Stephan Huang                              Embedded Penetration Testing Lead

Warren, MI                                                                                                                 E-mail: resume@stephnet.us                                                                                    

Summary of Qualifications

In-depth knowledge of in-vehicle security architecture, network and communication

In-depth knowledge of layered vehicle security architecture and limitations

● Experienced in diagnostic protocols across vehicle and computer networks

● Experienced with embedded processors used in Automotive and IOT Devices

 

Professional Experience

General Motors                                                                                                                           (2015-Present)

Lead Embedded Security Engineer

                Vehicle Cybersecurity – Penetration Testing

Challenge suppliers to improve effectiveness in Vehicle Cybersecurity

● Created methodology, mentored and trained internal penetration testing team on various embedded security topics

● Conducted successful penetration testing engagements on multiple ECUs including telematics, Body Controls and Gateways

● Experienced in assessing external interface security, including Wifi, Bluetooth LE, USB

● Experienced in CAN topics - SecurityAccess, Secure Programming, Secure Boot, Gateways

● Experienced in analyzing entry points, developing custom fuzzers and MITM techniques

● Familiar with firmware analysis, disassemblers and debuggers on various architectures (PowerPC, MPC5xx VLE, MIPS, x86, RTOS)

 

General Motors                                                                                                                           (2013-2015)

Senior Embedded Security Engineer

                Vehicle Cybersecurity - Diagnostics

Leading change in vehicle network security

● Architected and led implementation of Diagnostic SecurityAccess strategy using session keys, privilege separation and end to end authentication.

● Architected and implemented ISO14229-1 UDS Service 0x84 to provide a standard solution for Diagnostics encryption and authentication - created concept and worked with AUTOSAR WPs to standardize solution.

● Well-versed with the use of security peripherals as well as the AUTOSAR DCM, CSM, CAL and CRY security interfaces.

● In-depth understanding of ECU Diagnostics security strategy from Supplier key provisioning to end of life services including dealership and over the air services.

● In-depth understanding of Diagnostics tools used by Service, Manufacturing, Validation and Engineering - responsible for ensuring secure, continued access is provided to authorized tools.

● Reviewed and mitigated security concerns in ECU Specific Diagnostics for current ECUs.

● Expert in improving security posture in ECUs with limited processing capabilities.

Interfaced with Service, Manufacturing and Engineering to implement strategy for next generation vehicle architectures.

Improved the designs of multiple security mechanisms to enhance vehicle security including Intrusion Detection, Gateway and end ECU security.

● Knowledgeable in IT Key provisioning and key management strategies.

● Patent inventor for 3 patents relating to the use of Session Keys and securing the reading of memory addresses to improve automotive security.

 

Cummins inc (lhp software)                                                                                                  (2011-2013)

Software consultant

                Electronic tools, common components comm, core engineering

optimization, development and support of corporate tool

● Proposed, architected and Implemented XCP interface allowing industry standard tools

   (Vector/NI Veristand) to communicate with Cummins proprietary protocols over J1939

Implemented ASAM3 TCP interface allowing tool (CUTY) to communicate with the J1939 CAN

   bus over Cummins CPP/CLIP as well as XCP over CAN/ethernet protocols

Optimized corporate data acquisition tool to fix throughput issues on embedded dataloggers

● Proposed and implemented wireshark dissector for both XCP and the Cummins ASAM3 protocol.

● Created automated regression test suite / process to ensure robustness of corporate tool

● Provided support / consultation on integration with upper level toolsets used in test cells.


Delphi electronics, Active safety systems                (2009-2011)

Lead software engineer

adaptive cruise control & collision imminent braking systems

responsible for delphi’s active scanning radar for gm Saab & Opel Insignia & Zafira

Direct interface with customer, systems and project managers spanning multiple countries to

   address customer concerns and ensure timely delivery.

● Manage global software team using software change requirements and configuration

management tools

● Experienced in developing in a time and safety critical embedded environment.

● Experienced in coding for a multi-core gateway spanning multiple CAN & SPI comm buses.

