Offense & Defense in IoT World
Samuel Lv, Keen Security Lab, Tencent

Keen Security Lab of Tencent
Wide coverage of software and hardware security research:
- Mainstream PC & mobile operating systems
- Mainstream PC & mobile Internet applications
- Cloud computing & virtualization
- Connected vehicles & IoT devices
Track record (badge counts as printed on the slide):
- 17 Pwn2Own winners; 3 Pwn2Own "Master of Pwn"
- 3 Android universal ROOT research; 4 iOS jailbreak research
- 2 Tesla remote hacking research; 1 BMW remote hacking research
- 7 Blackhat / Pwnie Award nominations
- 1 Champions of Qiangwang Cup and Wangding Cup
Cyber-Security, a Big Challenge to Connected Car OEMs

2015.7: FCA Jeep was hacked remotely. The hackers demonstrated unauthorized remote control of the Jeep. Security vulnerabilities in different modules, including the TSP, the telecom network and the head unit, were reported to Chrysler. Impact: FCA recalled 1.4 million Jeeps sold in North America.

2015.7: Hackers hijacked the OnStar mobile app and demonstrated unauthorized remote controls such as unlocking the doors, starting the engine and sounding the horn. The issue was caused by security vulnerabilities in the OnStar mobile app and TSP modules. Impact: OnStar released an urgent security fix.

2016.2: The Nissan LEAF EV mobile app was hijacked. The hacker achieved unauthorized remote control to switch on the air conditioning, flash the lights, etc. Security vulnerabilities in the LEAF mobile app and TSP modules caused the issue. Impact: Nissan temporarily shut down the remote control services on the TSP.

2016.9 and 2017.7: Keen Lab was the first in the world to build a full attack chain proving that Tesla cars could be hacked remotely, achieving unauthorized remote control in both parking mode and driving mode. The full attack chain exploited security vulnerabilities in the in-vehicle browser, the head unit OS, the CAN gateway, CAN protocols and critical ECU modules. Impact: After receiving Keen Lab's detailed disclosure, Tesla issued a set of urgent patches within 10 days and pushed them to the various Tesla models worldwide.
Easy to Attack, Hard to Hold! Connected Car Security Needs a Holistic View!
N attack surfaces (the slide's numbering was lost in extraction):
- 3rd-party CP services
- IV apps
- WiFi hotspot
- Bluetooth
- USB
- OEM TSP
- OEM backend services
- T-Box
- Internet services/content
- OBD-II
- Infotainment OS
- Gateway
- Charging station
- BT key
- V2X
- Mobile app
- User portal
- CAN bus & ECUs
- ADAS
Keen Lab Offense Research
Technical Overview: Tesla Remote Hacking Research

Entry vectors (cellular/WiFi):
- Cellular: phishing with malicious URLs opened in the WebKit browser
- WiFi: malicious hotspot, exploiting the browser auto-connect behavior

In-vehicle network (as drawn on the slide):
- CID (Ubuntu, ARMv7): 192.168.90.100 on Ethernet, 192.168.20.2 on WiFi; runs the WebKit browser, the OTA update service (VPN), radio and other services; Bluetooth, TCP/UDP
- IC (Ubuntu): 192.168.90.101
- Gateway (RTOS): 192.168.90.102
- WiFi module (Linux): 192.168.20.1
- CH CAN bus: ABS, PAM, ESP, ...
- Body CAN bus: DDM, PDM, HVAC, ...

Attack chain:
1. Browser: multiple vulnerabilities with exploits to get code execution
2. Linux kernel: vulnerability with exploit to escalate system privilege and disable AppArmor, getting Linux ROOT permission
3. Gateway: bypass the code integrity check and patch the gateway firmware
4. CAN: send malicious CAN messages on arbitrary CAN channels
Tesla Recognitions to Keen Lab Research
https://www.tesla.com/about/security
Highest reward to security researchers in Tesla history
Tesla Remote Hacking 2016 Research Video: https://v.qq.com/x/cover/dvlu8l3oz88aiuo/y0329yuyczc.html
Tesla Remote Hacking 2017 Research Video: https://v.qq.com/x/cover/dvlu8l3oz88aiuo/r0024awar9h.html
Technical Overview: BMW Remote Hacking Research
Attack path (as numbered on the slide): Software Defined Radio platform -> simulated GSM network -> BMW car (T-Box) -> central gateway -> CAN network
BMW Group Recognitions to Keen Lab Research
1st BMW Group Digitalization and IT Research Award
https://www.bmwgroup.com/en/general/security.html
"The BMW Group is convinced that the study presented constitutes by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party." - BMW Group Press Release, May 22nd, 2018
Keen Lab Defense Work
Keen Lab IoT Security Solutions: Detect, Mitigate, Prevent the REAL attacks to IoT devices
- Mitigations: sandboxing, system hardening
- Detections: SOC (security operation center)
- Preventions: security analyzers for apps and IoT firmware
Attack chain, shown step by step on the in-vehicle diagram (components: ECUs, T-Box, IVI with its ports and kernel, passenger, gateway):
Step 1: Luring into a malicious WiFi
Step 2: Pwn an application
Step 3: Pwn the kernel and get full control
Step 4: Hack the gateway
Step 5: Send CAN packets and have fun!
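Both the Tesla attack chain above (browser -> kernel -> gateway -> CAN) and the five steps just listed end at the same choke point: the gateway deciding which frames from the infotainment side may reach the chassis and body buses. The following is an added example, not Keen Lab's or Tesla's gateway code, of the kind of default-deny policy such a gateway should enforce. Interface names, the allow-listed CAN IDs and the "diagnostics only while parked" rule are assumptions made for the example; the diagnostic addressing (0x7DF functional request, 0x7E0-0x7E7 physical requests) is the ISO 15765-4 convention.

```python
"""CAN gateway policy check (added example; interface names and IDs are assumed)."""
from dataclasses import dataclass, field

UDS_FUNCTIONAL_REQUEST = 0x7DF          # ISO 15765-4 functional diagnostic request
UDS_PHYSICAL_REQUESTS = range(0x7E0, 0x7E8)  # ISO 15765-4 physical diagnostic requests


@dataclass(frozen=True)
class CanFrame:
    """Classic CAN frame with an 11-bit identifier."""
    can_id: int
    data: bytes

    def __post_init__(self):
        if not 0 <= self.can_id <= 0x7FF:
            raise ValueError(f"invalid 11-bit CAN ID {self.can_id:#x}")
        if len(self.data) > 8:
            raise ValueError("classic CAN carries at most 8 data bytes")


def is_diagnostic(frame):
    return frame.can_id == UDS_FUNCTIONAL_REQUEST or frame.can_id in UDS_PHYSICAL_REQUESTS


@dataclass
class GatewayPolicy:
    # (source interface, destination bus) -> IDs that interface may inject. Assumed values.
    allow: dict = field(default_factory=lambda: {
        ("infotainment", "body"): {0x2F0, 0x2F1},   # e.g. HVAC set-points from the head unit
        ("infotainment", "chassis"): set(),         # nothing from the head unit to chassis
        ("obd", "chassis"): set(),                  # OBD-II gets diagnostics only (see below)
        ("obd", "body"): set(),
    })
    # Interfaces allowed to send UDS diagnostics, and only while the vehicle is parked.
    diag_sources: frozenset = frozenset({"obd"})
    dropped: list = field(default_factory=list)   # drop log, what an SOC agent would ship off-board

    def _drop(self, source, dest_bus, frame, reason):
        self.dropped.append((source, dest_bus, frame.can_id, reason))
        return False, reason

    def decide(self, source, dest_bus, frame, speed_kph):
        """Return (forward, reason). Anything not explicitly allowed is dropped."""
        if frame.can_id in self.allow.get((source, dest_bus), set()):
            return True, "allow-listed id"
        if is_diagnostic(frame):
            if source not in self.diag_sources:
                return self._drop(source, dest_bus, frame, "diagnostics from untrusted interface")
            if speed_kph != 0:
                return self._drop(source, dest_bus, frame, "diagnostics while moving")
            return True, "diagnostics while parked"
        return self._drop(source, dest_bus, frame, "not allow-listed")


def forward_batch(policy, source, dest_bus, frames, speed_kph):
    """Apply the policy to a burst of frames; return only those that may cross the gateway."""
    return [f for f in frames if policy.decide(source, dest_bus, f, speed_kph)[0]]


if __name__ == "__main__":
    policy = GatewayPolicy()
    # Constructed traffic from a compromised head unit: an HVAC frame, a spoofed
    # frame on an unknown ID, and a UDS "extended diagnostic session" request.
    frames = [CanFrame(0x2F0, b"\x16\x01"), CanFrame(0x1A5, b"\xff" * 8),
              CanFrame(0x7DF, b"\x02\x10\x03")]
    for f in frames:
        print(f"{f.can_id:#05x} -> {policy.decide('infotainment', 'chassis', f, speed_kph=60)}")
    print("dropped:", policy.dropped)
```

The point of the speed check is the "driving mode" case from the Tesla timeline: even a legitimately wired diagnostic port should not be able to open a diagnostic session while the vehicle is moving, and a head unit should never be able to do so at all.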
Mitigation: Android/Linux System Hardening
Components on the slide: an SOC (security operation center) agent; user space with a benign app and a malicious/compromised app; a filtering kernel module driven by a policy that covers kernel hotspot #1 to hotspot #4, placed between apps and the kernel as a filter.

Mitigation: Sandboxing
The application is split in two. The isolated process holds the user data, the core logic and the web engine inside an app sandbox; the host side exposes only proxies: a GPU proxy, an IO proxy, a life-cycle proxy and a system service proxy.
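The broker-and-proxy split described on the sandboxing slide is easier to see in code. The following is an added example, not Keen Lab's sandbox: the untrusted part (the "web engine") runs in a child process whose only capability is a pipe to the host, and every file access is a request to the host-side IO proxy, which canonicalizes the path and refuses anything outside the sandbox root. The request format ("read <relative path>"), the directory layout and the file contents are constructed for the example; a production sandbox would additionally strip the child's own privileges (namespaces, seccomp, SELinux) so that the proxy really is the only path to the filesystem.

```python
"""Broker/IO-proxy sandbox skeleton (added example; paths and request format are assumed)."""
import multiprocessing as mp
import os
import tempfile


class IoProxy:
    """Host-side IO proxy: the policy decision point for the isolated process."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def resolve(self, relative):
        """Return the canonical path, or None if it escapes the sandbox root."""
        full = os.path.realpath(os.path.join(self.root, relative))
        # realpath has already followed ".." and symlinks, so a prefix check is meaningful here
        if os.path.commonpath([self.root, full]) != self.root:
            return None
        return full

    def handle(self, request):
        op, _, arg = request.partition(" ")
        if op != "read":                      # read-only proxy: no write/exec verbs are exposed
            return f"DENIED unsupported operation {op!r}"
        path = self.resolve(arg)
        if path is None:
            return "DENIED path escapes sandbox root"
        try:
            with open(path, "r", encoding="utf-8") as fh:
                return "OK " + fh.read(4096)
        except OSError as exc:
            return f"DENIED {exc.strerror}"


def untrusted_worker(conn, requests):
    """Runs in the isolated process; it never opens files itself."""
    replies = []
    for req in requests:
        conn.send(req)
        replies.append(conn.recv())
    conn.send(("done", replies))
    conn.close()


def run_sandboxed(root, requests):
    """Host side: spawn the isolated process and serve its requests through the proxy."""
    proxy = IoProxy(root)
    host_end, child_end = mp.Pipe()
    child = mp.Process(target=untrusted_worker, args=(child_end, requests))
    child.start()
    child_end.close()
    while True:
        msg = host_end.recv()
        if isinstance(msg, tuple) and msg[0] == "done":
            child.join(timeout=5)
            return msg[1]
        host_end.send(proxy.handle(msg))


def make_fixture():
    """Constructed tree: a sandbox root with one allowed file, a secret outside it,
    and a symlink inside the root that points at the secret."""
    base = tempfile.mkdtemp(prefix="sandbox-demo-")
    root = os.path.join(base, "root")
    os.mkdir(root)
    with open(os.path.join(root, "allowed.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello from inside the sandbox")
    with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("user data the engine must never see")
    try:
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "escape_link"))
    except OSError:
        pass  # no symlink support: that request then fails as "not found", still denied
    return root


if __name__ == "__main__":
    root = make_fixture()
    # Constructed requests a compromised engine might make: one legitimate, three escapes.
    for req, reply in zip(*[["read allowed.txt", "read ../secret.txt",
                             "read escape_link", "write allowed.txt"]] * 1,
                          run_sandboxed(root, ["read allowed.txt", "read ../secret.txt",
                                               "read escape_link", "write allowed.txt"])):
        print(f"{req:<22} -> {reply}")
```

The two checks that matter are in `resolve`: canonicalization first, then the prefix comparison on the canonical result, so that neither a `..` component nor a symlink planted inside the root can redirect the read outside it.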
Detection: IoT/Vehicle SOC (security operation center)
- The kernel is important, but it is not the only thing to watch: USB devices; SMS, Wi-Fi, Bluetooth; OTA packages
- Awareness is just as important as intervention
- A security operation center to monitor, assess, defend and defeat sophisticated attacks, backed by big data and cloud-side policies
Prevention: APP Security Analyzer
Prevention: IoT Firmware Security Analyzer
Pipeline: Firmware Unpacker (plus source, optional) -> App/System Config Analyzer and Source Analyzer -> Static Analyzers / Dynamic Analyzers / VM-based Fuzzer -> Bug Report -> Report
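To make the "unpacker -> app/system config analyzer -> report" stage concrete, here is an added example, not Keen Lab's analyzer, that runs a handful of static checks over an unpacked root filesystem. The sample rootfs is constructed in memory as a tar archive (standing in for the unpacker's output) and is scanned without being extracted, which is also how you avoid the path-traversal risk of extracting untrusted images. File paths, contents, the setuid allow-list and the check rules are all assumptions for the example.

```python
"""Static config checks over an unpacked firmware rootfs (added example; sample data is constructed)."""
import io
import re
import stat
import tarfile

# Constructed rootfs: (path, text content, mode). Contains one instance of each problem.
SAMPLE_ROOTFS = [
    ("etc/passwd", "root::0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n", 0o644),
    ("etc/inittab", "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n", 0o644),
    ("etc/ssl/device.key",
     "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedNotARealKey==\n-----END RSA PRIVATE KEY-----\n", 0o600),
    ("etc/config.ini", "[update]\nurl=http://update.example.invalid/fw\n", 0o666),
    ("bin/busybox", "\x7fELF-placeholder", 0o4755),     # setuid, but allow-listed
    ("usr/bin/netcfg", "\x7fELF-placeholder", 0o4755),  # setuid, not allow-listed
    ("tmp/debug.log", "boot ok\n", 0o666),              # world-writable under tmp/ is expected
]
SETUID_ALLOWLIST = {"bin/busybox", "bin/su"}           # assumed for the example
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def build_sample_firmware():
    """Produce the unpacker's output for the example: a tar archive of the rootfs, in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text, mode in SAMPLE_ROOTFS:
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def analyze(image):
    """Scan every regular file in the image; return findings as dicts (check, path, detail)."""
    findings = []

    def flag(check, path, detail):
        findings.append({"check": check, "path": path, "detail": detail})

    with tarfile.open(fileobj=io.BytesIO(image), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.removeprefix("./")
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")

            # Permission checks come straight from the archive metadata, no extraction needed.
            if member.mode & stat.S_ISUID and path not in SETUID_ALLOWLIST:
                flag("setuid", path, f"setuid binary outside allow-list (mode {member.mode:o})")
            if member.mode & stat.S_IWOTH and not path.startswith(("tmp/", "var/")):
                flag("world-writable", path, f"mode {member.mode:o}")
            # Account database: an empty second field means the account has no password at all.
            if path in ("etc/passwd", "etc/shadow"):
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) >= 2 and fields[1] == "":
                        flag("empty-password", path, f"account {fields[0]!r} has no password")
            # System configuration that starts a cleartext remote shell.
            if path.startswith("etc/") and re.search(r"\btelnetd\b", text):
                flag("telnetd", path, "telnet service started from system configuration")
            # Key material baked into the image is shared by every device running it.
            if PRIVATE_KEY_RE.search(text):
                flag("private-key", path, "embedded private key shipped in firmware")
    return findings


def render_report(findings):
    """Plain-text report, one line per finding, for the 'Report' box of the pipeline."""
    return "\n".join(f"[{f['check']}] {f['path']}: {f['detail']}" for f in findings)


if __name__ == "__main__":
    print(render_report(analyze(build_sample_firmware())))
```

Each check is deliberately a pure function of the archive bytes, so the same analyzer can run in a pipeline over thousands of images without touching the host filesystem.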
Cybersecurity Collaborations with Industries

Joint research: security for future autonomous driving
- Intrusion detection
- Backend AI/ML analysis engine
- Device virtualization

Expert services: battlefield offense and defense practices
- In-depth security trainings
- Security advisory on security practices and implementations
- Penetration tests (devices, backend, mobile app, accessories)
- Technical consulting on security / incident response

Defense solutions: mitigations, detections & preventions
- Android/Linux system security hardening
- Security operations center (intrusion detection service)
- Sandbox mitigation
- Backend/cloud services protections
- Security testing tools and automation
THANKS!