All the 4G Modules Could Be Hacked
Formal metadata
Number of parts | 335
License | CC Attribution 3.0 Unported: You are free to use, adapt, copy, distribute and make publicly available the work or its content, in unchanged or adapted form, for any legal purpose, provided that you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/48425 (DOI)
DEF CON 27
35 / 335
Transcript: English (automatically generated)
00:00
Alright, I'm gonna hand it over to your speakers, please give them a warm welcome. Uh, hello. Uh, today's talk, how the 4G module could be hacked. And uh, here is our team and uh, we are from the Baidu Security Lab. I'm Shu Peng. I'm Huan Zheng. Uh,
00:27
okay, uh, uh, let's introduce first, uh, here's the agenda of today's talk. First of all, we will introduce the fundamentals of the 4G module. Secondly, we will introduce the
00:40
new attack surface of the 4G module. Thirdly, we discuss what need to be done in order to carry out a successful attack. For example, obtain the firmware, get a shell, and so on. First, uh, we will uh, talk about various ways to discover the vulnerabilities. And
01:04
uh, this picture show, show you more than 50 various 4G module and the devices we have studied. Uh, the two just about uh, some 4G routing device and uh, some vehicle 5G devices. Yes, uh, many vulnerabilities of the 4G module, uh, we mentioned today, uh, also
01:25
exist on 5G. Uh, in the middle, there are some party boxes and some possible Wi-Fi devices. Uh, down the bottom, uh, there are all kind of band or 4G modules, about 30 can. Uh, most of them are PCI interface and LCC packages. So, uh, what we have
01:45
found, we have found several general vulnerabilities of different uh, baseband chips and uh, uh, risk in several V2X 5G modules and RCE, uh, RCE in more than 5 cars, T-box and uh,
02:01
vulnerabilities in all possible 4G modules. Uh, because vulnerabilities repair is a long process, uh, so we just show, uh, just show you the vulnerabilities which will help be fixed, uh, in this slide. Okay, uh, when we do this studies, first of all, we found
02:21
that no ma- uh, not many people have done relevant research in this direction before. And, uh, no one is aware of the security problem and the wide impact of the 4G module. So, we want to share a lot more, uh, direction of security search. For example, uh, cars now have, uh, networking traffic, uh, networking functions, but, uh, it seems that no one has
02:45
attacked the T-box, uh, it's called, sometimes it's called TCU. Uh, there are also security issue with the baseband. Uh, baseband security is really important. Researchers, uh, usually talk about the baseband security of Qualcomm and Samsung. In fact,
03:02
there are many other baseband, uh, chips such as, uh, Intel, Huawei, ZT, MTK, uh, Marvel, Ubisoft and so on. And compared with mobile phones, it's easier to analyze through the 4G module. Uh, we will also introduce some new and the effect- effective
03:21
attack surface and the methods. In short, the goal of the thread is not only to introduce some special, uh, one base or the 4G module, but also to provide you with some new ideas, methods for, uh, successful attacks. Okay, we can see the 4G module everywhere.
03:40
IoT devices could connect to the internet through the 4G, uh, modules. For example, we can control a car remotely by the APP. It seems the communication system of the car is online all the time. Maybe some process is table-shaped and maintains a long-running TCP connection. Uh, there are other devices such as like 4G Wi-Fi, 4G router, TKs,
04:04
one new machine, uh, our laptop, and some industrial, uh, device. Even the slot machine in Las Vegas. Uh, there are, there are many interface, interfaces. In fact, the, uh, internal structure is the same. We will see later. Uh, on the left is a circuit about
04:26
the stress of the vending machine. Uh, we can see a module with mini-PCI interface plugged in, in, on the right. Uh, there is ac- actually, uh, ARM processor motherboard, uh, running Linux or Android system. On the right, uh, is a TELUS mode stream 4G module. Uh,
04:45
which implements, uh, navigation, mobile remote control system, upgrade, and other function. Uh, the module is, uh, attached directly to the motherboard. Uh, in this slide, on the left is, uh, industrial 4G route. Uh, we can see this, uh, mini-PCI interface module
05:05
on the motherboard. In fact, it's a common route as a slot to implement the function we internet assess. Uh, the device on the right is a bit special. It's a portable Wi-Fi device, but it doesn't have a separate 4G model. It uses the CTZX chip stand. In fact, it's also a
05:27
4G model. The chip in the module is, uh, attached to the PCB board, which implements, networking, driving, Wi-Fi, running, ATP source, and other function. Uh, there are many other devices designed in this way, uh, such as, uh, some local 4G route. Uh, let's look
05:48
