complexity breeds opportunity. This research asks a simple but critical question: If an attacker compromises root inside a FreeBSD jail, what does it take to break out? To answer that, we conducted a large-scale audit of FreeBSD kernel code paths accessible from within a jail. We systematically examined privileged operations, capabilities, and interfaces that a jailed process can still reach, hunting for memory safety issues, race conditions, and logic flaws. The result: roughly 50 distinct issues uncovered across multiple kernel subsystems, ranging from buffer overflows and information leaks to unbounded allocations and reference counting errors—many of which could crash the system or provide vectors for privilege escalation beyond the jail. We’ve developed proof-of-concept exploits and tools to demonstrate some of these vulnerabilities in action. We’ve responsibly disclosed our findings to the FreeBSD security team and are collaborating with them on fixes. Our goal isn’t to break FreeBSD, but to highlight the systemic difficulty of maintaining strict isolation in a large, mature codebase. This talk will present our methodology, tooling, and selected demos of real jail escapes. 
We’ll close with observations about kernel isolation boundaries, lessons learned for other OS container systems, and a call to action for hardening FreeBSD’s jail subsystem against the next generation of threats. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/escaping-containment-a-security-analysis-of-freebsd-jails

Dec 27, 2025 · 59 min

Och Menno – IT and IT Security Oopsies (39c3)

Welcome to the incompetent podcast, with this special episode on incompetence in IT and IT security. Why is the password "Louvre" bad? How does a cloud transformation go properly wrong? A small show of flops, bad luck and mishaps. And for those who attended last year's talk about submarines, there is also a short excursion into the world of ultra-compressed data, or the servers formerly known as the TITAN tax system. A short tour of the best fails of recent years. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/och-menno-it-und-it-security-uppsis

Dec 27, 2025 · 42 min

Phone Confiscated Until Departure (39c3)

Since the beginning of 2024, immigration authorities have been allowed not only to search the smartphones of people obliged to leave the country, but to keep them outright, "until departure". What comes across as a minor amendment to the Residence Act turns out to be a massive interference with fundamental rights: people lose not only control over their data but also their most important means of communication, for an indefinite period. Here you will hear what absurd consequences this produces. From Bavaria to NRW, federal states have by now procured their own IT forensic tools for their authorities in order to search the devices for "indications" of origin. They use methods that we otherwise know from criminal investigations or intelligence services, to search the devices of people who have committed no crime. In the talk I show what absurd consequences this has for those affected, which federal states top the sad statistics, and how all of this fits into the arsenal of digital and other repression of refugees.
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/handy-weg-bis-zur-ausreise-wie-cellebrite-ins-auslanderamt-kam

Dec 27, 2025 · 1h 1m

Pwn2Roll: Who Needs a 595€ Remote When You Have wheelchair.py? (39c3)

A 595€ wheelchair remote that sends a handful of Bluetooth commands. A 99.99€ app feature that does exactly what the 595€ hardware does. A speed upgrade from 6 to 8.5 km/h locked behind a 99.99€ paywall - because apparently catching the bus is a premium feature. Welcome to the wonderful world of DRM in assistive devices, where already expensive basic mobility costs extra and comes with in-app purchases! And because hackers gonna hack, this just could not be left alone. This talk depicts the reverse engineering of a popular electric wheelchair drive system - the Alber e-motion M25: a several thousand euro assistive device that treats mobility like a SaaS subscription. Through Android app reverse engineering, proprietary Bluetooth protocol analysis, hours of staring at hex dumps (instead of the void), and good old-fashioned packet sniffing, we'll expose how manufacturers artificially limit essential features and monetize basic human mobility. What you'll learn:
- how a 22-character QR code sticker, labeled as "Cyber Security Key", becomes AES encryption
- why your 6000€ wheelchair drive includes an app with Google Play Billing integration for features the hardware already supports
- the internals, possibilities and features of electronics worth 30€ cosplaying as a 595€ medical device
- the technical implementation of the "pay 99.99€ or stay slow" speed limiter (6 km/h vs 8.5 km/h)
- how nearly 2000€ in hardware and app features can be replaced by a few hundred lines of Python
- why the 8000€ even more premium (self-driving) variant is literally identical hardware with a different Boolean flag and firmware plus another (pricier) remote
We'll cover the complete methodology: from initial reconnaissance, sniffing and decrypting packets to reverse-engineer the proprietary communication protocol, to PoCs of Python replacements, tools, techniques, and ethical considerations of reverse engineering medical devices. This is a story about artificial scarcity, exploitative DRM, ethics and industry power, and how hacker-minded creatures should react and act to this. This talk will be simultaneously interpreted into German sign language (Deutsche Gebärdensprache, aka DGS). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/pwn2roll-who-needs-a-599-remote-when-you-have-wheelchair-py

Dec 27, 2025 · 56 min

To sign or not to sign: Practical vulnerabilities in GPG & friends (39c3)

Might contain zerodays. https://gpg.fail/ From secure communications to software updates: PGP implementations such as *GnuPG* are ubiquitously relied on to provide cryptographic assurances. Many applications from secure communications to software updates fundamentally rely on these utilities. Since these have been developed for decades, one might expect mature codebases, a multitude of code audit reports, and extensive continuous testing. When looking into various PGP-related codebases for some personal use cases, we found these expectations not met, and discovered multiple vulnerabilities in cryptographic utilities, namely in *GnuPG*, *Sequoia PGP*, *age*, and *minisign*. The vulnerabilities have implementation bugs at their core, for example in parsing code, rather than bugs in the mathematics of the cryptography itself. A vulnerability in a parser could for example lead to confusion about what data was actually signed, allowing attackers without the private key of the signer to swap the plain text. As we initially did not start with the intent of conducting security research, but rather were looking into understanding some internals of key management and signatures for personal use, we also discuss the process of uncovering these bugs. Furthermore, we touch on the role of the OpenPGP specification, and the disclosure process. Beyond the underlying mathematics of cryptographic algorithms, there is a whole other layer of implementation code, assigning meaning to the processed data. For example, a signature verification operation needs both robust cryptography **and** assurance that the verified data is indeed the same as was passed into the signing operation. To provide the second part, software such as *GnuPG* implements parsing and processing code for a standardized format. Especially when implementing a feature-rich and evolving standard, there is the risk of ambiguous specification, and of classical implementation bugs.
The impact of the vulnerabilities we found reaches from various signature verification bypasses, breaking encryption in transit and encryption at rest, undermining key signatures, to exploitable memory corruption vulnerabilities. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/to-sign-or-not-to-sign-practical-vulnerabilities-i

Dec 27, 2025 · 48 min

Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot (39c3)

In August 2024, Raspberry Pi released their newest MCU: the RP2350. Alongside the chip, they also released the RP2350 Hacking Challenge: a public call to break the secure boot implementation of the RP2350. This challenge concluded in January 2025 and led to five exciting attacks discovered by different individuals. In this talk, we will provide a technical deep dive into the RP2350 security architecture and highlight the different attacks. Afterwards, we talk about two of the breaks in detail, each of them found by one of the speakers. In particular, we first discuss how fault injection can force an unverified vector boot, completely bypassing secure boot. Then, we showcase how double glitches enable direct readout of sensitive secrets stored in the one-time programmable memory of the RP2350. Last, we discuss the mitigation of the attacks implemented in the new revision of the chip and the lessons we learned while solving the RP2350 security challenge. Whether you are a chip designer, manufacturer, hobbyist, tinkerer, or hacker: this talk will provide valuable insights for everyone and showcase why security through transparency is awesome. The RP2350 is one of the first generally available microcontrollers with active security features against fault injection, such as glitch detectors, the redundancy co-processor, and other pieces to make FI attacks more difficult. But security on paper often does not mean security in real life. Luckily for us, Raspberry Pi also ran the RP2350 Hacking Challenge: a public bug bounty that has exactly these attacks in scope. During the hacking challenge, 5 different attacks were found on the secure-boot process, one of which was shown at 38C3 by Aedan Cullen. In this talk, we talk about all successful attacks, including laser fault injection, a reset glitch, and a double glitch during execution of the bootrom, to show all the different ways in which a chip can be attacked.
We also talk about the awesomeness of an open security-ecosystem for chips: Raspberry Pi was very transparent on the findings, and worked with researchers to improve the new revision of the chip. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/of-boot-vectors-and-double-glitches-bypassing-rp2350-s-secure-boot

Dec 27, 2025 · 51 min

c’t uplink: Digital sovereignty – are hackers now responsible for the welfare of the state? (39c3)

Ever since Donald Trump returned to the White House, "digital sovereignty" has been haunting political discussions more than ever. We now have a centre for it (ZenDiS) and a fund that has turned itself into an agency (Sovereign Tech Fund/Agency). But is the buzzword digital sovereignty now the door opener for more open-source software in public authorities, administrations, schools and other public institutions, or will it turn out to be a boomerang? Is Big Tech, which after all invests a great deal in Linux and open source, really the problem? In this special episode of c’t uplink we take a critical look at the term digital sovereignty and discuss which concepts lie behind it. We talk about whether and why it is the community, of all people, that is supposed to pull the cart out of the mud. We also look at why free software in public hands is progressing so slowly and which solutions exist or could exist. Guests (among others):
- Anne Roth, digital policy adviser in the Bundestag
- Bonnie Mehring, Senior Project Manager, Free Software Foundation Europe
- Sven Neuhaus, Tech Lead Open Source Products, Zentrum Digitale Souveränität
Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/c-t-uplink-digitale-souvernitt-sind-hcker-innen-jetzt-frs-staatswohl-verantwortlich

Dec 27, 2025 · 51 min

Chaos all year round (39c3)

Besides the Congress there are many other Chaos events spread across the whole year. Most Chaos creatures probably know the Easterhegg, the GPN and the MRMCD. But what about all the smaller events? In this talk in lightning-talk format you have the opportunity to find out about many more great Chaos events in fast-forward, so to speak. In addition, one or two larger events that are currently in the planning phase and still looking for reinforcements for their team will be presented. If you would like to briefly present your Chaos event on the big stage, please [sign up in the wiki](https://events.ccc.de/congress/2025/hub/de/wiki/event-vorstellungen). Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/chaos-all-year-round

Dec 27, 2025 · 49 min

All my Deutschlandtickets gone: Fraud at an industrial scale (39c3)

The Deutschlandticket was the flagship transport policy of the last government, rolled out on an impressive timescale for a political project; but this speed came at a cost: a system ripe for fraud at an industrial scale. German public transport is famously decentralised, with thousands of individual companies involved in ticketing and operations. Unifying all of these under one national, secure system has proven a challenge too far for politicians. The end result: losses in the hundreds of millions of euros, compensated to the transport companies from state and federal budgets to keep the system afloat, and nobody willing to take responsibility. This talk will cover the political, policy and technical mistakes that led to this mess, how we can learn from these mistakes, and what we can do to ensure the Deutschlandticket has a viable future.

At last year's Congress, Q presented [a deep-dive into the technical details of train ticketing](https://media.ccc.de/v/38c3-what-s-inside-my-train-ticket) and its [Zügli](https://zügli.app) platform for this; since then, things have got rather out of hand. The little side project for looking into the details of train tickets turned into a full-time project for detecting ticketing fraud. This talk gives an executive summary of the madness that has been the past year, and of how we accidentally ended up in national and international politics working to secure the Deutschlandticket.

Shortly after last year's talk, we were contacted about some *interesting*-looking tickets someone had noticed, issued by Vetter GmbH Omnibus- und Mietwagenbetrieb, or so they claimed to be. These were normal Deutschlandtickets, but with a few weird mistakes in them. At first, we thought nothing much of it; mistakes happen. But on further investigation, these turned out not to be legitimate tickets at all, but rather to come from a fraudulent website by the name of d-ticket.su, using the private signing key obtained under suspicious circumstances.

How exactly this key came into the wrong hands remains unclear, but we present the possible explanations for how this could have happened, how many of those responsible have been thoroughly uncooperative in getting to the bottom of this, and how the supporting systems and processes of the Deutschlandticket were unable to cope with this situation.

In parallel, another fraud has been draining the transport companies of their much-needed cash: SEPA Direct Debit fraud. Often, a direct debit payment can be set up online with little more than an IBAN and ticking a box, and most providers of the Deutschlandticket offer an option to pay via direct debit. Fraudsters have noticed this, and mass-purchase Deutschlandtickets with invalid or stolen IBANs before flipping them at a discounted price on Telegram; this is made easier because most transport companies issue a ticket immediately, before the direct debit has been fully processed. The supporting systems of the Deutschlandticket in many cases don't even provide for the revocation of such tickets. We will detail the hallmarks of this fraud, how transport companies can work to prevent it, and how we tracked down the fraudsters by their own careless mistakes. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/all-my-deutschlandtickets-gone-fraud-at-an-industrial-scale
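
The direct-debit pattern described above, as an added example that is not part of the talk or of the Zügli project: an ISO 7064 MOD 97-10 IBAN checksum check, the kind a ticket shop can run before issuing anything, plus a simple pre-issue screen that holds orders whose IBAN fails the checksum or recurs across many orders in one batch. The order records, the reuse threshold and the per-country length table are constructed assumptions for the example. A checksum-valid IBAN can still be a stolen one, so this only removes the cheapest variant of the fraud; the stolen-IBAN case needs the ticket to be withheld or revocable until the debit has actually cleared.

```python
"""IBAN checksum validation and a pre-issue screen for direct-debit orders.

Added illustration, not code from the talk or the Zügli project. The sample
orders, the reuse threshold and the length table are assumptions.
"""
import re
from collections import Counter

# Expected total IBAN lengths for a few SEPA countries (ISO 13616 registry).
# Assumed subset; a real shop would load the full registry.
IBAN_LENGTHS = {"DE": 22, "AT": 20, "NL": 18, "FR": 27, "CH": 21}

_IBAN_CHARS = re.compile(r"[A-Z0-9]+")


def normalise_iban(raw: str) -> str:
    """Strip all whitespace and upper-case; web forms rarely enforce a format."""
    return "".join(raw.split()).upper()


def iban_valid(raw: str) -> bool:
    """ISO 7064 MOD 97-10: move the first four characters to the end, map
    letters to 10..35, and the resulting decimal number must be 1 mod 97."""
    iban = normalise_iban(raw)
    if len(iban) < 5 or not _IBAN_CHARS.fullmatch(iban):
        return False
    country = iban[:2]
    if not country.isalpha():
        return False
    expected = IBAN_LENGTHS.get(country)
    if expected is not None and len(iban) != expected:
        return False
    rearranged = iban[4:] + iban[:4]
    # int(ch, 36) maps '0'..'9' to 0..9 and 'A'..'Z' to 10..35.
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    # Running remainder; avoids building one very large integer.
    remainder = 0
    for d in digits:
        remainder = (remainder * 10 + int(d)) % 97
    return remainder == 1


def screen_orders(orders, reuse_threshold: int = 3) -> dict:
    """Return {order_id: [reasons]} for orders to hold before a ticket is issued.

    Two signals: "invalid_iban" (checksum or length fails, i.e. a made-up IBAN)
    and "iban_reuse" (the same IBAN on reuse_threshold or more orders in the
    batch, the mass-purchase pattern). Orders with no reasons are not listed.
    """
    counts = Counter(normalise_iban(o["iban"]) for o in orders)
    flagged = {}
    for order in orders:
        iban = normalise_iban(order["iban"])
        reasons = []
        if not iban_valid(iban):
            reasons.append("invalid_iban")
        if counts[iban] >= reuse_threshold:
            reasons.append("iban_reuse")
        if reasons:
            flagged[order["id"]] = reasons
    return flagged


# Constructed sample batch (not real customer data). o1 is a well-known
# example IBAN; o2 is o1 with the last digit changed; o3..o5 share one IBAN.
SAMPLE_ORDERS = [
    {"id": "o1", "iban": "DE89 3704 0044 0532 0130 00"},
    {"id": "o2", "iban": "DE89 3704 0044 0532 0130 01"},
    {"id": "o3", "iban": "DE41370400440000000001"},
    {"id": "o4", "iban": "de41 3704 0044 0000 0000 01"},
    {"id": "o5", "iban": "DE41 3704 0044 0000 0000 01"},
]

if __name__ == "__main__":
    for order_id, reasons in screen_orders(SAMPLE_ORDERS).items():
        print(order_id, ",".join(reasons))
```

The checksum catches every single-digit error and every transposition of two adjacent digits, which is why typo-level fakes fail it; it says nothing about whether the account holder consented, so the reuse signal and a hold until the debit has settled are what address the stolen-IBAN case.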

Dec 27, 2025, 1h 0m

"AI", digitalisation and longevity as a fix for a broken healthcare system? („KI“, Digitalisierung und Longevity als Fix für ein kaputtes Gesundheitssystem?) (39c3)

The big challenges in healthcare are to be met with technology and personal responsibility. The hope: "AI" and digitalisation make the system more efficient; self-optimisation and more personal responsibility keep people healthy for longer. The talk analyses current discourses around digitalisation and health and asks critically how this development could exacerbate social inequalities that already exist. In the end, the question remains: what could sustainable solutions for the healthcare system look like?

Everyone agrees on the diagnosis: the healthcare system faces major challenges, ranging from exploding costs and growing barriers to access to the coming demographic shift: many people are getting old and sicker, while at the same time a great many healthcare workers are retiring. So we need solutions for the healthcare system that are sustainable in the long run and allow for human dignity. While very different approaches are being discussed, one narrative keeps reappearing: that digitalisation will fix the existing problems in healthcare through massive efficiency gains. Thanks to "AI", people are supposed to need doctors less often, for example by having symptom checkers and the like pre-filter who really needs treatment and who does not. Some claim that general practitioners could treat many times as many patients in future, if only the right technical aids were found. And we already live in a reality in which chats with LLMs have, in many places, at least replaced Dr. Google. Further approaches aim at more personal responsibility: "longevity" is the buzzword on everyone's lips. An approach to "long life" that is supposed to rest largely on technical measures: self-optimisation via app, "AI" as a personal health assistant and all manner of experimental examinations.

The basic idea: if people stay healthy and live for longer, the healthcare system is burdened less, while people can contribute to society and the economy for longer. The ideological underpinnings and business models of "longevity" come from the USA, from tech billionaires and their immortality fantasies all the way to not very reputable health influencers who, in the end, often do more harm than they contribute to the well-being of their customers, and who nevertheless captivate hundreds of thousands on social media. The talk draws connecting lines between naive faith in technology, current discourses in healthcare, their questionable ideological roots, and the question of how we can really address challenges, and in particular social inequalities, in the field of health effectively. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/ki-digitalisierung-und-longevity-als-fix-fur-ein-kaputtes-gesundheitssystem

Dec 27, 2025, 53 min

Podcast Radiomegahertz – MHz in | kHz out | Ultraschall.fm right in the middle (Podcast Radiomegahertz – MHz rein | kHz raus | Ultraschall.fm mittendrin) (39c3)

This live session involves scanning, sampling and broadcasting: medical ultrasound in the megahertz range meets digital audio processing at 48 kilohertz. Ultraschall.fm serves as the interface between body and codec, from the transducer to the headphones, from waves in human tissue to (radio) waves in the ether. Radiomegahertz demonstrates the open-source podcasting software by producing a live medical ultrasound examination. The session is for all podcast creatures who want to hear the megahertz range and not just see it.

When Neo looks into the Matrix, he sees the world. When looking at an ultrasound image with its typical grey scale, doctors should be able to recognise human anatomy. But the creation and interpretation of the grey-scale image lies in the hands of whoever is doing the scanning. Just like doctors, Neo has to learn to use the technology and interpret the images. Radiomegahertz creates podcasts about ultrasound in medicine and will discuss the possibilities and limits of ultrasound during the live session. To illustrate this, volunteers will be "scanned" (sonographed) live. The goal is to produce a podcast or video podcast. The open-source software Ultraschall.fm is used for production. The developers of Ultraschall.fm will be on site during the session and offer support with typical podcasting questions. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/podcast-radiomegahertz-mhz-rein-khz-raus-ultraschall-fm-mittendrin

Dec 27, 2025, 36 min

Opening pAMDora's box and unleashing a thousand paths on the journey to play Beatsaber custom songs (39c3)

While trying to apply fault injection to the AMD Platform Security Processor under unusual (self-imposed) requirements and restrictions, it was software bugs that stopped the initial glitching attempts. Once discovered, the software bug was used as an entry point to explore the target, which in turn led to uncovering (and exploiting) more and more bugs, ending up in EL3 on the most secure core on the chip. This talk is the story of trying to glitch the AMD Platform Security Processor, then accidentally discovering several bugs and getting a good look inside the target, before returning to hammering it with novel physical strategies.

# BACKSTORY

So here is the backstory of how it all started:

- I bought a commercial gaming console
- Then I bought a VR headset (for this console) because of an exclusive game
- But I also wanted to play Beat Saber
- I could, but the built-in song selection was very limited
- Custom songs exist (for example on Steam), but not for this console
- I didn't want to buy a second headset for Steam

That's when I decided I wanted to hack this console so that I could port community-created custom songs to the console and play them there with the VR headset I already have. I initially started with an approach similar to the usual "entry point through the browser, then go for the kernel and call it a day", but annoying hurdles quickly blocked my way. For one, the hypervisor makes your life miserable with its execute-only kernel text and blind exploitation. Other issues were that one needs to be on the latest version to download the game, which exists only as a digital-purchase title, preventing me from sharing my efforts with others even if I could get it working on my console. What finally put the nail in the coffin, though, was when porting a kernel zero-day to the console failed because of heavy sandboxing, unreachable syscalls or even entirely stripped kernel functions. Some may call it a "skill issue".

Anyways, that's when I had had enough of it and decided to bring this thing down for good. Everybody does glitching nowadays, and according to rumours people have had success with glitching this thing before, so how hard can it really be, right? So the question became: is it possible to build a modchip which glitches the board and lets me play Beat Saber custom songs? Stuff like that has been done on other consoles before (minus the Beat Saber part :P). Turns out that when manufacturing produces chips with broken GPUs, they are sold on spin-off desktop mainboards (with the GPU disabled) rather than thrown away. Which is great, because those mainboards are much cheaper, especially if you buy broken spin-off mainboards on eBay. So on the journey to Beat Saber custom songs, breaking this desktop mainboard became a huge chunk of the road. Because if I can glitch this and build a modchip for it, surely I can also do it for the console, right? I mean, it's the exact same SoC after all! Back when I started, I didn't know I was about to open pAMDora's box and discover so many bugs and hacks.

# Actual talk description

**Disclaimer: This is not a console hacking talk!** This talk is going to be about breaking nearly every aspect of the AMD Platform Security Processor of the desktop mainboard with the same SoC as the console. While certainly useful for _several_ other AMD targets, unfortunately not every finding can be directly ported to the console. Still, it remains very useful nonetheless! Note: the final goal of custom songs in Beat Saber has not been reached yet; this talk presents the current state of things. In this talk you'll be taken on a ride through how everything started and how almost every aspect of the chip was broken: how bugs were discovered, and what strategies were used to move along.

Not only will several novel techniques be presented for applying existing physical attacks to targets where they couldn't really be applied before, but completely new approaches are also shared which bring a whole different perspective on glitching despite lots of capacitors (which we don't really want to remove) and extremely powerful MOSFETs (which smooth out crowbar attempts in the blink of an eye). But that's not all! While trying to perform physical attacks on the hardware, the software would just start falling apart by itself. Which means at least **6 unpatchable\* bugs** were discovered, which are going to be presented in the talk alongside **5 zero-day exploits**. Getting EL3 code execution on the most secure core inside AMD's SoC? No problem! Apart from bugs and exploits, many useful techniques and discovery strategies are shared which will provide an excellent knowledge base and attack inspiration for following along or going for other targets. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/opening-pamdora-s-box-and-unleashing-a-thousand-paths-on-

Dec 27, 2025, 44 min