Tencent Blade Team's Hooper: in the era of IoT, "white hats" take the net as their sword to safeguard security

Posted by punzalan at 2020-03-25

From October 10 to October 11, the third Tencent Security International Technology Summit (TenSec 2018) was held in Shenzhen. Hosted by Tencent Security, co-organized by Tencent Security Keen Lab and the Tencent Security Platform Department, and co-sponsored by Tencent Security College, TenSec 2018 invited technology leaders from China and abroad to discuss security issues in fields such as the Internet of Things, cloud computing and blockchain.

As a representative of a frontier security research team, Hooper, director of the Tencent Security Platform Department and leader of Tencent Blade Team, spoke at the summit. In recent years Tencent Blade Team has accumulated many results in smart-device security research, including discovering the first vulnerability in Google's TensorFlow AI framework, remotely controlling smart homes and commercial buildings, and compromising the Amazon Echo smart speaker. In Hooper's view, in the era of the Internet of Things, hacker attacks will bring not only loss of information or property but possibly danger to life. The research work of Tencent Blade Team is precisely advance preparation for the security issues of the IoT field.

At the same time, Hooper introduced Tencent's TSRC vulnerability reward program to the participants. As the first enterprise-built vulnerability submission platform in China, Tencent TSRC has gradually built a healthy, virtuous-cycle ecosystem by rewarding the security researchers (commonly known as "white hats") who report vulnerabilities, and together with these "white hats" it has defended the security of hundreds of millions of users around the world.

Hu Po (Hooper), director of the Tencent Security Platform Department and leader of Tencent Blade Team

The following is the full text of Hooper's speech:

It is a great pleasure and a great honor to be here today to share with you the work of the Tencent Security Platform Department on IoT security. First, let me introduce myself. I am Hooper (nicknamed lake2), in charge of operation and maintenance security in the Tencent Security Platform Department; in short, I am in charge of hacker attack and defense. Since joining the Tencent Security Platform Department in 2007, I have been engaged in the security work of the Tencent platform. From 2007 to 2010 we focused on URL detection, data protection and anti-intrusion, especially IDC hacking, as well as vulnerability detection and inspection. However, with the development of the Internet, smart homes, smart buildings and the like have entered our lives on a large scale, the Internet of Things industry and IoT smart devices have seen great development, and this security issue will be very important in the future.

In the past, when a system was attacked by hackers, what was mostly lost was data. In the era of payment, the loss may be real money. In the era of the Internet of Things, it is likely to endanger life safety: if hackers control IoT devices, it is likely to pose a threat to our lives. Today I will mainly talk about the research work of the Tencent Security Blade Team on smart-device security.

Tencent Blade Team was established last year. At present it mainly focuses on AI security, IoT and mobile device security. You can also visit our official website to learn about our research results. This speech has four parts. First, an introduction to the IoT era. Second, the research results of Tencent Blade Team. Third, how equipment manufacturers can ensure the security of emerging products and how to handle the supply chain. Fourth, a summary.

Let's start with the IoT era. Smart phones arrived just in time. Perhaps we never thought that in a few years there would be more and more smart devices: routers, smart cameras, smart buildings, smart homes and so on.

But the security of smart devices cannot be ignored. From our experience, hackers in traditional shopping malls were hard to reach before, but once devices are connected to the Internet, hackers around the world can try to attack them, which easily causes problems. As you can see in the news now, routers are used by hackers to install Trojans to attack others. Since 2008, this kind of hacker attack has become more and more serious.

We analyzed Tencent's DDoS data last year. The attack rate for PCs and traditional devices is 84%, and for emerging IoT devices 16%. Now there are a large number of IoT devices that can access the Internet, but they do not pay enough attention to security and have many vulnerabilities, which leads to a large number of devices being attacked by hackers. The trend is obviously increasing. If you are interested, keep an eye on our industry report at the end of this year; a large number of cameras and routers are used for DoS attacks.

At the same time, from these cases and data we can also analyze the overall picture, from individual points to the whole. The links between smart devices have evolved and have basically formed a stable architecture: IoT devices can be controlled by a mobile app; there may be interaction with the cloud, data storage, and instructions issued through the cloud. If something goes wrong, first, the mobile app may have a problem; second, the IoT device itself may be controlled by hackers; third, there may be problems in the cloud, which may be traditional hacker attacks. For example, if there is command injection, hackers can break in and then gradually take control of the device.

What's more important is that there may be problems in the communication protocol between the app and IoT devices, or between IoT devices and the cloud. Hackers can use traffic hijacking to hijack permissions. That is what we analyzed. In the second part, the research results of Tencent Blade Team, many cases are found based on this architecture.

In the first case, there was a smart socket in 2014, which could be turned on and off by a mobile app and also had a series of smart functions on a timer. But in the actual testing process, we found that there was a problem with the communication protocol; simply speaking, there was a problem with authentication. It transmitted directly over the network, and as long as I knew the device's link address, I could control it and obtain permissions at will. In fact, it was a transmission problem.

The second case is a 2015 study: an oven whose temperature and time could be controlled through a mobile app. We analyzed the oven and found two problems. One is that the key was written directly into the program and shipped in the app, and the transmission was in clear text; once you get the key you can decode the instructions and control it with your own instructions. There is also a logic problem: as long as the transmitted control temperature is passed through, the temperature limit can be bypassed to make the oven reach the temperature limit. Of course, we did not test it specifically, but if the oven is idling and the temperature is very high, it may cause the machine to explode, which is actually a case of smart equipment affecting personal safety.

Then POS, in 2015. At that time, online payment was not so advanced; mobile phones and POS machines were used to swipe cards. What is more interesting is that we analyzed a popular POS machine. If we capture the packet directly, we can unpack it and change the parameters. For example, if we transfer one yuan, we can change it to ten thousand yuan, and the account number can also be changed. As long as someone swipes a card on this POS machine, I can transfer all the money to my account. This is a case of real money.

There are also smart cameras. Now many cameras may store video to the cloud through WiFi, which is then watched and played back on some device. In fact, there are also problems in this process, such as hijacking in the middle, replacing the original video signal, or recording a video in advance. This picture shows the camera's view on the mobile phone, but in fact I hijacked it with a man-in-the-middle attack, so I directly replaced the video signal with the QQ doll. At that time we tested that most of the products on the market had this problem and reported it to the manufacturers for repair.

This is a drone (UAV) case. We analyzed a Chinese brand of UAV at that time and found that we could obtain the protocol and break it to achieve control. Our colleagues made a radio transmitter to bypass the protection of that brand of UAV. As long as the device is close to the UAV, the machine will no longer listen to the instructions of its owner. At that time we also made a demonstration; in fact, it was radio signal hijacking.

There is also the research on smart buildings by Tencent Blade Team just mentioned. Today's buildings are different from traditional buildings: the power, water, ventilation and lighting inside can be controlled through an app or a portal. This kind of smart building is easy to manage, very powerful, and can even be programmed by itself; for example, when a trigger condition is met, it can automatically perform certain actions. At the same time, it brings great problems. We did a security test on Tencent Binhai Building, Tencent's latest building. There are more than 40 kinds of IoT devices and many IoT nodes in Binhai Building, and our analysis found vulnerabilities in one brand of smart building framework used in this building. Later we analyzed several manufacturers. There are problems such as weak password encryption or even no encryption, an insecure rejoining mechanism, and the use of an old version of the protocol, which is easy to crack. Most of these problems have been reported to the manufacturers for repair.

To facilitate testing, we combined some open-source testing tools from the Internet. After comparison, the current tools are not particularly complete; once the follow-up product is stable, we will open-source it so you can test the security of IoT. At that time we tested a certain floor of Binhai Building, and the node happened to be on a higher floor. We wanted to really simulate a hacker testing it, so we used a drone and a signal transmitter to fly to the outside of the high-rise building. As long as the apartment was large enough and the floor could receive my signal, I could control it.

This is a screenshot of the test at that time. The red dot is the UAV. It flies up to the high-rise building, turns on the lights of the whole floor, sends another signal, turns off the lights, and then opens the curtains. The harm depends on the functions of the smart building: if the smart building can control sockets, I can attack the sockets; if it can control curtains, I can attack the curtains. At that time we tried turning the lights on and off and then blinking them at a certain frequency. We reported the problem to the manufacturer, and it has now been fixed. A smart system like this may have a great impact on our personal safety in the future.

This is attacking AI smart devices. Google has a machine learning framework called TensorFlow. When our team did research, we found that this framework was used by a large number of people, but few people studied its security. We did some research and found that it has security problems. A typical one is that hackers can construct malicious virtual files themselves and give them to the framework; as soon as the framework reads the files, it is hacked, and the hacker can control the whole system.

Some third-party libraries are also used, and there is an overflow when processing the protocol, resulting in the framework being controlled. At that time we made a demo and reported it to Google. At that time Google did not have a vulnerability reporting channel for it, so we helped them establish and improve this mechanism. In the future, if you find a vulnerability, you can send it to them. Now they have established a series of vulnerability reporting processes and mechanisms.

This is Amazon's smart speaker, which is commonly used. Many people put it in bedrooms, living rooms and other places. But have you ever thought that in such a private place it might become a listening bug, or lose control in the middle of the night and play a terrifying sound?

The Amazon speaker is the hottest speaker in the world. We took apart the firmware and took out the chip. Our team had not dismantled hardware before, especially extracting chips. For this reason we went to Huaqiangbei, the largest electronics market in China, and found a Master Fu to learn how to extract electronic components. Later we also mastered the technique.

After taking out the chip, we found that the third-party components have overflows and a series of vulnerabilities. By combining several vulnerabilities, we can successfully attack the Amazon speaker. With Amazon's speaker you can put several speakers at home: if you get one, first modify the firmware, get control permission, put the speaker into the local area network, and through the combination of the series of vulnerabilities mentioned above you can control all the other devices through the protocol. If you have control, you have permission, which means you can do whatever you want. What we demonstrated at that time was turning it into a bug. For example, the speaker wakes up only on specific words, but under our control it does not need to wake up; as long as there is content, it can all be transmitted to the cloud. You can also replace the content it plays, letting it play the national anthem or other things. This also proves the impact of smart devices on life and privacy. Later we also reported the bug to Amazon, and Amazon fixed it quickly. Now the bug has been fixed.

In the same way, we also tested Xiaomi products and found a series of problems, which were reported to the official channels and have now been fixed.

We have talked about the security problems of some IoT devices and their impact on our lives. Next we enter the third part, discussing how to make IoT products safer when designing them.

In fact, this also refers to Microsoft's SDL. There is a series of processes from product requirements to design, verification, coding, release and post-release response. In Tencent, important products are executed according to this process. The key technical points may differ, but the overall process is consistent. Let me share the core points of several stages.

As I mentioned just now, there are four problem areas in the whole smart-device architecture, listed here. One is the mobile app, which must not go wrong. In our analysis, we found that many problems lie in a lack of security awareness in the R&D stage, which may cause passwords and private keys to be written directly into the app and easily extracted by hackers. There are other problems, such as using plaintext transmission.

Second, transmission to the cloud is not encrypted, which makes it easy for hackers to attack. Or there is a problem with Bluetooth and WiFi, which are easily controlled by hackers.

The third is the hardware security of the smart device itself: is the firmware easy to extract for analysis?

Fourth, the security of the cloud: whether the server has vulnerabilities, whether it will be controlled by hackers, and whether the data storage is accurate.

There are a large number of cases in these four areas, including the cases mentioned above. If we do IoT security, we can do standard design from these four aspects.

There are specifications and process mechanisms, but there will be problems when they are implemented. Enterprise security, whether for IoT, earlier mobile apps or PCs, or even external systems, will encounter this problem. For example, the processes used are fine and the specifications are followed, but there will be problems in implementation. Another important thing is to do a security test before the device goes online.

On the right is our team's security system for mobile apps, which tests them before going online. It finds which access components are used. Generally speaking, it is a combination of automation and manual audit. There are also protocol audits, each with different tests.

The following is the automated testing process. First, submit the program and start the audit through the control center. Above is an audit report.

We have come across a lot of IoT devices and found that some manufacturers are short of security capabilities or R&D capabilities. If you ask them to establish processes, it is actually more complex. A better way is for a security vendor to provide an SDK to the manufacturer, with the SDK responsible for all security issues; for example, protocol encryption and algorithm strength are handled by calling the SDK directly. What I see is that both at home and abroad there are security vendors doing this. Next, our Blade Team will also study whether an SDK can alleviate this problem. We hope that when we share with you next year there will be an open-source SDK to help you.

I have mentioned the mechanism and process above; in addition, there should be an executable, practical vulnerability response process after going online. At the beginning we couldn't find an email address for Google vulnerability reports, because it didn't have this mechanism and there was no relevant person responsible for it. Later we helped them get the process through. If anyone finds vulnerabilities in the future, they can report them through the process.

In 2012, Tencent established the Tencent Security Emergency Response Center, which has a vulnerability reward plan for all Tencent client products, websites and even systems, and invites the whole world to find problems. This reward plan is also operated by our team. During operation, we found that, for example, Blade Team may do many targeted tests, but in fact a single team has limited views or ideas on security.

We found that after a vulnerability had been tested, there was still a problem when it went live. There might be a very clever idea that we didn't expect. So we launched the vulnerability reward program, hoping that security researchers around the world can study our problems and report them to us. On the one hand we can fix product problems, on the other hand we can find ideas to improve ourselves.

Tencent is an Internet company with a large number of website businesses, so there are many vulnerability reports. We can see that even if we have done the SDK process and a lot of tests, there are still some problems that will be exposed online. Why? The system's shortcoming I just mentioned is our understanding of security, or there are problems with some attack ideas. We feed back into the system through the reward plan and optimize the system through externally reported vulnerabilities every year. The vulnerability reward plan was implemented in 2012, and since then our system has been optimized and improved a lot.

Why do I end with the vulnerability reward program? I also hope to appeal to manufacturers to actively look for vulnerabilities. Some things cannot be covered by yourself. In fact, China is doing a better job now, and I hope it will be even better in the future. I hope capable manufacturers will try a vulnerability reward program.

Finally, a summary. The current era can be understood as the first year of IoT security. Many IoT devices are very popular now, and there will be explosive growth in the future. Compared with 2010 and 2011, when the growth of mobile devices brought serious security problems, I have a special feeling. At that time a lot of domestic and foreign manufacturers did a lot of research on Android. In fact, up to now Android still has a lot of security problems, which means that security must be ahead of the product. Now that we know IoT will explode, why don't we prepare in advance?

From the trend in recent years we can see that more and more devices are online, but more and more devices have problems, and they will be controlled by hackers and used for DoS. Recently, what is more interesting is that hackers used to use your devices to attack others with DDoS, but now they don't; they take them to mine cryptocurrency, which shows that the black market also keeps pace with the times. So future network security, which we think of as the security of the Internet of Things, is a broad field.

Future security may involve privacy and personal safety. As mentioned earlier, in the past it may just have been computers hacked, data lost or money lost. But in the future, just like the control of the speaker we demonstrated, it can be used as a bug in your bedroom. As a bug it can still perform the functions of a speaker, and the user has no perception. There are other teams, such as Keen Lab, whose security research on the Internet of Vehicles also shows that future hacker attacks may really affect people's life safety.

Some time ago, our team was also researching the image recognition used by some intelligent driving systems, and found that we can make some invisible changes to traffic signs through some simple methods, thus affecting the car. For example, the speed limit here is 80; I can change it to 30, or change it to a right turn. People cannot perceive it at all, but it is a problem for machines and equipment. So IoT security in the future will rise to a certain level, just like current network security, even to the national level.

Finally, a small advertisement. Welcome to the Tencent vulnerability reward program; this is the website. If you find that Tencent has some security problems, you can report them to us through these channels, and Tencent will respond and deal with them. Thank you!
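As an added illustration (not code from the speech or from Tencent Blade Team) of the missing authentication in the socket case, the app-embedded key and plaintext commands in the oven case, and the "app / transmission / device / cloud" design checklist above: a constructed device-side command handler that verifies an HMAC over each command with a per-device secret, rejects replays, and enforces the temperature range on the device itself rather than trusting the app. The device id, secret, limits and message format are all assumptions.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed placeholder: a per-device secret provisioned at manufacture and
# stored on the device and in the cloud, NOT embedded in the mobile app
# (the oven case shipped its key inside the app).
DEVICE_SECRET = b"constructed-per-device-secret-placeholder"

# Assumed physical limits, enforced by the device, not by the app's UI.
MIN_TEMP_C, MAX_TEMP_C = 0, 250


def _canonical(body):
    """Deterministic serialization so app and device MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(secret, device_id, cmd, nonce=None, ts=None):
    """App side: build a command whose MAC covers device id, nonce, timestamp and fields."""
    body = {
        "device_id": device_id,
        "nonce": (nonce or os.urandom(16)).hex(),
        "ts": ts if ts is not None else int(time.time()),
        "cmd": cmd,
    }
    body["mac"] = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return body


class OvenDevice:
    """Device side: authenticate, de-duplicate, then validate the parameters."""

    def __init__(self, device_id, secret, max_skew=60):
        self.device_id = device_id
        self.secret = secret
        self.max_skew = max_skew        # seconds of clock drift tolerated
        self.seen_nonces = set()        # replay protection within the skew window
        self.target_temp = None

    def handle(self, msg, now=None):
        now = now if now is not None else int(time.time())
        mac = msg.get("mac")
        if not isinstance(mac, str):
            return False, "unauthenticated"          # the 2014 socket: no auth at all
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.secret, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"                  # edited parameters, as in the POS case
        if unsigned.get("device_id") != self.device_id:
            return False, "wrong device"
        if abs(now - unsigned.get("ts", 0)) > self.max_skew or unsigned["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(unsigned["nonce"])
        cmd = unsigned.get("cmd", {})
        if cmd.get("op") == "set_temp":
            temp = cmd.get("temp_c")
            if isinstance(temp, bool) or not isinstance(temp, (int, float)):
                return False, "bad temperature type"
            if not MIN_TEMP_C <= temp <= MAX_TEMP_C:
                return False, "temperature out of range"  # the oven's logic bug, fixed on-device
            self.target_temp = temp
            return True, "ok"
        return False, "unknown op"
```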