The annual CAST award recognizes outstanding bachelor's and master's theses in applied cybersecurity from all over Germany. This year, however, it almost feels like a class reunion: three of the seven awardees are from here at SEEMOO. Noreen Mehler, Inga Dischinger, and I, Nils Rollshausen, all present our recently completed theses to the jury as the first snow falls on the Fraunhofer SIT.
Noreen Mehler shares her work on evaluating detection methods for hidden sensors — such as microphones or cameras — and talks about the difficulties in reproducing the results of academic research. To aid future researchers in this endeavor, she walks us through her process of designing a robust, replicable, and accessible evaluation framework for sensor detection methods. Methods that we, living in an age of cheap spy cameras from online retailers, desperately need and that currently, as Noreen finds, often fail to hold up to their claimed performance. During lunch, she also gives a quick demo of one of the more reliable methods she evaluated: Laser-assisted photography detection with off-the-shelf smartphones that can find camera lenses.
Inga Dischinger tells us about her adventures in reverse-engineering the Apple ecosystem: She untangles the mess of daemons, services, and protocols that power Apple's Continuity Camera, an enabled-by-default feature that lets your MacBook access your iPhone's camera — even if your phone is locked. In addition to presenting an interesting attack surface — and thus a good target for her security analysis — understanding this complex system also allows her to provide an open re-implementation of some of Apple's magic features. If you want to snap pictures from your iPhone on your Linux laptop, now you can.*
Finally, I present WatchWitch, my investigations into the inner workings of the Apple Watch. Always on our wrists, smartwatches like the Apple Watch collect a trove of intimate data about our lives. Understanding the tangle of interwoven custom protocols used by the watch lets us analyze its security and privacy — and beyond that, try our hand at re-implementing them as an open-source app. The result is WatchWitch, my Android app that lets users connect their Apple Watch to an Android smartphone and allows me to stream my heart rate to my phone in the, at this point, well-rehearsed live demonstration of my presentation.*
*Some limitations apply. May require extracted key material and/or WiFi routers in your backpack.