Jonghyuk Song

Security Researcher
Director of Vehicle Threat Research Laboratory at AUTOCRYPT

Email: jhsong@autocrypt.io, jonghyk.song@gmail.com
Blog: https://www.linkedin.com/in/jonghyuksong/

Experience

Mar. 2021 ~ present: Director of Vehicle Threat Research Laboratory, AUTOCRYPT
Sep. 2015 ~ Feb. 2021: Security team, SAMSUNG Research

Education

Sep. 2008 ~ Aug. 2015: Ph.D. in Computer Science & Engineering, POSTECH, Korea
Mar. 2004 ~ Aug. 2008: B.S. in Computer Science & Engineering, POSTECH, Korea

Prof. Jong Kim

Publications

[Google scholar]

Conference

CrowdTarget: Target-based Detection of Crowdturfing in Online Social Networks
Jonghyuk Song, Sangho Lee, and Jong Kim
Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (ACM CCS 2015), Denver, CO, USA, October 12-16, 2015. (128/646=19.8%)

Detection of Heap-Spraying Attacks Using String Trace Graph
Jaehyeok Song, Jonghyuk Song, Jong Kim
The 15th International Workshop on Information Security Applications 15th International Workshop (WISA 2014), Jeju Island, Korea, August 25-27, 2014.

I Know the Shortened URLs You Clicked on Twitter: Inference Attack using Public Click Analytics and Twitter Metadata
Jonghyuk Song, Sangho Lee, and Jong Kim
22nd International World Wide Web Conference (WWW 2013), Rio de Janeiro, Brazil, May 13-17, 2013 (125/831=15.0%)

Spam Filtering in Twitter using Sender-Receiver Relationship
Jonghyuk Song, Sangho Lee, and Jong Kim
14th International Symposium on Recent Advances in Intrusion Detection (RAID 2011), Menlo Park, California, USA September 20-21, 2011. (20/87=23.0%)

Journal

Inference Attack on Browsing History of Twitter Users using Public Click Analytics and Twitter Metadata
Jonghyuk Song, Sangho Lee, and Jong Kim
IEEE Transactions on Dependable and Secure Computing (TDSC), 2014 (SCIE)

Talks

UDSonCAN Attacks: Discovering Safety-Critical Risks by Fuzzing [link]
Seunghee Han, Soohwan Oh, Jonghyuk Song
DEFCON32, Car Hacking Village, LasVegas, Aug. 9-11, 2024

Automotive USB Fuzzing: How to Fuzzing USB in Vehicles to Discover the Real-World Vulnerabilities [link]
Euntae Jang, Donghyeon Jeong, Jonghyuk Song
DEFCON31, Car Hacking Village, LasVegas, Aug. 10-13, 2023

Automotive Ethernet Fuzzing: From purchasing ECU to SOME/IP fuzzing [link]
Jonghyuk Song, Soohwan Oh, Woongjo Choi
DEFCON30, LasVegas, Aug. 11-13, 2022

SMART BLACK BOX FUZZING OF UDS CAN [link]
Soohwan Oh, Jonghyuk Song, Jeongho Yang
DEFCON30, Car Hacking Village, LasVegas, Aug. 11-13, 2022

STEVE: Security Testing Framework for EV Charging Environments
Jonghyuk Song, Jaejo Lee, Hyunwoong Kim, Jaeson Yoo, Kiho Joo
International Electric Vehicle Symposium & Exhibition (EVS35), Oslo, June 13-15, 2022

자동차 보안성 검증기술 소개(Introduction to Verification for Autumotive Security)
Jonghyuk Song
IoTcube Conference 2021, Seoul, Aug 18-19, 2021

Breaking Pseudo-Random Number Generator in Ethereum Smart Contracts
Jonghyuk Song
Codegate 2019, Seoul, March 27, 2019

Breaking Pseudo-Random Number Generator in Ethereum Smart Contracts [link]
Jonghyuk Song
Codeblue 2018, Tokyo, November 1-2, 2018