how the structure of the 4G module. In fact, uh, the 4G module is a complete, uh, computer system. ARM CPU and the baseband system are integrated in the main control
06:01
chip. They all use, uh, NAND flash, which has a large shortage of space and the locales. And, uh, they are on, uh, there are other chips, such as power management, uh, radio frequency chips, and so on. Uh, let's look at the software. Most of the 4G modules are embedded Linux system and a few RTOS systems. Uh, okay, this is a picture of the internal,
06:28
uh, in that, in, in structure of the Qualcomm EC2-0 module, we, with the top sheet removed. Uh, the memory chip is a NAND flash plug, uh, DRAM memory, which is integrated
06:43
into a chip. Uh, by looking at the model, the flash is, uh, BGA162 point. Uh, if we want to read or modify the data inside, we need to buy the corresponding chip socket. Uh, so how do the module work and how should they be used? We can see that the upper left
07:06
corner is the LCC module or founder technology. We build a minimal system for it, including power, uh, supply, uh, SIM card, uh, USB interface. Yes, uh, our device communicate with the 4G module use, uh, USB cable. First, we need to install the
07:24
corresponding drivers in the operating system. Uh, when the module is applied in, uh, the operating system loads the corresponding driver, uh, according to VID, PID, and the interface number. Uh, then the system, uh, generates a network card and gets, uh, the
07:44
corresponding IP address. Then you set the internet. Uh, the 4G module uses multiple connection mode and each mode has different kernel module or drivers. Uh, for example, uh, the upper part of the slide shows the PPP and RMT mode. Uh, when the dialing is successful,
08:06
the device will get an IP address from the operator, just like the IoT device directly gets a public IP address. Here, uh, the 1-0 network segment is also considered a public network address. Another way, for example, in RNDIS or ECM modes, the 4G module
08:25
usually has 2 network cards. Uh, when they are forced to get the public address from the operator and another network card is connected to the IoT device using 1-0, 2 network segments. It, uh, looks like the 4G module became a router and the IoT device will
08:45
access the internet through this router. This second part is about the kind of sense. Uh, here I mark the RNDIS and ECM modes because this, uh, these 2 modes don't require additional drivers. Uh, particularly convenient to us, so now mo- most of the 4G
09:03
module are you- using the modules, uh, using this mode. Uh, the T-box in the car is, uh, this way. So, you'll see the security of the 4G module has turned into the security of the Linux system, uh, is followed in the network. Uh, let's introduce some new task, uh,
09:23
attack surface. As we said earlier that, uh, most of these 4G module has, have an embedded Linux system. So, why is there an operating system? Uh, many reasons, such as supporting 2, 3, 4G, which requires a computing result. And, for example, automobile
09:45
manufacturers often need to run their own program in T-box to achieve remote control and other function, which requires, require module with secondary development. Uh, now let's, uh, analyze the attack surface of the 4G module. As we said just now, all the
10:06
current 4G module have a complete Linux state, uh, Linux operating system. At the same time, we found that most of the module now use the RNDIS or ECM networking modes. It, it means that the module will be assigned a separate IP address. This provide a chance or
10:24
attack. Linux system often has some listening ports, uh, uh, connect to the cloud for OTA after this, uh, or remote management. Uh, now it has a separate IP. Uh, we can directly access, uh, this port, uh, intercept its IP link and do some MITM attack and so on. So,
10:48
now the, the, the, the attack is, uh, essentially the task to analyze the hot symptoms, symptoms sec- security. Uh, when the Linux hosts are exposed to the internet or
11:00
intranet. Uh, but wait, it seems that we can't access the, the separate IP unless in the same LAN, such a Wi-Fi hotspot. Uh, let's talk about some, some intended attack surface. Uh, the 4G module is, uh, very cellular device connect to the operator's
11:20
network. But some operators due to, uh, configuration errors don't have network isolation. So, clients can't access, uh, IP or each, uh, uh, or other devices. And, uh, all the 4G modules bought 2G GSM mode. Uh, because of the security problem of GSM, we can use a
11:42
fake base station to monitor and modify traffic. Uh, also can obtain IP links and access ports. And there are also many third-party, uh, service and ID to the module, such as, uh, car control service. Uh, now let's, uh, some, uh, attack ideas. First of all, we
12:03
need to collect enough information and deploy, uh, vulnerabilities, uh, uh, uh, and deploy it, uh, vulnerabilities, uh, get a shell from the, uh, network, uh, network, uh, traffic and so on. Uh, there may be a lot of, uh, reverse engineering work here. Uh,
