All the 4G Modules Could be Hacked

Presented at Black Hat USA 2019, Aug. 7, 2019, 1:30 p.m. (50 minutes)

Nowadays more and more 4G modules are built into IoT devices around the world, such as vending machines, car entertainment systems, laptops, advertising screens, urban cameras etc. But no one has conducted comprehensive security research on the 4G modules. We carried out this initiative and tested all the major brand 4G modules in the market (more than 15 different types). The results show all of them have similar vulnerabilities, including remote access with weak passwords, command injection of AT Command/listening services, OTA upgrade spoofing, command injection by SMS, and web vulnerability. Through these vulnerabilities we were able to get to the shell of these devices. In addition to using wifi to exploit these vulnerabilities, we created a new way to attack through fake base station system, triggered by accessing the intranet of cellular network, and successfully run remote command execution without any requisites. In this talk, we will first give an overview on the hardware structure of these modules. Then we will present the specific methods we use in vulnerability probe. In the final section we will demonstrate how to use these vulnerabilities to attack car entertainment systems of various brands and get remote control of cars.

Presenters:

• Ye Zhang - Security Researcher, Baidu Security Lab   as Zhang Ye
  Ye Zhang is a security researcher of Baidu Security Lab X-Team. He's good at reverse engineering and malware analysis, now he focuses on finding IoT vulnerabilities.
• Zheng Huang - Leader of Baidu Security Lab X-Team, Baidu Security Lab
  Zheng Huang is the head of Baidu Security Lab X-Team. He is a prolific finder of vulnerabilities in the browser security area, has contributed a lot of vulnerabilities in Microsoft browsers, Chrome, and Safari. Previously, he mainly focused on malicious URL detection and defense of APT attacks, he is now responsible for the research of autonomous driving security.
• Haikuo Xie - Senior Security Researcher, Baidu Security Lab
  Haikuo Xie is a security researcher of Baidu Security Lab X-Team. He focuses on IoT security and vulnerability discovery and specializes in malware analysis, reverse engineering and fuzzing. He has found some Windows kernel vulnerabilities and now researches the Vulnerabilities of PDF. He also found some very influential vulnerabilities in smart devices.
• Shupeng Gao - Senior Security Researcher, Baidu Security Lab
  Shupeng Gao is a member of Baidu Security Lab. He is an expert on IoT security, AI security, penetration testing, etc. He was invited to talk at multiple security conferences, and successfully pwned IOT equipments on XPwn 2016/2017/2018, GeekPwn May/October 2017,the biggest pwn competitions in China.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#all-the-4g-modules-could-be-hacked-16187
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/All the 4G Modules Could be Hacked.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2019/All the 4G Modules Could be Hacked.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=n9dvDa8PEYc

Similar Presentations:

• DEF CON China 1.0 (2019) / How to perform security analysis on IoT equipment through building a base station system
• Black Hat Asia 2017 / 3G/4G Intranet Scanning and its Application on the WormHole Vulnerability
• DEF CON 27 (2019) / All the 4G modules Could be Hacked