本次大会由匠歆汽车和上海市普陀区科学技术委员会联合主办，汇聚了30多位行业资深专家和900多位产业人士，共同探讨汽车信息安全的最新趋势和挑战。为期两天的会议涵盖了出海合规、数据安全、软硬件信息安全等多个热点议题，为与会者提供了一个交流和学习的平台。

犬安科技在此次大会上的表现尤为突出，在The 4th ArtiAuto Award颁奖典礼上，其创新的技术和卓越的产品解决方案赢得了评委和行业同仁的一致认可，荣获四个奖项，包括

“2024年度优秀智能汽车信息安全实验室”

“2024年度智能汽车行业白帽黑客团队”

“2024年度优秀智能汽车信息安全领军人物”

“2024年度汽车信息安全先进研究员”

犬安科技作为国内领先的智能车联网安全方案供应商，公司秉承“从硅到云守护万物互联时代”的使命，专注于为汽车行业客户提供最佳的产品与服务。公司此次被评为行业标杆，不仅代表了行业专家和市场的高度认可，也是对犬安科技长期致力于汽车全生命周期网络安全研究与实践的肯定。公司将持续在技术创新上发力，结合丰富的汽车与网络安全经验，追求卓越，为客户带来更高标准的安全解决方案，保障汽车行业安全稳健前行，为万物互联时代的科技创新保驾护航。

再获行业多项认可——犬安科技在年度网联汽车安全行业大会大放异彩最先出现在GoGoByte。

On October 27, 2023, Beijing GoGoByte (Quanan Technology) Co., Ltd. (hereinafter referred to as “GoGoByte”) and United Automotive Electronics Co., Ltd. (hereinafter referred to as “United Automotive Electronics”) signed a strategic cooperation agreement in Shanghai. With the continuous advancement of vehicle intelligence and connectivity, automobiles have become digital terminals in the Internet of Everything, bringing increasingly severe cybersecurity challenges. Against this backdrop, both parties will cooperate in areas such as security management platforms, penetration testing technologies, and threat intelligence sharing, jointly developing solutions that form the cornerstone of intelligent vehicle cybersecurity.

United Automotive Electronics Deputy General Manager Guo Xiaolu and GoGoByte CEO Li Jun attended the signing ceremony. United Automotive Electronics Cross-Domain Control Division General Manager Wang Qinghua and GoGoByte CTO Liu Wenhao signed the agreement on behalf of both parties.

In the process of building cybersecurity capabilities for intelligent vehicles, United Automotive Electronics has always placed great emphasis on security management and R&D platforms to establish systematic capabilities in secure design, secure development, and secure operations. Through this strategic cooperation with GoGoByte, a rising force in the field of information security, both sides will jointly invest resources to develop a lifecycle-wide cybersecurity management platform. This platform will provide end-to-end protection for intelligent vehicles across design, production, operation, and decommissioning stages, enabling rapid and agile threat response capabilities. In addition, the two parties will deepen cooperation and jointly build capabilities in penetration testing technologies and threat intelligence sharing.

This strategic cooperation marks a joint exploration between United Automotive Electronics and its partners in the field of intelligent vehicle cybersecurity. Looking ahead, both parties will continue to deepen collaboration to build a layered defense system for emerging electronic and electrical architectures, working together to lay the foundation for intelligent vehicle cybersecurity.

About United Automotive Electronics:
United Automotive Electronics has been deeply engaged in the automotive electronics field for nearly 30 years, establishing extensive business partnerships with OEMs and providing them with technologically advanced and reliable automotive electronic solutions. The company has strong local R&D capabilities and rich project experience in advanced connectivity, powertrain, and new energy domains. Amid the transformation toward intelligent and connected vehicles, United Automotive Electronics is actively advancing its “Two Transformations and Two Innovations” strategy, committed to building a vehicle-cloud integrated system solution centered on vehicle computing platforms and domain controllers as core hardware, and the USP (UAES Software Platform) as the core software platform.