12:24
mainly analyzing the process of various listening ports. Then we need to consider how to run, uh, our attacker code and, uh, we introduce, uh, traditional method. Uh, mainly in that network, such as Wi-Fi hotspots and, uh, uh, to access the, the port of the 4G
12:45
module to attack. And the new attack method, we can use the incorrect configuration of the operator network to transform the local, uh, uh, test into a very wide render or remote line test, which can generally increase the scope of the test. Uh, in addition,
13:05
because of 4G's, uh, because of 4G's loss, uh, we can, we have a way, a way to fully control the IP link of the nearby 4G module. We can directly, directly access its port and run our attack to code. Uh, with this attacking ideas, it seems very easy to
13:26
attack the 4G module. Uh, let's first talk about using fake base station to attack. Uh, because clients can't identify whether the base station, uh, uh, is real or not in GSM
13:41
mode network, we can build a fake base station system to attack and control traffic. Uh, interestingly, this attack is e- effective for all, all 4G modules and the problem will proceed for a long time, regardless of whether the operator shuts down the 2G base station or not.
14:03
It's not too difficult to build a fake base station, but previous people, uh, have not solved the problem of auto-attachment. If it doesn't, uh, attach automatically, uh, client need to slide to the fake base station manually. Uh, inspired by pseudo base station in
14:23
China, we can improve the C2, uh, parameter in GSM mode broadcasting channel and the client will automatically connect to our fake base station. Uh, C2 is a cell reselection parameter. Uh, the larger the value, the more client tend to connect to the base
14:44
station. Uh, we can build, uh, our fake base station via a software radio such as the bladeRF and the YateBTS system, but we need to change the value of C2. This parameter is
15:01
not set in YateBTS, so let's hard code it in the source code. Uh, set it to maximum and recompile it. Here, we need to remind you that, uh, it's a useful, uh, illegal to build a fake base station, although this attack is very effective. You can tell it
15:21
in shade both and shown in the figure on the right. In order to force the downgrades of the 4G module to 2G, you need to build, uh, interface with the software radio equipment, such as sending some, uh, white noise interference in the current 3G and the 4G band. Uh,
15:44
this also illegal. You just need to know that, uh, this method is effective. Finally, the 4G module automatically attach to our fake base station. Like the whirlpool, uh, the lower red, uh, red figure shows that the C2 value is already very high, usually around the
16:03
70. So, we can now fully control the IP link, monitor the IP data transmission, access the point, run our exploits, and, uh, modify the data. The most common approach used is to access the ports, such as SSH and other service. Let's talk about, uh, uh, attacks through
16:25
the operator's intranet. Uh, we, we have just implemented IP links to access the nearby devices, but is there a way to attack remotely? Uh, most of the operators uh, send, uh, uh, uh, send, uh, 1-0, uh, 1-7-2 network segment to, uh, segment to address,
16:45
uh, to client. But many of them don't have a network, uh, isolation. So, uh, such as China Unicom and, uh, China Telecom. At the same time, most of 4G module don't have a firewall enabled. This means that we can directly access the port, uh, or other
17:05
clients through the port scan. The picture on the right is the result of scanning open ports or ADB and telnet service on the, uh, intranet or the operator. You can tell that many clients have those ports open. Uh, more interestingly, we can measure a wide range,
17:26
range attacks through private, uh, private APN. Private APN is the type, uh, technology that clients connect to their intranet server directly through operator's telnet. Just like, uh,
17:42
VPN connection, client and the server, uh, communicate with each other through 1-0 line segments. Special SIM card and VPN access points are required. This kind of connection is widely adopted by most of the car com- uh, most of the car companies and, uh,
18:02
commonly seen among well-known IoT equipment such as China's Yobow vending machine. And, uh, uh, our clients in this, uh, intranet are equipped with the same time or made by the same company. So, we can look for vulnerabilities in such device, then launch a massive
18:23
attack. As a result, we gain full control of these devices. So, how, how can we get the configuration of the APN access point? For example, so, firmware, firmware analysis and
18:40
