Automotive Security Testing Basics: What You Need to Know

Protecting vehicles extends beyond safeguarding valuable assets; it is about securing lives and sensitive data in an age where automobiles have evolved into intricate networks of interconnected microcomputers. These machines not only facilitate internal connections but also communicate externally, forming a vast web of interconnectivity. However, rapid technological progression has outpaced cybersecurity measures in the automotive industry, an industry which, for too long, has taken cybersecurity for granted.

The watershed moment came in 2015 after the infamous Jeep hack. Manufacturers were compelled to act and take cybersecurity far more seriously; it could no longer be an afterthought. Governments and international bodies then joined the fray, establishing regulations that manufacturers must comply with to ensure safer vehicles. The rising tide of cyber threats remains a concern.

Yet, despite these efforts, automotive security remains a relentless cat-and-mouse game. As hacking methods evolve, so must the defense mechanisms. This article advocates for continual automotive cybersecurity testing and underscores the need for more proactive methods to avoid not only financial losses but also damage to the company’s reputation and inconvenience, or even harm, to its customers.

Automotive Cybersecurity Fundamentals

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

– Sun Tzu

From the perspective of an Original Equipment Manufacturer (OEM), understanding automotive cybersecurity means being aware not only of the threats posed by an attacker but also having an acute awareness of the available attack surface on the vehicle or device. What is this ‘attack surface’? The attack surface is the set of interfacing entry points that an attacker can attempt to exploit. These attackable entry points enable us to draw possible attack scenarios and attack paths that may lead to the theft or the remote compromise of the vehicle.

Modern automobiles are not only composed of many microcomputers but also comprise services that users interact with, such as Bluetooth and Wi-Fi, and mobile applications that connect with the car. Let us not forget key fobs. Every automotive cybersecurity assessment must first identify the threats to the vehicle and its users. We ask ourselves, ‘What would an attacker want to do with this vehicle?’ These threats could include:

  • Remote takeover
  • Shutting down the vehicle
  • Espionage, such as through interior microphones or cameras
  • Unlocking the vehicle to gain entry
  • Vehicle theft
  • Vehicle tracking
  • Disruption and bypass of safety systems
  • Installation of malware, such as ransomware, on the vehicle
  • Supply chain disruption
  • Sending unauthorized CAN messages

Once the threats are identified, we then look at the vehicle and identify the attack surface, or entry points, from which an attacker can conduct attacks. We can look at this issue as having two layers. The first layer is a simple identification of the entry points. These attack vectors include such entry points as Bluetooth, Wi-Fi, the OBD connector, the infotainment unit, mobile applications, and key fobs for keyless entry and starting. The second layer then takes each entry point, studies it in more detail to know how it works, and then identifies the weaknesses that could be exploitable. Models can then be created for each of the attackable endpoints that lay out potential tactics for attacks against them.

Once all of the models have been created, we can then diagram the overall attack model, covering all of the entry points and connecting those points to identify potential attack paths associated with each potential threat. We then thoroughly examine and test the entry points in each chain for any vulnerabilities that could lead to compromise.

Comprehensive automotive cybersecurity testing requires a carefully planned threat model that consists of all possible attack scenarios derived from the known threats and the attack surface presented by every vehicle. Otherwise, any careless omission from the model may become the attack vector for a successful hack or theft of the vehicle.
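The two-layer model described above (entry points first, then the components each one reaches, joined into attack paths per threat) can be kept as a small graph and queried mechanically. The following is an added example and not code from the original article or from the testing company; the vehicle graph, the node names and the mapping of each threat to a goal node are constructed assumptions for illustration, not a real vehicle's architecture. It enumerates every entry-point-to-threat chain and lists the components that lie on some chain but are absent from the current test plan, which is the careless omission the paragraph warns about.

```python
"""Attack-surface model: entry points, reachable components and the threats they realise."""
from typing import Dict, List, Set

# Constructed example model (an assumption, not a real vehicle): each key is a node,
# each value is the set of nodes an attacker who controls that node can reach next.
ATTACK_GRAPH: Dict[str, Set[str]] = {
    "key_fob":        {"body_control"},
    "bluetooth":      {"infotainment"},
    "wifi":           {"infotainment"},
    "mobile_app":     {"telematics"},
    "obd_port":       {"gateway"},
    "infotainment":   {"gateway"},
    "telematics":     {"gateway"},
    "gateway":        {"can_bus"},
    "can_bus":        {"engine_ecu", "body_control", "safety_systems"},
    "body_control":   {"door_unlock"},
    "engine_ecu":     set(),
    "safety_systems": set(),
    "door_unlock":    set(),
}

# First layer of the model: the externally reachable entry points.
ENTRY_POINTS: List[str] = ["key_fob", "bluetooth", "wifi", "mobile_app", "obd_port"]

# Threats from the article's list, each mapped to the node whose compromise
# realises it (the mapping is an assumption for this example).
THREATS: Dict[str, str] = {
    "remote_takeover": "engine_ecu",
    "unlock_vehicle": "door_unlock",
    "bypass_safety_systems": "safety_systems",
    "unauthorized_can_messages": "can_bus",
}


def attack_paths(graph: Dict[str, Set[str]], start: str, goal: str) -> List[List[str]]:
    """Enumerate every simple path from start to goal by depth-first search."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == goal:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # simple paths only: no cycles
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def threat_paths(graph, entries, threats) -> Dict[str, List[List[str]]]:
    """Second layer: for each threat, every chain from an entry point to its goal node."""
    result: Dict[str, List[List[str]]] = {}
    for threat, goal in threats.items():
        chains: List[List[str]] = []
        for entry in entries:
            chains.extend(attack_paths(graph, entry, goal))
        result[threat] = chains
    return result


def entry_points_for(graph, entries, threats, threat: str) -> List[str]:
    """Which entry points can lead to a given threat at all."""
    return sorted({chain[0] for chain in threat_paths(graph, entries, threats)[threat]})


def untested_nodes(graph, entries, threats, tested: Set[str]) -> List[str]:
    """Components on at least one attack chain that the test plan does not cover."""
    on_chain: Set[str] = set()
    for chains in threat_paths(graph, entries, threats).values():
        for chain in chains:
            on_chain.update(chain)
    return sorted(on_chain - set(tested))


if __name__ == "__main__":
    for threat, chains in threat_paths(ATTACK_GRAPH, ENTRY_POINTS, THREATS).items():
        print(f"{threat}: {len(chains)} chain(s)")
        for chain in chains:
            print("   " + " -> ".join(chain))
    # A test plan that covers only the wireless-to-CAN path leaves these nodes unexamined.
    plan = {"bluetooth", "wifi", "infotainment", "gateway", "can_bus", "obd_port"}
    print("untested:", untested_nodes(ATTACK_GRAPH, ENTRY_POINTS, THREATS, plan))
```

The graph is deliberately coarse; in practice each node would carry the second-layer detail (protocols, authentication, update mechanism) gathered while studying that entry point, and `untested_nodes` becomes a checklist that the test plan must empty before the assessment is considered complete.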

Cybersecurity Penetration Testing Methodology for Automotive

Penetration tests are conducted by cybersecurity experts who are hired to perform adversary simulations against all possible attack chains in the threat model to uncover vulnerabilities. These tests are indispensable because not only do they ensure that manufacturers comply with cybersecurity regulation, but also because external cybersecurity experts are trained to spot and exploit weaknesses that internal teams might overlook.

Our testing methodology consists of tests that prepare the OEM against all of the attacks on the automotive kill chain. We can generalize these sorts of attacks into different categories:

  • In-Vehicle Network Testing – Comprehensive testing of interior bus messaging systems, including CAN, FlexRay, MOST, and Automotive Ethernet. This also incorporates gateway security, whole-vehicle diagnostics, and bus network security testing.
  • Electronic Control Unit (ECU) testing – Diagnostic security testing such as UDS (Unified Diagnostic Services) testing, fuzz testing, update procedure testing, message security testing, and reverse engineering for vulnerabilities in the code.
  • Wireless Testing – A comprehensive testing of all wireless networks within the vehicle interfacing either within the vehicle or with the outside world.
  • Bluetooth Security Testing – Assessing vulnerabilities in Bluetooth connections, covering weak authentication, code execution, data storage, unencrypted data transfer, and faulty configurations.
  • Infotainment System Security – Testing the unit to ensure proper protections on the user interface that safeguard the interior filesystem from such attacks as malicious file uploads and examining the operating system for vulnerabilities.
  • Physical Access Assessments – Ensuring the vehicle interior is protected against any break-ins and checking for any exposed devices, such as ECUs, on the exterior of the vehicle susceptible to tampering.
  • Software and Firmware Testing – Comprehensive reviews of software or firmware. This can be done as either a white-box test where we have access to the code, or through reverse engineering.
  • Diagnostic Port Security – Testing the diagnostics port (typically OBD) against physical unauthorized access to ensure attackers cannot use it to maliciously communicate with the vehicle.
  • Mobile App Testing – Assessing security in mobile apps connected to the vehicle to prevent malicious activities, data theft, unauthorized vehicle access, and access to cloud data.
  • Driver Protection Systems Security – Testing the security of such systems as tire pressure monitors, sensors, collision detection, and cruise control for any vulnerabilities.
  • Hardware Security – Examining the hardware of any devices inside the vehicle and checking for vulnerabilities against hardware attacks that could do such things as dump memory or leak secret keys. We also check the secure boot functionality against any tampering. Finally, we perform side-channel analysis and fault-injection attacks to check against any potential data leaks.

The results and feedback from our testing methodology contribute to improved vehicle security, higher product quality, and improved customer protection. These benefits extend across the customer experience to the interconnected realm of automobiles and empower manufacturers with greater insights to refine their development processes.

Additionally, our testing methodology ensures compliance with regulations and standards such as UNECE R155 and R156. Vehicle manufacturers in Europe are mandated to meet these requirements starting in 2024.

Our Pentests at Work – Remote Control of a Motorbike

In a recent penetration test on a motorbike, our investigation unveiled a critical vulnerability, providing us with full remote control over the vehicle. Our team identified and exploited a remote code execution (RCE) vulnerability originating from within the head unit of the bike, allowing us to assume control of the underlying Linux operating system. The situation only worsened when we realized that, leveraging the compromised head unit, we could inject Controller Area Network (CAN) messages, thereby gaining the ability to manipulate the entire motorbike, not only at rest but in motion. To emphasize the severity of the situation, we developed a small piece of malware during our testing. This malicious program could be uploaded to the system through the identified vulnerability, enabling it to send messages that tampered with critical functions such as the throttle, odometer readings, and transmission.

This discovery is only one of many findings from our penetration tests. We test the security of our vehicles from the eyes and mind of an attacker, and our methodology is designed precisely to emulate attack plans similar to those of a real-life attacker. By conducting our tests like this, we aim to provide the best results possible to our customers, ensuring the security and quality of their vehicles and devices.
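The escalation described in the case study (a compromised head unit injecting frames onto the CAN bus) is exactly the kind of event an in-vehicle monitor should flag. The following is an added example, not code from the original article or from the testing company: a minimal Python anomaly detector that learns each CAN ID's typical inter-arrival period from a capture believed to be clean and then flags frames from IDs that never appeared in that baseline, as well as frames arriving far sooner than their learned period (the burst pattern of injected traffic competing with the legitimate sender). The candump-style log lines, the CAN IDs 0x0C9, 0x1A5 and 0x3FF, and the rate threshold are all constructed for illustration and are not taken from any real vehicle.

```python
"""Minimal CAN anomaly detector over candump-style log lines (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Frame = Tuple[float, int, bytes]  # (timestamp in seconds, arbitration ID, payload)

# candump -L style line: "(timestamp) interface ID#HEXDATA"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)"
)

# Constructed baseline capture (assumption): ID 0x0C9 every 10 ms, ID 0x1A5 every 100 ms.
BASELINE_LOG = """\
(0.000) can0 0C9#0000
(0.000) can0 1A5#10
(0.010) can0 0C9#0001
(0.020) can0 0C9#0002
(0.030) can0 0C9#0003
(0.100) can0 1A5#10
"""

# Constructed capture under test (assumption): one 0x0C9 frame arrives 1 ms after the
# previous one, and ID 0x3FF never appeared in the baseline.
SUSPECT_LOG = """\
(1.000) can0 0C9#0000
(1.010) can0 0C9#0001
(1.011) can0 0C9#FFFF
(1.020) can0 0C9#0002
(1.050) can0 3FF#DEADBEEF
(1.100) can0 1A5#10
"""


def parse_line(line: str) -> Optional[Frame]:
    """Parse one candump line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def parse_log(text: str) -> List[Frame]:
    """Parse a whole capture, silently skipping malformed lines."""
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f is not None]


def learn_baseline(frames: List[Frame]) -> Dict[int, float]:
    """Median inter-arrival time per ID, learned from a capture believed to be clean."""
    last_seen: Dict[int, float] = {}
    gaps: Dict[int, List[float]] = defaultdict(list)
    for ts, can_id, _ in frames:
        if can_id in last_seen:
            gaps[can_id].append(ts - last_seen[can_id])
        last_seen[can_id] = ts
    return {cid: sorted(g)[len(g) // 2] for cid, g in gaps.items()}


def detect(frames: List[Frame], baseline: Dict[int, float], known_ids: Set[int],
           min_ratio: float = 0.5) -> List[Tuple[float, int, str]]:
    """Return (timestamp, id, reason) alerts.

    A frame is flagged when its ID is not in the allow-list, or when it arrives sooner
    than min_ratio * learned period after the previous frame with the same ID.
    """
    alerts: List[Tuple[float, int, str]] = []
    last_seen: Dict[int, float] = {}
    for ts, can_id, _ in frames:
        if can_id not in known_ids:
            alerts.append((ts, can_id, "unknown-id"))
        elif can_id in last_seen and can_id in baseline:
            if ts - last_seen[can_id] < baseline[can_id] * min_ratio:
                alerts.append((ts, can_id, "rate-anomaly"))
        last_seen[can_id] = ts
    return alerts


def run_detection() -> List[Tuple[float, int, str]]:
    """Learn from BASELINE_LOG, then scan SUSPECT_LOG."""
    base_frames = parse_log(BASELINE_LOG)
    known = {cid for _, cid, _ in base_frames}
    return detect(parse_log(SUSPECT_LOG), learn_baseline(base_frames), known)


if __name__ == "__main__":
    for ts, cid, reason in run_detection():
        print(f"{ts:.3f}s  ID 0x{cid:03X}  {reason}")
```

Two simplifications matter for a real deployment: the allow-list and periods should be learned per driving state (an ID that is silent at rest may be periodic in motion), and event-driven IDs that are legitimately aperiodic need a different rule than the fixed ratio used here, otherwise the monitor either misses injected bursts or drowns in false positives.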

Enhancing Security: Practices For Robust Automotive Defense

Effectively securing automotive systems demands continuous awareness, particularly as new research and technologies emerge. OEMs need to revise and update their development process to meet these evolving changes. In the realm of automotive cybersecurity, where the stakes include personal injury or even death, it is critical to always stay on top of the trends as they unfold.

Central to this enterprise is solid and robust communication with partners. Manufacturers not only need to be well informed of the trends in cybersecurity but must be in tune with their partners and third parties involved in the product development process. Third-party devices or software in a vehicle are equally accountable for its security. A flaw in their product could serve as an entry point for a complete vehicle takeover.

As vehicles become increasingly interconnected and as we face increased attacks from outside nation-states and threat actors, the responsibility for maintaining a robust cybersecurity posture intensifies. OEMs must conduct effective testing internally while continually working with experts in the automotive cybersecurity field. Collaborating with these specialists ensures fine-grained security testing with effective results and the advice necessary to improve security and overall product quality. In this dynamic and ruthless field, a job well done in one project does not guarantee the same success in the future, necessitating continual testing done both internally and with more qualified experts.

Conclusion

The key takeaway is to understand that we are at a critical inflection point in the field of automotive cybersecurity. In a field neglected for a very long time, the rise in cyber attacks over the last decade has given the automotive industry a new impetus to shift more attention to cybersecurity. Only in the last few years has the response finally become commensurate with the threats facing the industry and its consumers.

We highly recommend that OEMs make continuous security testing a high priority as they adapt to the changing and potentially more dangerous landscape. The escalating risks stemming from increased vehicle interconnectivity, rising crime rates, and the growing frequency of cyber-attacks demand it. Leveraging the experts in the field of cybersecurity, who possess the expertise and up-to-date knowledge, is vital and must be a consistent practice.

By prioritizing cybersecurity testing, the automotive sector not only safeguards its technological assets but also fortifies its reputation for reliability and safety in an increasingly interconnected world. As cyber security experts, we assert that a proactive and cooperative approach to security testing is not just a choice but a responsibility for securing the future of connected vehicles.

How to carry out a successful penetration test?

Penetration testing has become a de facto standardized service that companies either use or plan to use as an integral component of security operations. However, many companies still struggle with the same challenges. What should we test? How do we adequately scope the penetration testing project? How do we utilize penetration testing in order to measurably improve security in the long run? How do we set a reasonable budget? Is it really going to improve our security posture, or is it going to be just another checkbox ticked?

Our company has been active in penetration testing and security auditing since 2015 and we would like to answer some of those fundamental questions in this article. We will especially focus on the following:

  1. Penetration test objectives
  2. Setting the right scope / budget
  3. Finding the right resources
  4. Optimal timing for penetration test
  5. Outcome of the penetration test

We hope this information provides you with the requisite confidence to successfully embed penetration testing into your operations. If after reading this article you still have questions about how to properly carry out a penetration test in your specific case, please feel free to reach out to us via our contact details, and one of our consultants will be happy to discuss it with you.

Penetration test objectives

There are several types of penetration tests that a company might need, depending on what you are trying to achieve. For that reason, there are several objectives that have to be analyzed and discussed in order to find the right one for you:

  1. Infrastructure penetration test – Are you an ICT manager responsible for company infrastructure? Then you should be interested in conducting a penetration test examining whether your entire ICT infrastructure is resilient against malicious actors. Depending on the assets you manage, you might be interested in an internal or an external infrastructure penetration test, or a combination of both.
    • An external penetration test tests the resilience of your publicly exposed infrastructure (web, mail, VPN servers etc.) against the omnipresent malicious actors on the Internet. The ultimate goal of the test is to evaluate whether it is possible to gain unauthorized access from the Internet into your internal network.
    • An internal penetration test tests the resilience of assets which are only hosted internally (ERP system, internal file servers, version control servers etc.). The objective of such a test is to see whether an unprivileged local user would be able to access or modify systems which should not be accessible to them, e.g. a disgruntled employee or an external contractor gaining access to your accounting data, intellectual property etc.
    • A combination of both. Our customers typically have both external and internal infrastructure. In that case, it is advisable to do both, starting with the external penetration test and following with the internal one. This approach first verifies whether an external attacker can get a foothold in the company via your public IPs, and then the internal test verifies how far such an attacker would get internally. If there is a strict budget limitation, either of them should be selected based on your risk profile, or the testing should be distributed across multiple budgeting periods.
  2. Product penetration test – Are you a product manager or development lead? In this case you would rather be interested in how your product would withstand malicious attacks. Whether you are responsible for a web application, a desktop application or a hardware appliance, a product penetration test done early in the development life cycle will assist your development team in building an inherently more robust and secure system.
    • Web application / API test. Your web application is assessed against the complete OWASP Top 10 (APIs against the OWASP API Security Top 10), the de facto industry best-practice web application security standard.
    • Desktop / mobile application test. A penetration test evaluating your application against the most common application security issues, depending on the platform (Windows/UNIX/mobile). It demonstrates how such issues can be misused and how they can be avoided in the future.
    • Hardware appliance test. Are you developing your own hardware together with software? We have extensive experience testing Linux, Android and custom-based automotive ECUs, aerospace units as well as custom military ICT equipment. The situation with custom appliances is a very specific case which would in itself allow for several stand-alone articles. If you are considering such a test, please reach out to us. We will assess your situation on a case-by-case basis and provide the necessary advice.

Automated vulnerability scan vs manual penetration test

Nowadays, there are many great automated vulnerability scanning solutions on the market. Those include, among others, Tenable, Rapid7 and Qualys. Both automated vulnerability scanners and manual penetration tests exist to uncover vulnerabilities. They have, however, very different use cases. Automated vulnerability scans are great for periodically uncovering the most obvious security issues on large, ever-changing infrastructures (default credentials, missing OS security patches); for instance, periodically scanning the whole enterprise ICT infrastructure for such fundamental security errors.

On the other hand, a manual penetration test is there to uncover specific high-profile vulnerabilities in a limited set of systems (a vulnerability in a custom-built application, a guessable admin password based on user behavior observed elsewhere). A manual penetration test is therefore a great fit for custom-built applications, products or heavily customized infrastructures where automated scanning would fail to achieve the expected results.

It is always important to understand which of those brings you greater security value, and if the decision is made for a manual penetration test, you must ensure that the given penetration tester is sufficiently qualified to indeed conduct a manual penetration test. After all, what you are paying for during a penetration test is the human expertise to find vulnerabilities which would be missed by an automated vulnerability scanner. You do not want to end up paying for someone to run a vulnerability scanner on your behalf. See the section “Finding the right resources” for more information on how to select the right person to do the penetration testing job.

Setting the right scope / budget

Setting the right scope for a penetration test is not as easy as it might seem. It should take into consideration the risk profile of your company / product as well as your budget limitations and security expectations. In order to get the most out of the penetration test, there must be a clear and specific scope before commencing. The following are just a few of the questions which must be answered:

  • (infrastructure) Which assets shall be tested?
  • (product) Which product interfaces / components shall be tested?
  • Are they publicly facing or only for internal use?
  • What would be the impact if such a system gets hacked?
  • How much can they be affected by downtime?
  • How many users or employees rely on the normal and daily use of this system?

We understand that each customer has specific needs. A penetration test should always start with a kick-off meeting to clearly define the scope of the future testing. We always advise on how to make the testing most appropriate to you as the end customer from both a budget and a risk-profile perspective.

Penetration tests are scoped by the number of man-days (MDs) utilized for the test. Just to give you a high-level idea, the following are the average scopes of some typical scenarios:

  • External penetration test of single publicly facing IP – 1 MD
  • Custom medium-sized web application – 5 MDs
  • Internal penetration test of 200 assets – 7 MDs
  • Complex desktop application connected to backend API – 10 MDs
  • Automotive head unit – 40 MDs

Finding the right resources

As everywhere, quality (penetration tester skills and experience) is much more important than quantity (number of man-days invested). Finding the right tester / company for the job is not always straightforward. There are many companies that sell “penetration tests” and in the end deliver only ready-made reports exported from automated vulnerability scanning tools. On the other hand, there are specialized companies that dig deeper and are more focused on security research. To overcome this, you can look for the right indicators when choosing the company that will perform the penetration test.

Look for certifications. Although certifications are not everything, they prove that their holder has gone through an exam which verifies a certain baseline proficiency on the topic. Offensive Security, for instance, provides great certifications testing hands-on penetration testing skills. Their most popular certification, Offensive Security Certified Professional (OSCP), verifies candidate skills in a 24-hour real-world penetration testing exam. The experienced penetration tester of your choice should have a proven technical background with at least certifications equivalent to OSCP.

Consider the company’s past projects. There are many successful and good companies that provide cyber security services, but not all might be suitable for you. We recommend checking their portfolio and verifying whether they have experience with similarly sized projects from the past.

Consider the company’s security research. Security is about uncovering the unknown and the unexpected. A good security company should be conducting its own security research, finding its own vulnerabilities and developing its own tooling. We have a proven track record for both: finding our own 0-day vulnerabilities (flaws in software that are unknown to the creator / vendor themselves) as well as developing our own open source projects which we use during our penetration testing projects.

Optimal timing for penetration test

So at this point you know the objective and the scope, and you have the right person / company to kick it off, so why not start immediately? It is important to note that a penetration test is a simulated attack against your systems and as such can cause unexpected business disruption. It is therefore crucial to plan it well. Here are just some of the considerations:

  • Can the penetration test be done on a staging environment instead of production?
  • In the unlikely event that a system crashes, will there be anyone on call to restore its functionality without undue delay?
  • Should any critical systems be tested outside business hours?
  • Should any critical system be tested in a less aggressive way (i.e. not running memory-corrupting exploits)?
  • Should we do the test on the finalized product or early in the development life cycle?

Answering such questions and planning the test accordingly is best done during the kick-off workshop before the penetration test commences.

Outcome of the penetration test

The outcome of the penetration test should always be a detailed penetration testing report divided into several sections. First, an executive summary discussing all the identified findings together with their severity, in a manner which is understandable to technical as well as management teams. Second, there should be a detailed explanation of all the issues found, in technical detail sufficient for the engineering team to replicate those issues. Finally, there should be a section describing the optimal mitigation strategy for all identified issues together with next steps. Next steps might include re-testing once fixes are applied, to confirm that the fixes are effective.

Apart from the report, we always recommend also arranging a closing presentation (workshop) to present all identified issues, demonstrate how they could be misused by a potential attacker and discuss with stakeholders how to fix those issues. It is always good to involve various stakeholders, both managerial and technical, in such a presentation so that they can ask their questions.

Finally, optional training can be arranged for the developers / ICT admins as an additional benefit of the penetration testing project. The goal of the training is to provide the necessary guidance and best practices which, if followed, would prevent similar security issues from re-occurring in the future. In the end, we all need to learn from past security mistakes in order not to repeat them.

Penetration testing is a process of securing your assets which has become more or less a must-have in the digital age. We hope this article helps you establish or improve penetration testing inside your organization. If you have any further questions or comments, please feel free to reach out to us.