● Experienced with fixed point math micros like the NEC V850 Fx3 family.

● Proposed/implemented strategies include primary & secondary bootloader strategies, worst case

   jitter analysis, ramshadow checksum, Full/BasicCAN buffer allocation

Well versed with GMLAN diagnostic requirements GMW3110, 14241 and 15765

 

Delphi electronics, Software forward engineering                                          (2008-2009)

software engineer

Saint2 (System analysis interface tool)

Develop in-house capability on vehicle bus monitors and simulators

● Experienced in creating gateways across different vehicle/computer networks.

● Optimized USB driver code and worked with firmware team to increase throughput substantially

● Invented and implemented method of connecting third party vehicle networks software

   to existing Saint2 hardware using DLL.

 

Serial Communications Center Of Expertise

Troubleshoot vehicle network problems and perform/develop automated tests

● Extensive knowledge in vehicular networks including CAN, LIN and Flexray.

● Extensive knowledge in vehicular network management over various OSI layers.  

● Expert in troubleshooting / isolating issues involving vehicle networks / network management.

● Proficient in vehicle simulation tools such as Vector Canoe, CANDiva, CANape, CANDela etc

● Experienced with various embedded debuggers including JTAG, Tricore Pathfinder, miniCube

● Developed several programs that run extensive automated testing on various embedded ECUs.

 

Autosar (Automotive open systems architecture)

Gain expertise in autosar

● Experienced in the vehicle network communications stack.

● Configured and integrated full AUTOSAR stack onto NECV850 embedded hardware.

● Hardware enabled Delphi to demonstrate its AUTOSAR capabilities easily.

  Created and implemented interface for code configuration software (Eclipse plugin) to

    communicate with Vast’s virtual embedded systems (C++) using JNI / DLL

● Emulated NECV850 board in software using Java Swing GUI.

● Allowed users to visualize effects of configuration changes in real time.

 

Alliance group technologies, Software Engineer,                                                                              (2007-2008)

Worked with customer (Delphi) to create user defined scripting features by building a parser and

    interpreter for an automatic code review software based on customer requirements.

Personally responsible for entire language creation, design, implementation, documentation & testing.

Exceeded expectations and delivered product in three months.

 

 Alliance group technologies, Software tester                                                   (2005-2006)

IT&V (Independent tests and verification group)

● Successfully implemented C/C++ test scripts for the Ford SDARS satellite radio for three model years.

● Ensured that every test round deadline was met and all errors reported.

 


 

Patents

● US Patent 9460567 Establishing Secure Communication for Vehicle Diagnostics Data (Oct 2016)

● US Patent 9477843 Inhibiting Access to Sensitive Vehicle Diagnostic Data (Oct 2016)

● US Patent Pending P027766-OST-ALS Securely providing diagnostic data from vehicle to server (2014)

 

Technical Training

● Led and provided instruction for Batelle CyberAuto hands-on participants (Batelle CyberAuto 2016)

● Offensive Security Certified Professional Certification (OSCP) 2016

Exploiting Real Time Operating Systems - Tactical Network Solutions 2016

The Shellcode Lab - Blackhat 2016

Application Security: For Hackers and Developers – Derbycon 2016

Embedded Device Exploitation – Tactical Network Solutions 2015

Android Hacking Basics – DerbyCon 2015

 

 

Technical Expertise

Network protocols (Vehicle)             CAN, LIN, UDS, GMLAN, CCP/XCP, CLIP, J2534

Embedded programming                          FTDI , NECV850, TriCore, Android

Network protocols (PC)                         TCP/IP, UDP, SMTP, HTTP, USB, RS-232

Interfaces                                              Wifi, BLE, JTAG, UART, Serial, Android ADB

Firmware Analysis                              Binwalk, IDA, GDB, QConn

Programming  languages                       C/C++, Java, Python, Android

Vector toolset                               CANoe, CanDiva, CanDela, CANStress, CANape, CanGen, CANalyzer

                                                                SocketCAN

 

 

Education

B.S Computer Science                                                                                                              

computer networks and security

Purdue University, West Lafayette, Indiana