Spotlight: Vehicle Hacking at DEF CON 30

In this blog post, we highlight our Security Validation Department, which made the trip to Los Angeles to present on Ethernet and black-box fuzzing and to participate in the annual hacking festivities. Take an insider’s look at our team, led by Dr. Jonghyuk Song, and at how this group of ethical hackers is striving to make connected and autonomous driving safer for us all.

Las Vegas is a long way from Yeouido. An island sitting on the Han River in Seoul, Korea, Yeouido is often referred to as the “Manhattan” of Seoul. It’s home to many a bank and investment firm, as well as the country’s National Assembly Hall. It is a far cry from the Las Vegas strip, but last week the two collided as seven members of AUTOCRYPT’s Security Validation Department, led by Dr. Jonghyuk Song, AUTOCRYPT’s Chief Security Research Officer and Head of Security Validation, spent their week at DEF CON 30.

The annual hacking and security conference hosts tens of thousands of visitors each year and the schedule is jam-packed with presentations and workshops. However, unlike other expos or events, DEF CON is unique in the sense that it is divided into “villages” that host a variety of events and contests dedicated to hacking and pushing the boundaries of what it means to be “secure” in the connected space. Some of the most well-known villages include Aerospace Village, Car Hacking Village, Biohacking, Physical Security and even Social Engineering Village.

While the idea of hundreds of hackers and hacktivists congregating in Vegas and the aforementioned villages may seem like a recipe for disaster, in reality it’s the opposite. Hacking events, especially ones like DEF CON, attract hackers who are passionate about these industries, and the contests allow both the hackers and the industries associated with these villages to see vulnerabilities within existing technology.

Visitors at DEF CON 30 can participate in a number of activities, including physical security engineering.

One of the members, Donghyeon Jeong, who attended DEF CON for the first time, remarked, “Unlike what the general public may believe, hacking isn’t something that’s done alone or without careful planning and logic. There’s lots of advanced equipment required, and some teams have up to 20 people working on different elements simultaneously. Your team has to work together to prioritize problems and solve the problems strategically, depending on the level of difficulty.” The AUTOCRYPT team placed fifth at this year’s Capture the Flag (CTF) contest in the Car Hacking Village, where tasks covered a wide range of problems, including ECU hardware-related issues, virtual environment operations, Bluetooth hacking, and firmware reverse engineering.

AUTOCRYPT’s team at work in the Car Hacking Village CTF. AUTOCRYPT came in fifth at this year’s event.

Dr. Song, a many-time participant in the CTF competitions and a presenter on advanced hacking methods, says he believes that hacker conventions like DEF CON are crucial to the advancement of secure technology for autonomous driving. “Hacking is just like other technologies where advanced methods are always in development, and coming to these events allows us to see firsthand how to deal with new attacks and also share new strategies we’ve come across in our own work. More and more we see the crossover between hackers and the industries that they are trying to hack as companies are beginning to recognize that the best defense is actually a smart, strategic offense. In fact, you’ll see quite a few recruiters at these events looking to hire an in-house security expert or even just an ethical hacker to test their defense systems.”

And while the competitions are a large part of the event, there is also a multitude of presentations that speak more directly to visitors and participants about hacking techniques. Dr. Song, together with AUTOCRYPT’s Soohwan Oh, Jeongho Yang, and Woongjo Choi, presented on automotive Ethernet fuzzing as well as black-box fuzzing of UDS CAN. Dr. Song stated that he believes presenting on automotive hacking is especially important, as more and more connectivity is moving outside the traditional IT system. “The last thing you would want to happen is for someone to tamper with a connected vehicle on the move, which could ultimately affect human lives. Showcasing how we hack into systems allows manufacturers and suppliers to take a second look at their own security architecture before drivers and passengers get in the car.”

“It’s important to note that car hacking isn’t the end all be all. Just as we moved on from traditional IT to connected IoT, I think hacking will continue to evolve into other parts of the mobility ecosystem. EV chargers, Fleet Management Systems and mobility services – they will all continue to require white hats like us to monitor and test them, so that everyone can enjoy them without worrying about the vulnerabilities or risks involved,” said Donghyeon Jang.

Check back on our blog for more Spotlight pieces, as we continue to travel around the globe to new events and exhibitions exploring automotive tech and security.