Connected Vehicles: Infotainment. Autonomous Driving. Cloud Backend.
Amidst these developments, new opportunities are emerging for businesses, but also entirely new attack paths for cybercriminals. At the same time, these developments pose new challenges for cybersecurity assessments.
A significant tool in this context is penetration testing, or pentest for short.
To take a closer look at this important topic, Tim Kranz, responsible for usd pentests, took the online stage for the webinar "Cyber Security Testing for Product and Company: Pentesting, Code Analysis and Other Methods." This event is part of the webinar series "Secure Connected Vehicles - Challenge, Opportunities and Risks for the Industry in Bayern" organized by bayern innovativ.
This event series focuses on cybersecurity questions in the automotive, commercial vehicle and supplier industries. In his presentation, Kranz provided insights into security assessment through penetration testing and now shares his three key findings from the event.
1) Car2Car, Car2X, Car2Cloud: Networking creates attack vectors
Modern vehicles are equipped with integrated computer systems that communicate with each other, their environment and the traffic infrastructure through interfaces. This enables functions such as infotainment systems, on-board computers and autonomous driving, while also providing remote access via the cloud and backend systems.
This networking poses security risks, as hackers could exploit vulnerabilities in these components to infiltrate vehicles or even take control of them remotely. Therefore, a thorough security review of these interfaces is essential.
2) Pentests and technology-specific analyses enhance automotive industry security
The IT environment of connected vehicles consists of conventional software and IT components as well as tailored solutions.
For security assessment of conventional components in the automotive industry, traditional pentests are suitable. For example, the back-end system can be examined for vulnerabilities through a classic system pentest or the environment can be examined with a cloud security audit or cloud pentest. The smartphone app for managing one's own vehicle can be analyzed with a classic mobile penetration test.
On the other hand, to check a wireless car key for security vulnerabilities, a technology-specific analysis is advisable, involving an inspection of the cryptography and protocols used.
3) Tailored security testing: Aligned with individual protection needs
An important aspect is adapting the security assessments to the individual protection needs of each vehicle component. Not all components require the same intensity of security testing. It is crucial to concentrate resources on the most vulnerable areas and adjust the depth of testing accordingly.
For example, it is particularly important to subject critical components that have a direct or indirect impact on traffic safety or vehicle control to intensive security assessment. This is of utmost importance due to the potential impact on road traffic.
Depending on the type of component to be tested, addressing vulnerabilities can become a major challenge. If vulnerabilities are found in components that may be installed thousands of times in the vehicle and cannot be remedied through over-the-air updates, replacement can be costly for the manufacturer. For this reason, we recommend considering security assessments early in the production cycle.