Offense & Defense in IoT World. Samuel Lv Keen Security Lab, Tencent

Transcription:

Offense & Defense in IoT World Samuel Lv Keen Security Lab, Tencent

Keen Security Lab of Tencent

Wide coverage of software and hardware security research:
- Mainstream PC & Mobile Operating Systems
- Mainstream PC & Mobile Internet Applications
- Cloud Computing & Virtualization
- Connected Vehicles & IoT Devices

- 17 Pwn2Own winners
- 3 Pwn2Own Master of Pwn
- 3 Android Universal ROOT Research
- 4 iOS Jailbreak Research
- 2 Tesla Remote Hacking Research
- 1 BMW Remote Hacking Research
- 1 Champions of Qiangwang Cup and Wangding Cup
- 7 Blackhat Pwnie Award Nominations

Cyber-Security, a Big Challenge to Connected Car OEMs

2015.7: FCA JEEP was hacked remotely. The hackers demonstrated unauthorized remote control of the JEEP. Security vulnerabilities in different modules, including TSP, Telecom Network, Head Unit etc., were reported to Chrysler. Impact: FCA recalled 1.4 million JEEPs sold in North America.

2015.7: Hackers hijacked the OnStar mobile APP and demonstrated unauthorized remote controls such as unlocking the doors, starting the engine, sounding the horn etc. The issue was related to security vulnerabilities in the OnStar mobile APP and TSP modules. Impact: OnStar released an urgent security fix.

2016.2: The Nissan LEAF EV mobile APP was hijacked. The hacker achieved unauthorized remote control to switch on the air conditioning, flash the lights etc. Security vulnerabilities in the LEAF mobile APP and TSP modules caused the issue. Impact: Nissan temporarily shut down the remote control services from TSP.

2016.9 and 2017.7: Keen Lab was the first worldwide to build the full attack chain proving that Tesla could be hacked remotely, and achieved unauthorized remote control in both parking mode and driving mode. The full attack chain successfully exploited security vulnerabilities in the in-vehicle browser, head unit OS, CAN gateway, CAN protocols and critical ECU modules. Impact: After getting Keen Lab's detailed disclosure, Tesla issued a bunch of urgent patches within 10 days and pushed the patches to the various Tesla models worldwide.

Easy to Attack, Hard to Hold! Connected Car Security Needs Holistic View!

[Diagram: N Attack Surfaces, numbered 1 to 16. Labels: 3rd party CP Services, IV APPs, WiFi Hotspot, BlueTooth, USB, OEM TSP, OEM backend Services, T-Box, Internet Services/Content, OBDII, Infotainment OS, Gateway, Charging Station, BT Key, V2X, Mobile APP, User Portal, CAN BUS & ECUs, ADAS]

Keen Lab Offense Research

Technical Overview: Tesla Remote Hacking Research

Entry points (Cellular/WiFi):
- Cellular: Phishing with malicious URLs
- WiFi: Malicious hotspot, browser auto connect behavior

[Diagram: in-vehicle network. Labels: WebKit Browser, Vehicle Control, OTA Update Service (VPN), Radio, Cellular, Other Services, Bluetooth, Ethernet, TCP/UDP]
- CID (Ubuntu, ARMv7): 192.168.90.100, 192.168.20.2
- IC (Ubuntu): 192.168.90.101
- Gateway (RTOS): 192.168.90.102
- WiFi (Linux): 192.168.20.1
- CH CAN Bus: ABS, PAM, ESP...
- Body CAN Bus: DDM, PDM, HVAC...

Attack chain:
- Browser: Multiple vulnerabilities with exploits to get code execution ability
- Linux Kernel: Vulnerability with exploit to escalate system privilege and disable AppArmor to get Linux ROOT permission
- Gateway: Bypass code integrity check and patch gateway firmware
- CAN: Send malicious CAN messages on arbitrary CAN channels

Tesla Recognitions to Keen Lab Research

https://www.tesla.com/about/security
Highest reward to security researchers in Tesla history

Tesla Remote Hacking 2016 Research Video: https://v.qq.com/x/cover/dvlu8l3oz88aiuo/y0329yuyczc.html
Tesla Remote Hacking 2017 Research Video: https://v.qq.com/x/cover/dvlu8l3oz88aiuo/r0024awar9h.html

Technical Overview: BMW Remote Hacking Research

[Diagram: steps numbered 1 to 5. Labels: Software Defined Radio Platform, Simulated GSM Network, BMW Car, T-Box, Central Gateway, CAN Network]

BMW Group Recognitions to Keen Lab Research

1st BMW Group Digitalization and IT Research Award
https://www.bmwgroup.com/en/general/security.html

"The BMW Group is convinced that the study presented constitutes by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party." - BMW Group Press Release, May 22nd 2018

Keen Lab Defense Work

Keen Lab IoT Security Solutions

Detect, Mitigate, Prevent the REAL Attacks to IoT Devices
- Mitigations: Sandboxing, System Hardening
- Detections: SoC
- Preventions: APP and IoT Firmware Security Analyzers

[Diagram, repeated once per step. Labels: Passenger, Ports, IVI, Kernel, Gateway, Tbox, ECU]

Step 1: Luring into a malicious wifi
Step 2: Pwn an application
Step 3: Pwn the kernel and get full control
Step 4: Hack the gateway
Step 5: Send CAN packets and have fun!

Mitigation: Android/Linux System Hardening

[Diagram. Labels: SoC Agent, Benign App, Malicious/Compromised App, User, Filtering Kernel Module, Policy, Hotspot#1, Hotspot#2, Hotspot#3, Hotspot#4]

Mitigation: Sandboxing

[Diagram. Labels: Filter, Application, Isolated Process, User Data, Core Logic, Host Proxy, Web Engine, App Sandbox, GPU Proxy, IO Proxy, Life-cycle Proxy, System Service Proxy]

Detection: IoT/Vehicle SoC

Kernel is important, but not the only one:
- USB devices
- SMS, Wi-Fi, Bluetooth
- OTA packages

Awareness is just as important as intervention:
- A security operation center to Monitor, Assess, Defend

Defeat sophisticated attacks:
- Big data
- Cloud-side policies

Prevention: APP Security Analyzer

Prevention: IoT Firmware Security Analyzer

[Diagram: analysis pipeline. Labels: Source (Opt), Firmware, Unpacker, App/System, Config, Source Analyzer, Static Analyzers, Dynamic Analyzers, VM-based Fuzzer, Bug Report, Report]

Cybersecurity Collaborations with Industries

Joint-Research:
- Security for Future Autonomous Driving
- Intrusion Detection Backend AI/ML Analysis Engine
- Device Virtualization

Expert Services:
- Battlefield Offense and Defense Practices
- In-Depth Security Trainings
- Security Advisory on Security Practices and Implementations
- Penetration Test (Devices, Backend, Mobile APP, accessories)
- Technical Consulting on Security/Incident Response

Defense Solutions:
- Mitigations, Detections & Preventions
- Android/Linux System Security Hardening
- Security Operations Center (Intrusion Detection Service)
- Sandbox Mitigation
- Backend/Cloud Services Protections
- Security Testing Tools and Automations

THANKS!