The 39C3 Congress took place between Christmas and New Year's Eve in the heart of Hamburg. The program covered a wide range of topics relevant to modern security professionals. Presentations ranged from low‑level security research and reverse engineering to privacy and cryptography challenges in consumer technologies, large‑scale network security, and the security implications of emerging and everyday connected devices. Other sessions addressed legal approaches against surveillance technologies, the role of technology in modern conflicts, and the security of safety‑critical and medical systems.
Several talks combined technical depth with significant real‑world relevance. One particularly engaging session, “Protecting the network data of one billion people: Breaking network crypto in popular Chinese mobile apps”, was presented by Mona Wang. Wang is an information security researcher who has worked with organizations such as the Electronic Frontier Foundation and the research community at UC Berkeley. In her talk, Wang described how her team systematically analyzed and exploited around a dozen custom-built network encryption protocols used in widely adopted Chinese mobile apps, including communication and browsing software. By demonstrating how network eavesdroppers could recover sensitive user metadata from these bespoke schemes, the research reinforced the age-old lesson of not developing your own cryptography and highlighted the importance of well‑vetted, standard protocols in protecting user data at scale.
Another memorable session, “Watch Your Kids: Inside a Children’s Smartwatch”, was delivered by Nils Rollshausen, a PhD candidate at the Secure Mobile Networking Lab (SEEMOO) at TU Darmstadt. Rollshausen walked through a detailed security analysis of a popular children’s smartwatch platform, reverse‑engineering its firmware and access controls. The investigation revealed that static cryptographic keys and insufficient authentication allowed proof‑of‑concept attacks to read and modify messages, manipulate location data, or interact with the device remotely. Demonstrations included altering reported GPS coordinates and spoofing communications. These demonstrations illustrated how flawed security assumptions can translate into real‑world privacy and safety implications for end users.
These talks are just a few examples of the many fascinating technical analyses and insightful sessions that cover different aspects of security and privacy at 39C3.
A defining characteristic of 39C3 is its strong focus on interaction and hands‑on participation. In addition to talks, the Congress featured numerous hacking spaces, project areas, workshops, and assemblies. These spaces enabled practical experimentation, collaborative learning, and informal knowledge exchange. Participants were able to explore tools, exchange techniques, and discuss ideas beyond the constraints of a traditional conference setting.
Taking part in 39C3 was intense but extremely rewarding. The technical depth, creative exploration, and community engagement provided valuable insights and emphasized the importance of adopting a comprehensive approach to cybersecurity.
For our customers, the talks highlighted the importance of security best practices. This includes relying on proven standards, maintaining an inventory of devices and systems and ensuring they are kept up to date, as well as choosing providers that can demonstrate how cybersecurity is addressed throughout their supply chain. Insights from 39C3 also show how proactive vulnerability research and responsible handling of security issues help protect digital services and maintain trust.
Overall, 39C3 made it clear that open exchange and cooperation are essential for the further development of cybersecurity and the creation of a trustworthy digital world.