이더리움 스마트 컨트랙트에서 발생하는 취약점 소개 (Introduction to Ethereum smart contract vulnerabilities)
Jonghyuk Song
KimchiCon2018, Seoul, September 14-15, 2018

Honors & Awards

The 4th place at DEFCON 31, Car Hacking Village CTF, Las Vegas, USA, Aug, 2023 (AUTOCRYPT)

The 5th place at DEFCON 30, Car Hacking Village CTF, Las Vegas, USA, Aug, 2022 (AUTOCRYPT)

1st place at Cyber Security Challenge Competition - Car Hacking, Ministry of Science and ICT, South Korea · Nov 2021 (AUTOCRYPT)

The 11th place at DEFCON 25 CTF, Las Vegas, USA, Aug, 2017 (hacking4danbi)

The 8th place at DEFCON 19 CTF, Las Vegas, USA, Aug, 2011 (PLUS)

Silver prize at KISA (Korea Information Security Agency) Hacking Defense Contest, Jul, 2011 [link]

The 3rd place at DEFCON 17 CTF, Las Vegas, USA, Aug, 2009 (PLUS)

The 2nd place at Wowhacker Corea Hacking Challenge, 2007

Winner of POSTECH-KAIST Hacking Contest, Science War, 2007

The 1st place at Wowhacker Corea Hacking Challenge, 2006

Special prize at KISA (Korea Information Security Agency) Hacking Defense Contest, 2006

Winner of POSTECH-KAIST Hacking Contest, Science War, 2006

The 9th place at HUST (Hongik University Security Team) Hacking Festival, 2006

Winner of POSTECH-KAIST Hacking Contest, Science War, 2005

Reported Vulnerabilities

CVE-2018-14715: Vulnerability of Cryptogs smart contract (Ethereum game)

CVE-2018-13877: Vulnerability of MegaCryptoPolis smart contract (Ethereum game)

CVE-2018-12975: Vulnerability of Cryptosaga smart contract (Ethereum game)

CVE-2018-12885: Vulnerability of MyCryptoChamp smart contract (Ethereum game)

CVE-2018-12454: Vulnerability of 1000 Guess smart contract (Ethereum game)

CVE-2018-12056: Vulnerability of All For One smart contract (Ethereum game)

CVE-2018-11411: Vulnerability of DimonCoin(FUD) smart contract (Ethereum ERC20 token)

CVE-2018-10944: Vulnerability of ROC(aka Rasputin Online Coin) smart contract (Ethereum ERC20 token)

CVE-2018-10666: Vulnerability of IDEX Membership(IDXM) smart contract (Ethereum ERC20 token)

CVE-2018-10468: Vulnerability of UselessEthereumToken(UET) smart contract (Ethereum ERC20 token)

16-664(KISA): Wifi-Router, Remote command execution in a daemon

16-639(KISA): Wifi-Router, Remote command execution in a daemon

16-514(KISA): Wifi-Router, Command execution in a web server daemon

16-513(KISA): Wifi-Router, Command injection in a WPS configuration page

16-510(KISA): Wifi-Router, Command injection in a firmware update page

16-498(KISA): Wifi-Router, Command execution using a hidden web shell

*KISA = Korea Internet Security Agency
I'm in the Hall of Fame 2017, KISA S/W vulnerability reporters [link]

Media Coverage

Inside the world of the people keeping “smart” transportation safe [link]

POSTECH Times Interview, April. 11, 2012 [link]

Dailysecu news Interview for DEFCON CTF 2011, Aug, 18, 2011 (team PLUS) [link]

Boannews Interview for DEFCON CTF 2009, Aug. 11, 2009 (team PLUS) [link]

Ahnlab Interview for PLUS, Jan. 2007 [link]

PCLove Interview for POSTECH-KAIST hacking war, Nov. 2005 [link1] [link2]