log analysis. And how to connect to the target operator APN network? Uh, we can detach the eSIM chip on the motherboard and, uh, attach it back to our 4G module. And, uh, use the AT command to configure, uh, the correct APN access point. So, now we can connect to the
19:02
manufacturer's private APN network and start the port scan and the hack. Uh, I just introduced some new attack surface. Let's implement the attacker prep- uh, preparation work. To get ready for a successful attack, you need to complete at least one of the
19:25
following. Get the firmware, get the shell, or obtain network traffic. In general, uh, get, getting the shell is most influential. After getting the shell, it's easy to get firmware and never did. But sometimes it's not always possible to get the shell. Uh, let's
19:44
take a closer look at how to achieve it. First, uh, I will introduce several methods for obtaining firmware. It seems the method, uh, if this method don't work, there is, uh, ultimate method, NAND flash dump. Uh, we can get the firmware by downloading, uh, by
20:07
downloading the firmware updater program from the official website and, uh, unpacking it. This figure shows the firmware updater program of, of, uh, well-known 4G, uh, Wi-Fi device. Uh, they easily get the new system or parti- partition, uh, inside by
20:27
unpacking the .exe file with the binwalk. Uh, the firmware can be obtained through the manufacturer's update, upgrade tools. Uh, most manufacturers have provided the upgrade
20:43
tools to the developers. For example, Qualcomm, Qualcomm's, um, module have, uh, 9008 recovery mode, which is, uh, uh, set by a short circuit, some solder points. We can get the update tools from the vendor tech support, uh, which contains the
21:02
initialization files for all, uh, partitions. We can see, uh, that the tool contains the initial image of all partitions. We need to focus, uh, focus, uh, on system.img. This file use the UBIFS file system. We can use the UBI reader tools to
21:27
successfully extract the file format and get the final Linux file system. If we can't get, uh, upgrade the tools, uh, use the ultimate solution. NAND flash dump, NAND flash dump, uh, is
21:43
more, uh, complex to read and modify than eMMC flash. Uh, the lower right corner chip is a common BGA63 chip. It's very small and needs a special NAND programmer to read and write. After
22:02
dumping the, uh, uh, after dumping the chip, we can use the binwalk to identify the file system. Uh, let's introduce how to get the shell. Uh, where do we get the shell? If we can get the shell, it may, it will be more convenient for us to
22:24
review process, files, networks, and the debug of vulnerable, uh, programs. It's very interesting that many 4G module use a common password, OELinux123, and sometimes, the passwords may not be required. In addition to serial ports, you can also use
22:43
some remote management tools such as ADB, telnet, SSH, and so on. Uh, this service can be obtained by port scanning. Other methods such as getting a shell from AT command. After the module is connected, the USB interface will be virtualized with several serial ports
23:06
such as /dev/ttyUSB0. So, which AT command can be sent? According to the manual, we can send, uh, AT command to open the ADB service, uh, or some module could, uh, execute
23:22
the system command through sending a AT command. If none of this work, we still have, uh, an ultimate way to modify NAND flash, add, uh, telnet process to the startup script, and reattach the NAND flash back. Let's look up, uh, as, let's look at how to get, uh,
23:47
network traffic. We can build a 4G base station system. Uh, where is the 4G base station? Because it's used for the search. Uh, compared with the 2G base station, building 4G will be more stable, convenient, and fast. As you can see in the figure on the right, our
24:05
client automatically con- connect to the 4G base station and gets the IP address. We can use Wireshark to monitor the traffic. We use the srsLTE 4G base station system in this method, which is much more convenient, uh, installation than OAI. Finally, we need to
24:26
write a SIM card. We need to buy a readable SIM card and a reader. Uh, note, uh, that's, uh, note that this SIM card are only used, uh, for security testing, not for other
24:40
illegal things. We need to write the correct IMSI, Ki, OP to the SIM card to ensure that, uh, this program is, uh, the same as those in the srsLTE. Finally, we start our 4G base station, and it works perfectly. In fact, no matter whether it's a 2G base station or 4G
25:05
base station, it contains a large number of configuration item. Uh, time solut- uh, time relations in this talk will only explain the most important to you. Now, let's have a recap, uh, what information can we get from this, uh, uh, preparation. Uh, most likely,
25:26
uh, the shell will be captured. Then the firmware system and the network traffic will certainly be captured. These are essential for the following, uh, vulnerability mining. Okay.
