The Top 3 Security Aspects of Pentests in Automotive Cyber Security

September 20, 2023

Connected Vehicles: Infotainment. Autonomous Driving. Cloud Backend.

Amidst these developments, new opportunities are emerging for businesses, but also entirely new attack paths for cybercriminals. At the same time, they pose new challenges for cybersecurity assessments.
A significant tool in this context is penetration testing, or pentest for short.

To take a closer look at this important topic, Tim Kranz, responsible for usd pentests, took the online stage for the webinar "Cyber Security Testing for Product and Company: Pentesting, Code Analysis and Other Methods." This event is part of the webinar series "Secure Connected Vehicles - Challenge, Opportunities and Risks for the Industry in Bayern" organized by bayern innovativ.

This event series focuses on cybersecurity questions in the automotive, commercial vehicle and supplier industries. In his presentation, Kranz provided insights into security assessment through penetration testing and now shares his three key findings from the event.

1) Car2Car, Car2X, Car2Cloud: Networking creates attack vectors

Modern vehicles are equipped with integrated computer systems that communicate with each other, their environment and the traffic infrastructure through interfaces. This enables functions such as infotainment systems, on-board computers and autonomous driving, while also providing remote access via the cloud and backend systems.

This networking poses security risks, as hackers could exploit vulnerabilities in these components to infiltrate vehicles or even take control of them remotely. Therefore, a thorough security review of these interfaces is essential.

2) Pentests and technology-specific analyses enhance automotive industry security

The IT environment of connected vehicles consists of conventional software and IT components as well as tailored solutions.

Traditional pentests are suitable for assessing the security of conventional components in the automotive industry. For example, the back-end system can be examined for vulnerabilities through a classic system pentest, or the environment can be examined with a cloud security audit or cloud pentest. The smartphone app for managing one's own vehicle can be analyzed with a classic mobile penetration test.

On the other hand, to check a wireless car key for security vulnerabilities, a technology-specific analysis is advisable, involving an inspection of the cryptography and protocols used.

3) Tailored security testing: Aligned with individual protection needs

An important aspect is adapting the security assessments to the individual protection needs of each vehicle component. Not all components require the same intensity of security testing. It is crucial to concentrate resources on the most vulnerable areas and adjust the depth of testing accordingly.
For example, it is particularly important to subject critical components that have a direct or indirect impact on traffic safety or vehicle control to intensive security assessment. This is of utmost importance due to the potential impact on road traffic.

Depending on the type of component to be tested, addressing vulnerabilities can become a major challenge. If vulnerabilities are found in components that may be installed thousands of times in the vehicle and cannot be remedied through over-the-air updates, replacement can be costly for the manufacturer. For this reason, we recommend considering security assessments early in the production cycle.
