Alright, I'm going to hand it over to your speakers; please give them a warm welcome.
Hello, and welcome to the talk, "All the 4G Modules Could Be Hacked". Here is our team; we are from the Baidu Security Lab. I'm Shupeng. I'm Huan Zheng.
Okay, first let's introduce the agenda of today's talk. First of all, we will introduce the fundamentals of the 4G module. Secondly, we will introduce the new attack surface of the 4G module. Thirdly, we will discuss what needs to be done in order to carry out a successful attack, for example, obtain the firmware, get a shell and so on. Fourth, we will talk about various ways to discover the vulnerabilities. And last, we will provide some better defense practices based on our experience.
Okay, this picture shows more than 50 various 4G modules and devices we have studied. At the top are some 4G routing devices and some that we call 5G devices. Yes, many vulnerabilities of the 4G module we mention today also exist on 5G. In the middle, there are some car T-Boxes and some portable Wi-Fi devices. Down at the bottom, there are all kinds of brands of 4G modules, about 30 kinds. Most of them are PCI interface and LCC packages.
So, what have we found? We have found several general vulnerabilities in different baseband chips, and risks in several V2X 5G modules, and RCE in more than 5 car T-Boxes, and vulnerabilities in all parts of the 4G modules. Because vulnerability repair is a long process, we will just show you the vulnerabilities which have been fixed in this slide.
Okay, why do we do this study? First of all, we found that not many people have done relevant research in this direction before. And no one is aware of the security problems and the wide impact of the 4G module. So we want to shed light on more directions of security research.
For example, cars now have networking functions. But it seems that no one has attacked the T-Box; sometimes it's called the TCU. There are also security issues with the baseband. Baseband security is really important. Researchers usually talk about the baseband security of Qualcomm and Samsung. In fact, there are many other baseband chips, such as Intel, Huawei, ZTE, MTK, Marvell, u-blox and so on. And compared with mobile phones, it's easier to analyze through the 4G module. We will also introduce some new and effective attack surfaces and methods. In short, the goal of this talk is not only to introduce some special vulnerabilities of the 4G module, but also to provide you with some new ideas and methods for a successful attack.
Okay, we can see the 4G module everywhere. IoT devices can connect to the Internet through 4G modules. For example, we can control a car remotely with the app. It seems the communication system of the car is online all the time. Maybe some process establishes and maintains a long-running TCP connection. There are other devices, such as 4G Wi-Fi, 4G routers, vending machines, our laptops and some industrial devices, even the slot machines in Las Vegas. They have many different interfaces. In fact, the internal structure is the same, as we will see later.
On the left is the circuit board of a self-service vending machine. We can see a module with a mini PCI interface plugged in, on the right. There is actually an ARM processor motherboard, running a Linux or Android system. On the right is the Tesla Model 3 4G module, which implements navigation, mobile remote control, system upgrade and other functions. The module is attached directly to the motherboard.
In this slide, on the left is an industrial 4G router. We can see this mini PCI interface module on the motherboard.
In fact, it's a common router with the slot to implement the function we saw in the last slide. The device on the right is a bit special. It's a portable Wi-Fi device, but it doesn't have a separate 4G module. It uses the ZTE ZX chipset. In fact, it's also a 4G module. The chip in the module is attached to the PCB board. It implements networking, driving Wi-Fi, running an HTTP service and other functions. There are many other devices designed in this way, such as some local 4G routers.
Let's look at the structure of the 4G module. In fact, the 4G module is a complete computer system. The ARM CPU and baseband system are integrated in the main control chip. They all use NAND flash, which has large storage space and low cost. And there are other chips, such as power management, radio frequency chips and so on. Let's look at the software. Most of the 4G modules are embedded Linux systems, and a few are RTOS systems.
Okay, this is a picture of the internal structure of the Qualcomm EC20 module with the top shield removed. The memory chip is NAND flash plus DRAM memory, which are integrated into one chip. By looking at the model, the flash is BGA162. If we want to read or modify the data inside, we need to buy the corresponding chip socket.
So how do the modules work and how should they be used? We can see that the upper left corner is the LCC module, or founder technology. We build a minimal system for it, including power supply, SIM card and USB interface. Yes, IoT devices communicate with the 4G module using the USB cable. First, we need to install the corresponding drivers in the operating system. When the module is plugged in, the operating system loads the corresponding driver according to the VID, PID and the interface number. Then the system generates a network card and gets the corresponding IP address. Then it accesses the internet.
The 4G module usually supports multiple connection modes, and each mode has different kernel modules or drivers. For example, the upper part of the slide shows the PPP and RmNet modes. When the dialing is successful, the device will get an IP address from the operator, just like the IoT device directly gets a public IP address. Here, the 10.0 network segment is also considered a public network address. Another way, for example in RNDIS or ECM mode, the 4G module usually has two network cards. One dials up to get the public address from the operator, and the other network card is connected to the IoT device, using the 2 network segments. It looks like the 4G module becomes a router and the IoT device accesses the internet through this router. The second part is the battery can or stands. Here I marked the RNDIS and ECM modes because these two modes don't require additional drivers, which is particularly convenient for us. So now, most of the 4G modules are using this mode. The T-Box in the car works this way. So you'll see the security of the 4G module has turned into the security of a Linux system that is put out on the network.
Let's introduce some new attack surface. As we said earlier, most 4G modules have an embedded Linux system. So why do they have an operating system? There are many reasons, such as supporting 2G, 3G and 4G, which requires computing resources. And, for example, automobile manufacturers often need to run their own programs in the T-Box to achieve remote control and other functions, which requires modules with secondary development.
Now let's analyze the attack surface of the 4G module. As we said just now, all the current 4G modules have a complete Linux operating system. At the same time, we found that most of the modules now use the RNDIS or ECM networking modes.
It means that the module will be assigned a separate IP address. This provides a chance for attack. The Linux operating system often has some listening ports, or connects to the cloud for OTA updates or remote management. Now it has a separate IP. We can directly access these ports, intercept its IP link, do some MITM attacks and so on. So now the attack is essentially an attack on a Linux host system, when the Linux host is exposed to the internet or intranet. By the way, it's the same when we can access the separate IP address in the same LAN, such as a Wi-Fi hotspot.
Let's talk about some more extended attack surface. The 4G module is a wireless cellular device connected to the operator's network, but some operators, due to configuration errors, don't have network isolation. So clients can access the IPs of other devices. And all the 4G modules support 2G GSM mode. Because of the security problems of GSM, we can use a fake base station to monitor and modify traffic. We can also obtain the IP link and access ports. And there are also many third-party services added to the module, such as the car control service.
Now let's summarize the attack ideas. First of all, we need to collect enough information to discover vulnerabilities; for that, we need to get a shell, firmware, network traffic and so on. There may be a lot of reverse engineering work here, mainly analyzing the processes of various listening ports. Then we need to consider how to run our attack code. We introduce the traditional method, mainly in the LAN, such as a Wi-Fi hotspot, to access the ports of the 4G module to attack.
And the new attack method: we can use the incorrect configuration of the operator network to transform local-network attacks into a very wide range of remote attacks, which can greatly increase the scope of the attacks. In addition, because of 4G spells, we have a way to fully control the IP link of a nearby 4G module. We can directly access the ports and run our attack code. With these attacking ideas, it seems very easy to attack the 4G module.
Let's first talk about using a fake base station to attack. Because clients can't identify whether the base station is real or not in a GSM network, we can build a fake base station system to attack and control traffic. Interestingly, this attack is effective for all 4G modules, and the problem will persist for a long time regardless of whether the operator shuts down the 2G base stations or not. It's not too difficult to build a fake base station, but previous people have not solved the problem of auto attachment. If it doesn't attach automatically, the client needs to select the fake base station manually. Inspired by pseudo base stations in China, we can improve the C2 parameter in the GSM broadcast channel, and the client will automatically connect to our fake base station. C2 is the cell reselection parameter; the larger the value, the more the client tends to connect to the base station. We can build our fake base station with a software-defined radio such as the bladeRF and the YateBTS system, but we need to change the value of C2. This parameter is not set in YateBTS, so let's hard-code it in the source code, set it to maximum and recompile it. Here we need to remind you that it's illegal to build a fake base station, although this attack is very effective. We can test it in a shielded box, as shown in the figure on the right.
In order to force the downgrade of the 4G module to 2G, you need to build an interferer with software radio equipment, such as sending some white noise interference in the current 3G and 4G bands. This is also illegal. You just need to know that this method is effective. Finally, the 4G module automatically attaches to our fake base station, like the whirlpool. The lower right figure shows that the C2 value is already very high, usually around the same time. So we can now fully control the IP link, monitor the IP data transmission, access the ports, run our exploits, and modify the data. The most commonly used approach is to access the ports, such as SSH and other services.
Let's talk about attacks through the operator's intranet. We have just used the IP link to access nearby devices, but is there a way to attack remotely? Most operators assign 10 or 172 network segment addresses to clients. But many of them don't have network isolation, such as China Unicom and China Telecom. At the same time, most 4G modules don't have a firewall enabled. This means that we can directly access the ports of other clients through a port scan. The picture on the right is the result of scanning open ports of ADB and Telnet services on the intranet of the operator. You can tell that many clients have those ports open.
More interestingly, we can launch wide-range attacks through private APN. Private APN is a type of technology where clients connect to their intranet server directly through the operator's tunnel line, just like a VPN connection. Client and server communicate with each other over 10 or 172 addresses. A special SIM card and APN access point are required. This kind of connection is widely adopted by most car companies and commonly seen among well-known IoT equipment, such as China's U-Ball vending machine.
And all clients in this intranet are equipment of the same type, made by the same company. So we can look for vulnerabilities in such a device, then launch a massive attack. As a result, we gain full control of all these devices. So, how can we get the configuration of the APN access point? For example, from firmware analysis and log analysis. And how do we connect to the target operator's APN network? We can detach the eSIM chip on the motherboard and attach it to our 4G module, and use the AT command to configure the correct APN access point. So now we can connect to the manufacturer's private APN network and start the port scan and the hack.
I just introduced some new attack surface. Let's implement the attack preparation work. To get ready for a successful attack, you need to complete at least one of the following: get the firmware, get the shell, or obtain network traffic. In general, getting the shell is the most essential. After getting the shell, it's easy to get the firmware and network data. But it's not always possible to get the shell. Let's take a closer look at how to achieve it.
First, I will introduce several methods for obtaining firmware. If these methods don't work, there is an ultimate method: NAND flash dump. We can get the firmware by downloading the firmware update program from the official website and unpacking it. This figure shows the firmware update program of a well-known 4G Wi-Fi device. We easily get the Linux system partition inside it by unpacking the executable file with binwalk. The firmware can also be obtained through the manufacturer's upgrade tools. Most manufacturers have provided the upgrade tools to developers. For example, Qualcomm modules have a 9008 recovery mode, which is entered by short-circuiting some solder points.
We can get the update tools from the vendor's tech support, which contain the initialization files for all partitions. We can see that the tool contains the initial image of all partitions. We need to focus on system.img. This file uses the UBIFS file system. We can use the ubi_reader tools to successfully extract the file format and get the final Linux file system. If we can't get the upgrade tools, we'll use the ultimate solution: NAND flash dump. NAND flash dump is more complex, to read and modify the NAND flash. The chip in the lower right corner is a common BGA63 chip. It's very small and needs a special NAND programmer to read and write. After dumping the chip, we can use binwalk to identify the file system.
Let's introduce how to get the shell. Why do we get the shell? If we can get the shell, it will be more convenient for us to view processes, files and networks, and debug vulnerable programs. It's very interesting that many 4G modules use a common password, oelinux123. And sometimes the password may not be required. In addition to serial ports, you can also use some remote management tools such as ADB, Telnet, SSH, and so on. These services can be found by port scanning. There are other methods, such as getting a shell from an AT command. After the module is connected, the USB interface will be virtualized as several serial ports, such as /dev/ttyUSB0. So, which AT command can be sent? According to the manual, we can send an AT command to open the ADB service. Or some modules could execute certain commands through sending an AT command. If none of this works, we still have the ultimate method: modify the NAND flash, add a telnetd process to the startup script and reattach the NAND flash.
Let's look at how to get network traffic. We can build a 4G base station system. Why a 4G base station? Because it's used for research.
Compared with the 2G base station, building a 4G one will be more stable, convenient, and fast. As you can see in the figure on the right, our client automatically connects to the 4G base station and gets the IP address. We can use Wireshark to monitor the traffic. We use the srsLTE 4G base station system in this method, which is much more convenient to install than OAI. Finally, we need to write a SIM card. We need to buy a writable SIM card and a reader. Note that these SIM cards are only used for security testing, not for other illegal things. We need to write the correct IMSI, Ki and OP to the SIM card to ensure that these parameters are the same as those in srsLTE. Finally, we start our 4G base station and it works perfectly. In fact, no matter whether it's a 2G base station or a 4G base station, it contains a large number of configuration items. Due to time limitations, in this talk we will only explain the most important ones to you.
Now let's have a recap. What information can we get from this preparation? Most likely, the shell will be captured. Then the firmware system and the network traffic will certainly be captured. These are essential for the following vulnerability mining.
Okay. Shupeng just talked a lot about the attack surface and preparation for attacking 4G modules. Now, let me show you the critical vulnerabilities we found in detail. Let's focus on system management service vulnerabilities first. Usually 4G modules run Linux systems. The Linux system probably starts many remote management services, such as SSH, Telnet and the web server. We can use fast scan tools like masscan, which can scan the port opening status in just a few minutes. For example, we find a 4G module with port 23 open, which means the Telnet service is started. In most cases, Telnet needs a password to log in.
We can extract the /etc/passwd file from the firmware and then crack it by using hashcat tools. And if you are rich, you can buy a lot of GPUs to speed up the crack. 4G modules generally are not using a one machine, one secret key or one secret password strategy. So if you successfully crack the password, it means that you have just cracked the password of all 4G modules of this manufacturer. Once we get the password, we can successfully log into the system remotely, and this device is ours.
In addition, we find that many well-known manufacturers of 4G modules have opened remote ADB services by default. We only list some of them in this table. In fact, some automobile manufacturers' cars also open remote ADB services by default. What's the consequence of this? We can simply use the ADB tool to connect to port 5555 of this module. And in most cases, without authentication, we can get the shell remotely, so we can hack it.
And there are many other types of system management service vulnerabilities, such as a weak password for web management services, and even SSH that does not require a password, found on some cars. And some manufacturers, in order to make repair of the 4G modules convenient, hide a backdoor in some external listening port. Maybe you can use the backdoor to open Telnet or do something dangerous. I will talk about an interesting case like this on the next page.
This bug was caused by a secondary development of the 4G module on a car T-Box. We reported this problem to the manufacturer six months ago, and the manufacturer has completely fixed it. Nowadays, some cars can unlock and start the engine remotely through a mobile phone app, which is what interests us.
We bought this car T-Box with this capability from an auto parts shop. The capability is that it can use a mobile phone app to open the door and start the engine. First, we dumped the firmware with a NAND programmer, and we found a process listening on port 24XXX. When we used IDA to scan the strings of this process, we found a telnetd-related string. Let's analyze it. As you see, we found a dangerous function. This function parses the data received from that port and builds a command to execute. As the picture shows, it can be used to open the telnetd service.
We analyzed the logic of the protocol of this port. Actually, it used a PKI system, RSA certification and AES encryption. But we found there are multiple vulnerabilities in this, such as the AES key being hard-coded in the binary, and we got the RSA private key from the file system. And the password of the private key, we can guess it. So we can use it to generate the public key. And we used those problems to bypass the TLS certification successfully. After reverse engineering, we wrote the exploit code like this. As expected, we finally started up the telnetd service on this T-Box through this port by using this exploit.
However, telnetd in this mode requires password verification. So here comes a new problem: what is the password? We used four of the most powerful NVIDIA 2080 Ti graphics cards to crack the password. A day later, we finally got the password. The password is very complex. It includes upper- and lower-case characters, numbers, and special characters. So now we have a root shell on this T-Box.
So how can we control the car through this root shell? First, let's learn how remote control of the vehicle is implemented. First, the red dotted line in this figure represents the 4G module.
It has a long connection with the cloud server. The 4G module is located in the T-Box, in the MPU of the T-Box. When the open-door instruction is issued from the mobile phone app, the 4G module receives the instruction. A process in the MPU communicates with the MCU through the serial port. Another process in the MCU receives the instruction, parses it and dispatches it to the CAN bus, and the door opens. I think this could be the easiest way to control the car. As we have got a shell on the MPU, we can write a program to record the data that the MPU writes to the MCU. So when we want to hack another car, the step is: we use the exploit we wrote before to start telnetd and get a shell, and execute a new program to replay the data we recorded before, so the door will open.
The most important question is how to run our attack code, or how to access that port. Do you remember the attack surface, the attack method that Shupeng just mentioned before? Through a fake base station, the operator intranet or a Wi-Fi hotspot, we can access that port by running the exploit without touching the car. If the car manufacturers use a private APN network without isolation, everything will become simple, or terrible. In the right picture, we entered the private APN network of this T-Box, so we can scan the port 24XXX, and we find there are many devices with this port open. So we could attack many devices at the same time. Maybe we can use this ranged attack method to build a zombie car team, just like the things in Fast & Furious 8.
Next, let's talk about the vulnerability in FOTA. FOTA is a way to upgrade firmware. We find that some 4G modules frequently check whether the current version is the latest. Some devices check for updates when the device starts up, and some every 40 minutes.
In this case, after reverse engineering, we found that it logs into an FTP server to check for a new firmware version. Because the FTP username and password are hardcoded, we can use the FTP password to log in to the FTP server successfully. And after logging in, we can download all versions of the firmware of all devices. So we probably get the old firmware version. But this is not the crazy thing. We find that this FTP account has write privilege. And another piece of good news: the 4G modules did not verify the firmware file on the FTP server. So we can use the write privilege to upload a new firmware with a backdoor to the FTP server. And there are many, many 4G modules of this manufacturer. They will download the new firmware automatically and upgrade to it. That means we can hack all 4G modules of this manufacturer in just one day. That's a nice day problem.
We have just talked about the problem on the FOTA server side. Let's look at the vulnerability on the FOTA client side. We find that some 4G modules listen on some port for FOTA. For example, in this case, we find this 4G module listened on port 45xxx, and it is used to receive the upgrade command. This port was originally used for inter-process communication, but it was incorrectly bound to the public address, bound to 0.0.0.0, not localhost. So we can send data to this port remotely. After cracking the data exchange protocol of this port, we reverse engineered the structure of the upgrade firmware file. As you can see, the structure of this firmware file is very complicated. It cost us a long time. But we finally got it. So now we can make a new firmware file with a backdoor and force the 4G module to upgrade to it. So, we hacked it again.
Almost every 4G module has its own AT command parsing process. And some manufacturers implement some custom capabilities. For example, only the factory engineers know some hidden AT commands. If you can find them out, maybe you can open the ADB device through the hidden instructions, or open ADB or something. We mentioned it before. In another case, AT command injection vulnerabilities also exist. For example, the picture on the left is an instruction for adding root in the development document. We deeply analyzed the system command called here. We found there is a command injection vulnerability. In the image on the right, we append an ls string to the AT command, and the returned content shows the ls command executed successfully. That proves there is a command injection vulnerability in AT command parsing.
In general, the AT command can only be executed on the USB serial port. But some 4G modules support the use of SMS to execute AT commands. It's usually used for remote control. If we can find an AT command injection vulnerability in this scenario, we can exploit the bug remotely by sending an attack message to it. In fact, we did find some problems in some 4G modules like this. This is a 4G module that supports using SMS to execute AT commands. In this case, we find it requires a password in the content for verification. If the password is right, it will execute the AT command in the SMS. But the way it does the verification is too weak. Still the old problem: the password is hardcoded in the binary. And on every device, the password is the same. And we can get it from the firmware once we get one device. This is that 4G module that supports using SMS AT commands to control it.
Actually, we find a command injection vulnerability in parsing the SMS AT command. The command name is set f c s n. And finally, we can get a reverse shell by simply sending a text message to it. We hacked it again, remotely.
There are many other successful cases of attack. Because of this talk's limit of 50 minutes, I cannot talk about them in detail one by one. Let me talk about some other interesting cases quickly. For instance, we can use a jammer to attack the 4G module, and then, using man-in-the-middle, combined with some browser vulnerabilities, such as 0-day or N-day, intrude into the IVI of a car. And the debug process on the 4G module is also an attack surface. DDoS it to death; that may cause the car to lose connection with the cloud server for a long time. And IPv6: even if the 4G module has enabled the iptables firewall, sometimes we can still access that port. Why? Because ip6tables is not enabled. We can simply bypass the firewall by using the IPv6 address. And almost every 4G Wi-Fi uses an 8-digit password. An 8-digit password means the password is only numbers. Eight numbers is a weak password. We can use a DDoS attack to get the handshake packet, and then crack the password with many graphics cards, like the NVIDIA 2080 Ti, in a few minutes or a few seconds. After cracking the password, we are in the same intranet as the 4G module. We can launch further attacks: we can attack the system management of the 4G module, or we can attack all devices connected to the 4G module.
In the next chapter, let's talk about suggestions for defending against those attacks. We have talked about a lot of attack methods and vulnerabilities in detail before. And it seems that there are many problems. So what should we do? We can avoid those problems.
After communicating with many 4G module manufacturers, hardware manufacturers, and car manufacturers, we find that they did not realize there is a complete operating system in 4G modules. Sometimes there could be many operating systems on a motherboard. For example, there could be three operating systems on a T-Box motherboard. If one of the systems has a problem, they may affect each other. So first of all, we must identify those systems and their IPs. And next, we should check the listening ports, especially those ports that can be accessed remotely. We have found many high-risk vulnerabilities in most of the listening port processes. If not absolutely necessary, we should not listen on a port. And be aware of network access over the 4G interface. Many people think that the 4G channel is secure. But actually a hacker can play man-in-the-middle easily through a fake base station. And another problem is that we find that 95% of iptables rules in the 4G modules are empty. It's dangerous. So we think the simplest way to defend against these attacks is to let the developers learn how to use iptables well.
Here, thanks to our team's members; you know this is our teamwork. We have four analysts over 50, yes, 5-0, devices. This is our talk about security research of 4G modules. I hope that our work can give you some inspiration. If you have any questions, you can email us. Thank you for listening.
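
The defensive checks recommended at the end of the talk (review every listening port, and make sure both iptables and ip6tables actually carry rules) can be automated on data collected from a module. The following is an added example, not part of the talk or the speakers' tooling; the function names and all sample inputs are constructed for illustration, and it assumes a little-endian SoC and text captured from `/proc/net/tcp`, `/proc/net/tcp6`, `iptables-save` and `ip6tables-save`.

```python
import ipaddress
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp and tcp6


def decode_addr(hex_addr):
    """Decode the hex address field of /proc/net/tcp{,6}.

    The kernel prints each 32-bit word in host byte order; little-endian
    is assumed here (typical for ARM module SoCs).
    """
    words = [int(hex_addr[i:i + 8], 16) for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    return ipaddress.ip_address(raw)  # 4 bytes -> IPv4, 16 bytes -> IPv6


def parse_listeners(proc_text):
    """Return [(address, port)] for every socket in LISTEN state."""
    listeners = []
    for line in proc_text.splitlines():
        fields = line.split()
        # Data rows start with "<n>:"; this also skips the header row.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append((decode_addr(addr_hex), int(port_hex, 16)))
    return listeners


def input_chain_state(save_text):
    """Return (policy, rule_count) of the filter/INPUT chain.

    Empty input (table never loaded) is treated as policy ACCEPT with no
    rules, which is the kernel default.
    """
    policy, rules, in_filter = "ACCEPT", 0, False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules += 1
    return policy, rules


def audit(tcp4, tcp6, v4_save, v6_save):
    """Flag non-loopback listeners whose address family has an empty,
    default-ACCEPT INPUT chain. A non-empty chain is not proof the port
    is filtered; this only catches the "rules are empty" case."""
    findings = []
    for family, proc_text, save in (("ipv4", tcp4, v4_save),
                                    ("ipv6", tcp6, v6_save)):
        policy, rules = input_chain_state(save)
        unfiltered = policy == "ACCEPT" and rules == 0
        for addr, port in parse_listeners(proc_text):
            if unfiltered and not addr.is_loopback:
                findings.append((family, str(addr), port))
    return findings


# --- Constructed sample data (not captured from any real device) ---
HDR = "  sl  local_address rem_address   st tx_queue rx_queue\n"
TCP4 = HDR + (
    "   0: 00000000:0017 00000000:0000 0A 00000000:00000000\n"   # 0.0.0.0:23
    "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000\n"   # 127.0.0.1:8080
    "   2: 0A00000A:0017 0B00000A:C350 01 00000000:00000000\n")  # established
ZERO6 = "0" * 32
TCP6 = HDR + (
    f"   0: {ZERO6}:15B3 {ZERO6}:0000 0A 00000000:00000000\n"    # [::]:5555
    f"   1: {'0' * 24}01000000:1F90 {ZERO6}:0000 0A 00000000:00000000\n")  # [::1]:8080
V4_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
EMPTY_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    for finding in audit(TCP4, TCP6, V4_RULES, EMPTY_RULES):
        print("unfiltered listener:", finding)
```

With the constructed data, the IPv4 side is covered by a DROP policy while the wildcard IPv6 listener on port 5555 is reported, which is the ip6tables gap described in the talk.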