About GoGoByte :
Founded in 2020, Beijing GoGoByte (Quanan Technology) Co., Ltd. has developed a range of products based on extensive offensive and defensive security expertise, including the DefenseWeaver Threat Analysis and Risk Assessment (TARA) system, the ThreatGo security test management and scheduling platform, and the GoGoBark cybersecurity testing device. GoGoByte also hosts the GoGoHack security community, which has significant influence in the automotive cybersecurity industry and maintains strong collaborations with global security communities such as ASRG and DEFCON GROUP. The company has abundant resources in threat intelligence, security operations, and offensive/defensive capability building.

GoGoByte and United Automotive Electronics Form Strategic Partnership to Strengthen the Cybersecurity Foundation of Intelligent Vehicles最先出现在GoGoByte。

2022年11月，犬安科技收到ASRG-China社区的漏洞情报，鸿泉物联的T-Box存在严重漏洞，该T-Box在三一重工等企业的工程测量上被大量使用，结合三一重工自身服务端漏洞可能造成严重后果。犬安科技在第一时间联系了三一重工集团安全团队和鸿泉物联，提供了该漏洞的详细情报，并给出了相应的修复建议。同时，犬安科技向工信部车联网产品安全漏洞专业库 CAVD（China Automobile Vulnerability Database）通报了该漏洞情报，根据《CAVD 漏洞分类分级管理规则》评定，此漏洞危害等级为“超危”。

在经过ASRG、犬安科技、CAVD和相关厂商等多方力量的快速响应和处理后，该漏洞现已得到修复，且并未造成任何严重损失。ASRG已经赋予此漏洞编号CVE-2023-3028, CVSS Base Score 为 Critical 9.8 “超危”，与《CAVD 漏洞分类分级管理规则》评定一致。

漏洞描述：

鸿泉 HQT-401 TBox存在漏洞导致导致MQTT服务器的地址泄露，而采用鸿泉 HQT-401 TBox的三一重工车辆的服务器（MQTT后端）的身份验证不足致使攻击者可以访问甚至篡改整个车队的控制数据和状态数据，其中包含多个漏洞：

– MQTT 后端不需要身份验证，允许攻击者进行未经授权的连接。

– 车辆将其遥测数据（例如GPS位置，速度，里程表，燃料等）作为公共主题中的消息发布。后端还以 MQTT 在公共主题中发布的形式向车辆发送命令。因此，攻击者可以访问由后端管理的整个车队的这些敏感机密数据。

– 车辆或后端发送的 MQTT 消息未加密或身份验证。攻击者可以创建和发布消息以模拟车辆或后端。例如，攻击者可以向后端发送有关车辆位置的错误信息欺骗后台。

– 后端可以通过在公共主题上发送特定的 MQTT 消息将数据注入车辆的控制器局域网总线。由于这些消息未经身份验证或加密，攻击者可以冒充后端，创建虚假消息并向后端管理的任何车辆的控制器局域网（CAN）注入控制数据。

车辆的安全问题涉及整个汽车产业链企业，上下游任何企业的产品缺陷都将导致严重的安全隐患。作为助力汽车行业安全发展的重要一环，犬安科技始终致力于为汽车行业提供全生命周期的网络安全服务，近年来积极通过组建社区、开展协同项目、研发创新产品等方式，在实践中为企业安全问题排忧纾困，将“守护万物互联的科技创新，为汽车行业安全发展保驾护航”的使命职责落到实处。

该系列的漏洞由ASRG安全研究员Ramiro Pareja Veredas和Yashin Mehaboobe发现并提交报告。

更多漏洞信息请参考：

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3028

https://garage.asrg.io/cve-2023-3028-improper-backend-communications-allow-access-and-manipulation-of-the-telemetry-data/

https://nvd.nist.gov/vuln/detail/CVE-2023-3028

犬安联手ASRG-China社区协助修复三一重工等企业超危漏洞最先出现在GoGoByte。