Aggregator

You must login to view this content

Session 8A: Email Security

Authors, Creators & Presenters: Ka Fun Tang (The Chinese University of Hong Kong), Che Wei Tu (The Chinese University of Hong Kong), Sui Ling Angela Mak (The Chinese University of Hong Kong), Sze Yiu Chau (The Chinese University of Hong Kong)

PAPER
A Multifaceted Study on the Use of TLS and Auto-detect in Email Ecosystems

Various email protocols, including IMAP, POP3, and SMTP, were originally designed as "plaintext" protocols without inbuilt confidentiality and integrity guarantees. To protect the communication traffic, TLS can either be used implicitly before the start of those email protocols, or introduced as an opportunistic upgrade in a post-hoc fashion. In order to improve user experience, many email clients nowadays provide a so-called "auto-detect" feature to automatically determine a functional set of configuration parameters for the users. In this paper, we present a multifaceted study on the security of the use of TLS and auto-detect in email clients. First, to evaluate the design and implementation of client-side TLS and auto-detect, we tested 49 email clients and uncovered various flaws that can lead to covert security downgrade and exposure of user credentials to attackers. Second, to understand whether current deployment practices adequately avoid the security traps introduced by opportunistic TLS and auto-detect, we collected and analyzed 1102 email setup guides from academic institutes across the world, and observed problems that can drive users to adopt insecure email settings. Finally, with the server addresses obtained from the setup guides, we evaluate the sever-side support for implicit and opportunistic TLS, as well as the characteristics of their certificates. Our results suggest that many users suffer from an inadvertent loss of security due to careless handling of TLS and auto-detect, and organizations in general are better off prescribing concrete and detailed manual configuration to their users.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – A Multifaceted Study On The Use of TLS And Auto-detect In Email Ecosystems appeared first on Security Boulevard.

For the upcoming Pwn2Own Automotive contest, a total of 3 head units have been selected. One of these is the double DIN Kenwood DNR1007XR that offers a variety of functionality such as Android Auto, Apple CarPlay, USB media playback, wireless mirroring and more.

This blog post presents photos of the DNR1007XR including highlighting interesting internal components. A hidden debugging interface is also detailed which can be leveraged to obtain a shell.

Figure 1: Kenwood DNR1007XR

External

Tucked away behind the screen is a full-sized SD card slot that can be accessed by tilting the screen downwards. The SD card is used to play audio/video files as well as updating map data. This seems like an attack surface worth researching.

Figure 2: SD card slot

There's also a single USB port routed from the back of the unit that is used for:

·      Wired Android Auto
·      Wired Apple CarPlay
·      Audio playback
·      Video playback

Internal

Moving on to the internals, the DNR1007XR comprises multiple interconnected boards, with the most interesting board being located at the top of the unit. Removing a few screws and metal plates gives access to this board, which contains the main processor, eMMC, flash, and a Bluetooth / WiFi radio module.

Figure 3: Main board

Towards the center is the main Dolphin+ TCC8034 System on a Chip (SoC), which is marketed as an “IVI and Cluster solution” that supports running Android, Linux, and QNX. The SoC contains two 32-bit ARM cores and is running Linux. Last year's Kenwood target utilized a similar TCC8974 SoC; more information can be found here.

Figure 4: Dolphin+ TCC8034 SoC

Further to the right is a Kioxia THGBMJG7C2LBAU8 16GB eMMC chip which contains the main device firmware.

Figure 5: Kioxia eMMC

Below the eMMC chip and to the left is a Winbond 25Q256JVFM 256Mb serial flash chip that contains unknown data.

Figure 6: Winbond flash

Finally, to the left of the SoC is a Murata radio that handles Wi-Fi and Bluetooth operations. Searching around for the exact model number that's etched onto the radio's shielding doesn't return much information but the FCC documents for the DNR1007XR state that this is the Murata LBEE6ZZ1WD-334. This module has no public datasheet available and isn't listed on Murata's site.

Figure 7: Murata radio

Debug Connector

On the right edge of the main board is a suspicious-looking connector that lines up with a thin gap in the outer housing. This connector exposes a Linux login prompt over UART at 115200bps. Logging in with the correct credentials will spawn a shell.

Figure 8: Debug connector

Summary

Hopefully, this blog post provides enough information to kickstart vulnerability research against the DNR1007XR. Keep an eye out for another blog coming this Friday that covers the threat landscape of the DNR1007XR.

We are looking forward to Automotive Pwn2Own again in January 2026, and we will see if IVI vendors have improved their product security. We hope to see you there.

Until then, you can find me on Twitter @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.

You must login to view this content