25:50
Okay. Shupeng just talked a lot about attack surface and preparation for attacking 4G modules. Now, let me show the critical vulnerabilities we find in detail. Uh, let's focus
26:04
on system management service, uh, vulnerabilities first. Usually, 4G modules, uh, runs Linux systems. Uh, Linux system probably, uh, start many remote management services, uh, such as SSH, uh, telnet, and the web server. Uh, we can use fast scan tool,
26:25
uh, fast, faster scan tools, uh, like, uh, masscan, uh, which can scan the port opening status in just a few minutes. Uh, for example, uh, we find, uh, a 4G module or open port 23, uh, which means the telnet device is started. Uh, in most cases, uh,
26:48
telnet, uh, need password to login. Uh, we can extract the e- etc password file from the firmware and then crack it by using hashcat tools. And if you are rich, uh, you can
27:03
buy a lot of GPU to speed up the crack. Uh, 4G modules, uh, generally are not using one machine, one secret key, or one secret password, uh, strategy. So, if you successfully crack the password, uh, which means that you have just cracked the
27:23
password of all 4G modules of this manufacturer. Uh, once we get the password, uh, we can successfully login to the file system, uh, login to the system remotely and this device is ours. Uh, in addition, uh, we find that many well-known manufacturer of 4G
27:43
modules has open remote ADB devices by default. Uh, we only list, uh, some of them in this table. Uh, in fact, some manufacturers, uh, some automobile, uh, manufacturers, uh, when it costs. Uh, also open remote ADB devices by default. What we found is that
28:05
what's the consequence of this? Uh, we can simply use ADB tool, uh, to connect the port 5555 of this module. And in most cases, uh, without authentication, uh, we can get the
28:21
shell remotely so we can hack it. And there are many other type of system management services vulnerabilities, uh, such as a weak password for web management services and even SSH that do not require password, uh, are found on some cars. And some
28:42
manufacturers in order to convenient the repair of the 4G modules, uh, they hide backdoor, they hide backdoor in some external monitoring port. Uh, maybe you can use the backdoor to open telnet or do something dangerous. I will talk about, uh, an
29:03
interesting case, uh, like this on the next page. This is, uh, this, this, uh, this bug was caused by a secondary development of 4G module on a car T-box, T-box. Uh, we reported this problem to manufacturer 6 months ago and the manufacturer has
29:24
completely fixed it. And nowadays, some cars can unlock and open its engine remotely through mobile phone APP, uh, which aroused our interest. We bought this car T-box, uh,
29:41
from, uh, from the, uh, auto parts shop, uh, with this capability. Uh, the capability is it can use a mobile phone APP to open its, uh, door and start its engine. Uh, first, we dump the firmware with NAND program, program, and we find a process listening on 24XXX port.
30:12
And when we use IDA IDA to scan the string of this process, we find, uh, a telnet related
30:21
string. Uh, let's analyze it. As you see, we find a dangerous function, uh, this function parsed the received data from that port and build a command to execute. As the picture shows, uh, it can be used to open telnet device. We analyze that the logic of
30:44
the protocol, uh, uh, of this port. Actually, it use the PKI system, RSA certifications, and, uh, uh, AES encryption. Uh, but we find there are multiple vulnerabilities in this, uh, such as, uh, the AES key is hard-coded in binary, uh, and we get the RSA private,
31:07
uh, private key from the file system and the password of the fi- uh, the private key, we can guess it, uh, so we can use it to generate public key, uh, and we use those
31:21
problems to bypass the TRS, uh, certification successfully. After reverse engineering, uh, we write the exploit code like this, uh, as expected. We finally start up the telnet device on this T-box through this port and using, uh, by using this exploit. However, uh,
31:46
telnetd in this mode requires password verification, so here comes the new pa- uh, problem. We use the most powerful four piece of Nvidia 2080 Ti graphic, uh, card to crack the password. A
32:05
day later, we finally, uh, got the password. The password is very complex, uh, include, include big and little case of chars, numbers, and special chars. Uh, so, now we have a root shell of this T-box, so how can we control the car through, uh, this root shell?
