Set-top box Hacking: freeing the 'Freebox' (39c3)

The French ISP 'Free' was the first to introduce a set-top box in France in 2002, named the Freebox. Four years later, the fifth version of the Freebox was released and distributed to customers. It comprises two devices: a router, and a PVR called the Freebox HD, both running Linux. The Freebox HD had innovative features at the time, such as live television control and HD capabilities. Such a device has a lot of potential for running homebrew, so I decided to hack it. I present how I got arbitrary code execution on the Freebox...

Omnibus Halbgarer Machenschaften (OHM #23) (39c3)

erdgeist & monoxyd denken laut. Aufgrund des großen Erfolgs soll das jetzt auch beim Congress versucht werden. Themen? Ja! Wahrscheinlich irgendwas mit so... Dingen, die gerade passiert sind und zu denen mal was gesagt werden muss. Besser wir als Lanz & Precht! Es gibt außerdem einen besonderen Anlass: 23! (Wo kommt das eigentlich her?) Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/omnibus-halbgarer-machenschaften-ohm-23
Video:39c3-83813-deu-Omnibus_Halbgarer_Machenschaften_OHM_23_hd.mp4

Block Domains and Advertisements in a ZTE DSL Router

In one of my previous blog posts I showed how to install and run PiHole DNS server locally as a Docker container in your Synology NAS server. This worked great as the PiHole dashboard shows the list of identified annoying advert requests that were blocked shows.

So far I did configure my PiHole DNS server within my Chrome browser so that the browser cant load those annoying domains anymore. This worked like a charm, until quite recently Google updated Chrome browser to only allow a ‘secured DNS connection’ which actually seems a bit of a trojan horse for their own ads...

OpenTelemetry Astroshop Simulator

Astroshop is a great way of testing and running a demo scenario that offers with a large spectrum of technologies, services and a realistic problem scenario of running a real shop in serverless or Kubernetes infrastructure.

Besides, Astroshop being a great way to demo and test observability platforms such as Dynatrace and to run problem scenarios on demand, its also a bit cumbersome to deploy it for testing purposes. Imagine that you are a local developer that just needs to quickly run a test for a new feature using OTel traces and spans. Deploying Astroshop or any other scenario always comes...

How To Minimize Bugs in Cryptography Code (39c3)

"Don't roll your own crypto" is an often-repeated aphorism. It's good advice -- but then how does any cryptography get made? Writers of cryptography code like myself write code with bugs just like anyone else, so how do we take precautions against our own mistakes? In this talk, I will give a peek into the cryptographer's toolbox of advanced techniques to avoid bugs: targeted testing, model checking, mathematical proof assistants, information-flow analysis, and more. None of these techniques is a magic silver bullet, but they can help find flaws in reasoning about tricky corner...

Variable Fonts — It Was Never About File Size (39c3)

A brief history of typographic misbehavior or intended and unintended uses of variable fonts. Nine years after the introduction of variable fonts, their most exciting uses have little to do with what variable fonts originally were intended for and their original promise of smaller file sizes. The talk looks at how designers turned a pragmatic font format into a field for experimentation — from animated typography and uniwidth button text to pattern fonts and typographic side effects with unintended aesthetics. Using examples from projects such as TypoLabs, Marjoree, Kario (the variable font that’s used as...

Lessons from Building an Open-Architecture Secure Element (39c3)

The talk will be about our experience from building an open-architecture secure element from the ground up. It explains why openness became part of the security model, how it reshaped design and development workflows, and where reality pushed back — through legal constraints, third-party IP, or export controls. It walks through the secure boot chain, attestation model, firmware update flow, integration APIs, and the testing framework built for external inspection. Real examples of security evaluations by independent researchers are presented, showing what was learned from their findings and how those exchanges raised the overall...

Textiles 101: Fast Fiber Transform (39c3)

Textiles are everywhere, yet few of us know how they’re made. This talk aims to give you an overview over the complete transformation from fiber to finished textile. We'll be exploring fiber properties, spinning, and techniques like weaving, knitting, crochet, braiding, and knotting, followed by finishing methods such as dyeing, printing, and embroidery. You’ll learn why not only fiber but also structure matters, and how to make or hack textiles on your own without relying on fast fashion or industrial tools. Textiles play an integral part in our daily lives. If you’re reading this, chances are...

"Passwort" - der heise security Podcast live vom 39C3 (39c3)

Der heise security Podcast macht wieder einen Betriebsausflug nach Hamburg. Diesmal bringt Christopher seinen Co-Host Sylvester mit und spricht 90 Minuten lang über aktuelle Security-Themen vom Congress. Wir haben uns erneut einige spannende Fundstücke herausgesucht und sprechen darüber miteinander, aber auch mit unseren Gästen. Welche Themen wir besprechen ist - wie immer bei unserem Podcast - eine Überraschung. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2025/hub/event/detail/passwort-der-heise-security-podcast-live-vom-39c3
Video:39c3-83754-deu-Passwort_-_der_heise_security_Podcast_live_vom_39C3_hd.mp4

When Vibe Scammers Met Vibe Hackers: Pwning PhaaS with Their Own Weapons (39c3)

What happens when AI-powered criminals meet AI-powered hunters? A technical arms race where both sides are vibing their way through exploitation—and the backdoors write themselves. In October 2025, we investigated Taiwan's fake delivery scam ecosystem targeting convenience store customers. What started as social engineering on social media became a deep dive into two distinct fraud platforms—both bearing the unmistakable fingerprints of AI-generated code. Their developers left more than just bugs: authentication flaws, file management oversights, and database implementations that screamed "I asked LLM and deployed without reading." We turned their sloppiness into weaponized OSINT. Through...