The Top 3 Security Aspects of Pentests in Automotive Cyber Security

20 September 2023

Connected Vehicles: Infotainment. Autonomous Driving. Cloud Backend.

Amidst these developments, new opportunities are emerging for businesses, but also entirely new attack paths for cybercriminals. At the same time, they pose new challenges for cybersecurity assessments.
A significant tool in this context is penetration testing, or pentest for short.

To take a closer look at this important topic, Tim Kranz, responsible for usd pentests, took the online stage for the webinar "Cyber Security Testing for Product and Company: Pentesting, Code Analysis and Other Methods." This event is part of the webinar series "Secure Connected Vehicles - Challenge, Opportunities and Risks for the Industry in Bayern" organized by bayern innovativ.

This event series focuses on cybersecurity questions in the automotive, commercial vehicle and supplier industries. In his presentation, Kranz provided insights into security assessment through penetration testing and now shares his three key findings from the event.


1) Car2Car, Car2X, Car2Cloud: Networking creates attack vectors

Modern vehicles are equipped with integrated computer systems that communicate with each other, their environment and the traffic infrastructure through interfaces. This enables functions such as infotainment systems, on-board computers and autonomous driving, while also providing remote access via the cloud and backend systems.

This networking poses security risks, as hackers could exploit vulnerabilities in these components to infiltrate vehicles or even take control of them remotely. Therefore, a thorough security review of these interfaces is essential.

2) Pentests and technology-specific analyses enhance automotive industry security

The IT environment of connected vehicles consists of conventional software and IT components as well as tailored solutions.

For security assessment of conventional components in the automotive industry, traditional pentests are suitable. For example, the back-end system can be examined for vulnerabilities through a classic system pentest, or the environment can be examined with a cloud security audit or cloud pentest. The smartphone app for managing one's own vehicle can be analyzed with a classic mobile penetration test.

On the other hand, to check a wireless car key for security vulnerabilities, a technology-specific analysis is advisable, involving an inspection of the cryptography and protocols used.

3) Tailored security testing: Aligned with individual protection needs

An important aspect is adapting the security assessments to the individual protection needs of each vehicle component. Not all components require the same intensity of security testing. It is crucial to concentrate resources on the most vulnerable areas and adjust the depth of testing accordingly.
For example, it is particularly important to subject critical components that have a direct or indirect impact on traffic safety or vehicle control to intensive security assessment. This is of utmost importance due to the potential impact on road traffic.

Depending on the type of component to be tested, addressing vulnerabilities can become a major challenge. If vulnerabilities are found in components that may be installed thousands of times in the vehicle and cannot be remedied through over-the-air updates, replacement can be costly for the manufacturer. For this reason, we recommend considering security assessments early in the production cycle.


Would you like to learn more about our security solutions? Contact us. We are happy to assist you.