32:27
First, uh, let, let's learn how remote control of vehicle is implemented. First, uh, the red dotted line in this figure, uh, represents the 4G module. It has a long connection
32:42
with the cloud server. Uh, the, uh, 4G module loca- loc- located in the T-box and located in the MPU of T-box. Uh, when the door, when the open door instruction is issued from mobile phone APP, uh, the 4G module, uh, received instruction. A process in MPU
33:05
communicate with MCU through, uh, the serial port. Uh, another process in MPU, uh, yes, uh, another process in MCU that receive the instruction and parse it and dispatch to, to
33:25
CAN bus and the door open. I think this could be the easiest way to, uh, control the car. As we have get shell of the MPU, MPU, so we can write a program to record the data, uh, the
33:45
data that MPU write to MCU. So, when we want to hack another car, uh, the step is we use, uh, uh, exploit we write before to start this target and get a shell and execute, execute
34:00
a new program to replay the data, uh, we recorded before so the door will open. The most important question is how to run our attack code or how to access that port. Do you remember that attack surface is, uh, the attack method that Shupeng, uh, just, uh,
34:22
mentioned before, uh, through a fake base station, uh, operator intranet or Wi-Fi hotspot, we can access that port by running, uh, the exploit without touching the car. Uh, if the car manufacturers use the private APN network without isolation, uh, everything will become
34:44
simple or terrible. Uh, in the right picture, uh, we entered the private APN network of this T-box, uh, so we can scan the port 2 4 x x x x and we find that many devices will open
35:02
this port so we could attack many devices at the same time. Uh, maybe we can use this ranged attack method to build a zombie cars team just like the things in Fast & Furious 8. Next, let, uh, let's talk about the vulnerability in FOTA. FOTA is a way to upgrade
35:27
firmware. We find that, uh, some 4G modules frequently check whether, uh, the cr- the continuation is the latest. Uh, some devices check update when the device start up and
35:42
some are every 40 minutes. In this case, after reverse engineering, we find, uh, that he logged into, uh, FTP server to check for new firmware version because FTP username and password is hardcoded. Uh, we can use it, we can use, use the FTP password to logging
36:07
the FTP server successfully and after logging, we can download all the versions, uh, we got,
36:22
wait for a second, yes, uh, we can download all versions of the firmware of all devices. So, uh, we probably get the old firmware version. Uh, but this is not the craziest
36:43
thing. Uh, we find that this FTP account has writeable priority. So, uh, we can uh, and, uh, another good news, uh, the 4G modules, uh, did not verify the firmware file, uh, in the FTP. So, we can use the writeable priority to upload a new firmware
37:07
with backdoor, uh, to the FTP server and, uh, there are many, many 4G modules of this manufacturer will download the new firmware automatically and upgrade to it. That means,
37:21
that means we can hack all 4G modules of this manufacturer in just, uh, last one day. Uh, that's a nice day probably. We have just talked about the problem on the FTP, uh, F-O-T-A
37:42
server side. Let's look at the vulnerability of the F-O-T-A client side. We find, like, some 4G modules listen to some port for F-O-T-A. Uh, for example, in this case, we find this 4G module listened to the port, uh, 4, 5, x, x, x, and it used to receive the upgrade command.
38:08
Uh, this port was originally used for interprocess communication, but it was incorrectly bind to public, binded to 0.0.0.0, not localhost. So, we can send data to this port
38:26
remotely. And after crack the data exchange protocol to this car, uh, this port and the reverse engineering the structure of the, uh, upgrade firmware file. Uh, as you can see, the structure of this, uh, firmware file is very complicated. It, it cost us a long time. But
38:48
we finally get it. So, we can, so now, we can make a new firmware file with backdoor and force the 4G module upgrade to it. So, we hacked it again. Almost every 4G module has its
39:03
own AT command, uh, parsing process. And some manufacturers, uh, implement, implement some customer capabilities. For example, uh, only the factory engineers know, know, they know some hidden AT command. Uh, if you can find them out, maybe you can open the ADB
39:24
device, uh, through the hidden instructions or open, uh, open ADB or something. Uh, we mentioned it before. Uh, in another case, AT command injection vulnerability is also allowed. For example, this following picture in the left, uh, is an introduction for adding
39:43
root in the development document. Uh, we analyze it, we analyze the system command called here deeply. We find there is a command injection vulnerability. In the image on the right, we append LS string to the AT command and the returned content shows the LS command
