
Automotive Security Testing Basics: What You Need to Know

Protecting vehicles extends beyond safeguarding valuable assets; it is about securing lives and sensitive data in an age where automobiles have evolved into intricate networks of interconnected microcomputers. These machines not only communicate internally but also externally, forming a vast web of interconnectivity. However, the rapid technological progression has outpaced cybersecurity measures in the automotive industry, an industry which, for too long, has taken cybersecurity for granted.

The watershed moment came in 2015 with the infamous Jeep hack. Manufacturers were compelled to act and take cybersecurity far more seriously; it could no longer be an afterthought. Governments and international bodies then joined the fray, establishing regulations that manufacturers must comply with to ensure safer vehicles. Still, the rising tide of cyber threats remains a concern.

Yet, despite these efforts, automotive security remains a relentless cat-and-mouse game. As hacking methods evolve, so must the defense mechanisms. This article advocates continual automotive cybersecurity testing and underscores the need for more proactive methods to avoid not only financial losses but also damage to a company’s reputation and inconvenience, or even harm, to its customers.

Automotive Cybersecurity Fundamentals

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

– Sun Tzu

From the perspective of an Original Equipment Manufacturer (OEM), understanding automotive cybersecurity means being aware not only of the threats posed by an attacker but also having an acute awareness of the attack surface available on the vehicle or device. What is this ‘attack surface’? The attack surface is the set of interfaces, or entry points, that an attacker can attempt to exploit. These attackable entry points enable us to draw up possible attack scenarios and attack paths that may lead to the theft or the remote compromise of the vehicle.

Modern automobiles are composed not only of many microcomputers but also of services that users interact with, such as Bluetooth and Wi-Fi, and of mobile applications that connect with the car. Let us not forget key fobs, too. Every automotive cybersecurity assessment must first identify the threats to the vehicle and its users. We ask ourselves, ‘What would an attacker want to do with this vehicle?’ These threats could include:

  • Remote takeover
  • Shutting down the vehicle
  • Espionage, such as through interior microphones or cameras
  • Unlocking the vehicle to gain entry
  • Vehicle theft
  • Vehicle tracking
  • Disrupting or bypassing safety systems
  • Installing malware on the vehicle, such as ransomware
  • Supply chain disruption
  • Sending unauthorized CAN messages

Once the threats are identified, we then look at the vehicle and identify the attack surface, or entry points, from which an attacker can conduct attacks. We can look at this issue as having two layers. The first layer is a simple identification of the entry points. These attack vectors include such entry points as Bluetooth, Wi-Fi, the OBD connector, the infotainment unit, mobile applications, and key fobs for keyless entry and starting. The second layer then takes each entry point, studies it in more detail to know how it works, and then identifies the weaknesses that could be exploitable. Models can then be created for each of the attackable endpoints that lay out potential tactics for attacks against them.

Once all of the models have been created, we can then diagram the overall attack model, covering all of the entry points and connecting those points to identify the potential attack paths associated with each threat. We then thoroughly examine and test the entry points in each chain for any vulnerabilities that could lead to compromise.

Comprehensive automotive cybersecurity testing requires a carefully planned threat model that covers all possible attack scenarios arising from the known threats and the attack surface presented by every vehicle. Otherwise, any careless omission from the model may become the attack vector for a successful hack or theft of the vehicle.
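The two-layer modelling described above can be made mechanical once entry points, intermediate components and threats are written down as a graph. The following is an added illustration, not the article's own tooling: a constructed toy model using the entry points and threats named in this article, a search that enumerates every attack path from an entry point to a threat, and a ranking of the intermediate components that the most paths pass through, which is where testing effort pays off first.

```python
from collections import defaultdict

# Constructed toy model: node -> nodes an attacker could reach from it.
EDGES = {
    "bluetooth": ["infotainment"],
    "wifi": ["infotainment"],
    "mobile_app": ["telematics"],
    "obd_port": ["diagnostic_gateway"],
    "key_fob": ["body_ecu"],
    "infotainment": ["gateway", "microphone"],
    "telematics": ["gateway", "vehicle_tracking"],
    "gateway": ["powertrain_bus"],
    "diagnostic_gateway": ["powertrain_bus", "body_ecu"],
    "body_ecu": ["unlock_vehicle"],
    "powertrain_bus": ["remote_takeover", "shutdown"],
    "microphone": ["espionage"],
}
ENTRY_POINTS = ["bluetooth", "wifi", "mobile_app", "obd_port", "key_fob"]
THREATS = {"remote_takeover", "shutdown", "espionage", "unlock_vehicle", "vehicle_tracking"}

def attack_paths(start, edges=EDGES, threats=THREATS):
    """Depth-first search from one entry point; yields each cycle-free path ending at a threat."""
    stack = [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node in threats:
            yield tuple(path)
            continue
        for nxt in edges.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))

def build_attack_model(entry_points=ENTRY_POINTS):
    """Map each threat to every path reaching it, shortest paths first."""
    model = defaultdict(list)
    for ep in entry_points:
        for path in attack_paths(ep):
            model[path[-1]].append(path)
    return {t: sorted(p, key=len) for t, p in model.items()}

def chokepoints(model):
    """Intermediate components ranked by how many attack paths cross them;
    a single weakness there exposes the most threats, so test it first."""
    count = defaultdict(int)
    for paths in model.values():
        for path in paths:
            for node in set(path[1:-1]):
                count[node] += 1
    return sorted(count.items(), key=lambda kv: (-kv[1], kv[0]))
```

A threat that ends up with no path in the model is either genuinely unreachable or a gap in the model, and deserves a second look either way.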

Cybersecurity Penetration Testing Methodology for Automotive

Penetration tests are conducted by cybersecurity experts who are hired to perform adversary simulations against all possible attack chains in the threat model to uncover vulnerabilities. These tests are indispensable because not only do they ensure that manufacturers comply with cybersecurity regulation, but also because external cybersecurity experts are trained to spot and exploit weaknesses that internal teams might overlook.

Our testing methodology consists of tests that prepare the OEM against all of the attacks on the automotive kill chain. We can generalize these sorts of attacks into different categories:

  • In-Vehicle Network Testing – Comprehensive testing of interior bus messaging systems, including CAN, FlexRay, MOST, and Automotive Ethernet. This also incorporates gateway security, whole-vehicle diagnostics, and bus network security testing.
  • Electronic Control Unit (ECU) Testing – Diagnostic security testing such as UDS (Unified Diagnostic Services) testing, fuzz testing, update procedure testing, message security testing, and reverse engineering for vulnerabilities in the code.
  • Wireless Testing – Comprehensive testing of all wireless networks in the vehicle, whether they interface within the vehicle or with the outside world.
  • Bluetooth Security Testing – Assessing vulnerabilities in Bluetooth connections, covering weak authentication, code execution, data storage, unencrypted data transfer, and faulty configurations.
  • Infotainment System Security – Testing the unit to ensure proper protections on the user interface that safeguard the interior filesystem from attacks such as malicious file uploads, and examining the operating system for vulnerabilities.
  • Physical Access Assessments – Ensuring the vehicle interior is protected against break-ins and checking for any exposed devices on the exterior of the vehicle, such as ECUs, that are susceptible to tampering.
  • Software and Firmware Testing – Comprehensive reviews of software or firmware. This can be done as either a white-box test where we have access to the code, or through reverse engineering.
  • Diagnostic Port Security – Testing the diagnostics port (typically OBD) against physical unauthorized access to ensure attackers cannot use it to maliciously communicate with the vehicle.
  • Mobile App Testing – Assessing security in mobile apps connected to the vehicle to prevent malicious activities, data theft, unauthorized vehicle access, and access to cloud data.
  • Driver Protection Systems Security – Testing the security of such systems as tire pressure monitors, sensors, collision detection, and cruise control for any vulnerabilities.
  • Hardware Security – Examining the hardware of any devices inside the vehicle and checking for vulnerabilities against hardware attacks that could do such things as dump memory or leak secret keys. We also check the secure boot functionality against any tampering. Finally, we perform side-channel analysis and fault-injection attacks to check against any potential data leaks.

The results and feedback from our testing methodology contribute to improved vehicle security, higher product quality, and improved customer protection. These benefits extend across the customer experience to the interconnected realm of automobiles and empower manufacturers with greater insights to refine their development processes.

Additionally, our testing methodology ensures compliance with regulations and standards such as UNECE R155 and R156. Vehicle manufacturers in Europe are mandated to meet these requirements starting in 2024.

Our Pentests at Work – Remote Control of a Motorbike

In a recent penetration test on a motorbike, our investigation unveiled a critical vulnerability, providing us with full remote control over the vehicle. Our team identified and exploited a remote code execution (RCE) vulnerability originating from within the head unit of the bike, allowing us to assume control of the underlying Linux operating system. The situation only worsened when we realized that, leveraging the compromised head unit, we could inject Controller Area Network (CAN) messages, thereby gaining the ability to manipulate the entire motorbike, not only at rest but in motion. To emphasize the severity of the situation, we developed a small piece of malware during our testing. This malicious program could be uploaded to the system through the identified vulnerability, enabling it to send messages that tampered with critical functions such as the throttle, odometer readings, and transmission.
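The defensive counterpart to this finding is a gateway that enforces domain separation between the head unit and the powertrain bus, so that a compromised infotainment system cannot reach throttle, odometer or transmission traffic at all. The following is an added example, not code from the original article or the tested motorbike; all arbitration IDs, bus names and the rate limit are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy. IDs and bus names are placeholders, not the bike's real ones.
# Each non-powertrain bus may only forward the listed IDs into the powertrain bus.
FORWARD_ALLOW = {
    "infotainment": {0x3A1},          # e.g. an HMI status request
    "body": {0x3A1, 0x2C0},
}
# IDs for the safety-relevant functions the article names; never accepted
# from any other bus, whatever the allowlist says.
PROTECTED_IDS = {0x100: "throttle", 0x180: "odometer", 0x1C0: "transmission"}
MAX_PER_SECOND = 20                   # constructed rate limit per (bus, id)

@dataclass(frozen=True)
class Frame:
    bus: str      # bus the frame arrived on
    can_id: int
    data: bytes
    t_ms: int     # receive timestamp in milliseconds

def gateway_decision(frame, counters):
    """Return (action, reason) for a frame that asks to cross into powertrain."""
    if frame.can_id in PROTECTED_IDS:
        return "drop", f"{frame.bus} may not emit {PROTECTED_IDS[frame.can_id]} 0x{frame.can_id:X}"
    if frame.can_id not in FORWARD_ALLOW.get(frame.bus, set()):
        return "drop", f"0x{frame.can_id:X} not on allowlist for {frame.bus}"
    key = (frame.bus, frame.can_id, frame.t_ms // 1000)   # one-second window
    counters[key] += 1
    if counters[key] > MAX_PER_SECOND:
        return "drop", f"rate limit exceeded for 0x{frame.can_id:X} on {frame.bus}"
    return "forward", "ok"

def filter_frames(frames):
    """Apply the policy to a frame sequence; returns (frame, action, reason) triples."""
    counters = defaultdict(int)
    return [(f, *gateway_decision(f, counters)) for f in frames]

# Constructed sample traffic: a compromised head unit trying to reach powertrain IDs.
SAMPLE = [
    Frame("infotainment", 0x3A1, b"\x01", 0),
    Frame("infotainment", 0x100, b"\xff\x00", 5),   # throttle ID from head unit
    Frame("body", 0x2C0, b"\x00", 10),
    Frame("infotainment", 0x1C0, b"\x03", 12),      # transmission ID from head unit
]

if __name__ == "__main__":
    for frame, action, reason in filter_frames(SAMPLE):
        print(f"{action:7} 0x{frame.can_id:03X} from {frame.bus}: {reason}")
```

Every drop decision carries a reason string so the gateway can log it; a burst of protected IDs from the infotainment bus is exactly the signal an intrusion detection function should alert on.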

This discovery is only one of many findings from our penetration tests. We test the security of vehicles through the eyes and mind of an attacker, and our methodology is designed precisely to emulate attack plans similar to those of a real-life attacker. By conducting our tests in this way, we aim to provide our customers with the best possible results, ensuring the security and quality of their vehicles and devices.

Enhancing Security: Practices For Robust Automotive Defense

Effectively securing automotive systems demands continuous awareness, particularly as new research and technologies emerge. OEMs need to revise and update their development processes to keep pace with these changes. In the realm of automotive cybersecurity, where the stakes include personal injury or even death, it is critical to always stay on top of the trends as they unfold.

Central to this enterprise is solid and robust communication with partners. Manufacturers not only need to be well informed of the trends in cybersecurity but must be in tune with their partners and third parties involved in the product development process. Third-party devices or software in a vehicle are equally accountable for its security. A flaw in their product could serve as an entry point for a complete vehicle takeover.

As vehicles become increasingly interconnected and as attacks from nation-states and other threat actors increase, the responsibility for maintaining a robust cybersecurity posture intensifies. OEMs must conduct effective testing internally while continually working with experts in the automotive cybersecurity field. Collaborating with these specialists ensures fine-grained security testing with effective results and the advice necessary to improve security and overall product quality. In this dynamic and ruthless field, a job well done in one project does not guarantee the same success in the future, necessitating continual testing done both internally and with qualified experts.

Conclusion

The key takeaway is that we are at a critical inflection point in the field of automotive cybersecurity. In a field neglected for a very long time, the rise in cyber attacks over the last decade has given the automotive industry new impetus to shift more attention to cybersecurity. Only in the last few years has the response finally become commensurate with the threats facing the industry and its consumers.

We highly recommend that OEMs make continuous security testing a high priority as they adapt to a changing and potentially more dangerous landscape. The escalating risks stemming from increased vehicle interconnectivity, rising crime rates, and the growing frequency of cyber-attacks demand it. Leveraging experts in the field of cybersecurity, who possess the expertise and up-to-date knowledge, is vital and must be a consistent practice.

By prioritizing cybersecurity testing, the automotive sector not only safeguards its technological assets but also fortifies its reputation for reliability and safety in an increasingly interconnected world. As cybersecurity experts, we assert that a proactive and cooperative approach to security testing is not just a choice but a responsibility for securing the future of connected vehicles.