40:04
executed success, successfully. That proves that the command injection vulnerability in AT command parsing. In general, the AT command can be only executed, uh, on the, the USB serial port. Uh, but some 4G modules, uh, they support, they support use of SMS to
40:27
execute AT commands. It's you, it's usually used for remote control. Uh, uh, we can find, if we can find an AT, uh, if we can find an AT command injection vulnerability in this scenario, uh, we can exploit the bug remotely by sending, uh, attack
40:46
message to it. In fact, we did find some, uh, some problem in some 4G modules like this. Uh, this is a 4G module that support use SMS to execute AT command. Uh, uh,
41:04
in this case, we find it requires a password in the content to verif- uh, verification. Uh, if the password is right, uh, it will execute the AT command in the, uh, SMS. But the way, uh, the way he uses to verification is too weak. Uh, still the old problem, the
41:26
password is hardcoded in binary and every device, the, the pa- password is the same. And we can get it from, uh, uh, from the firmware once we get, uh, one device. Um, this is the,
41:43
that, that, that 4G module support, uh, AT command, uh, using SMS to, to control it. Uh, actually, we find a command injection vulnerability in parsing SMS AT command. The command name is set FCSN. And finally, we can, we can, we can, we can, we can, we
42:05
can get a reverse shell by simply send a text message to it. We hacked it again remotely. There are many other successful case of attack. Because this talk, uh, limit, uh, 50
42:23
minutes, I cannot talk about them detail one by one. Uh, let me talk about some other interesting cases quickly. Uh, such as, we can use, uh, the jammer to attack the 4G module. Uh, using, and then using the man in the middle and combine with, uh, some
42:43
browser vulnerabilities such as zero day or n-day to interesting, uh, interesting the IVI of our car. And the debug process on the 4G module is also an attack surface. Uh, DoS it to death. That may cause the car lose connection, uh, with the cloud server
43:03
for a long time. Uh, and the IPv6, uh, even if the 4G module has ena-enable iptables, iptables firewall, uh, but sometimes we can still access that port. Why? Because the
43:21
ip6tables are not enabled. Uh, we can simply bypass the firewall, uh, by using IPv6 address. And almost every 4G Wi-Fi use 8 digit password. 8 digit password, that means the password is only number, n-numbers. It's, it's weak password. Uh, we can use
43:45
DDoS attack to get the handshake packet and then crack the password with, uh, many, uh, graphic, uh, card like Nvidia 2080 Ti, uh, in a few minute or a few second. After
44:05
crack the password, we are in the same intranet of the 4G module. We can launch the, uh, further attacks such as we can attack the, um, the system management of the 4G module or we can attack, uh, all devices connected to the 4G module. Uh, in the next chapter, uh, let's
44:29
talk about the suggestion for defending against, uh, those attacks. Uh, we have talked about, uh, a lot of attack messages that and, uh, vulnerabilities detail before and it
44:41
seems that there are many problems. So, how should we, uh, do? We, uh, we can avoid those problems. After communicate with many 4G module manufacturers, hardware manufacturers and car manufacturers, uh, we find that they did not realize there is an
45:01
completely, uh, completely op- operating system in 4G modules. Uh, sometimes there are many, uh, there could be many operating system on a motherboard. Uh, for example, there could be a 3, uh, 3 operating system on a T-box motherboard. Uh, if one of the system has
45:22
problem, it may affect each other, uh, it may affect each other. So, so first of all, we must identify, uh, those systems, the IPs and next we shall check the listening port, uh, ex- especially, uh, those ports that can be accessed remotely. Uh, we have found many,
45:42
many high-risk vulnerabilities in most, uh, of the listening port, listening port process. Uh, if not absolutely necessary, we should not listening port, yes? And be, uh, uh, and be, uh,
46:01
aware of, uh, network ac- access by using 4G interface. Uh, many people think that 4G channel is secure, but actually, hacker can play man in the middle easily through the fake base station. And another problem is that we find that 95% of iptables rules
46:21
in the 4G modules, uh, are empty, it's dangerous. So, uh, we think, we think the simplest way, we think the simplest way to defend this, uh, uh, uh, attacks is to, uh, let the developers learn how to use iptables, uh, well. Uh, here, uh, thanks to our, uh,
46:45
our team's member, uh, you know, this is, uh, teamwork. We have full an- analysis over 50, uh, 50, 50, yes, 50, uh, devices. This is our talk about security list, uh, research
47:01
of 4G modules. I hope that our work can give you some in- inspiration. If you have any question, uh, you can email to us. Uh, thank you for listening.