The esteemed hackathon Pwn2Own has had its first ever automotive-focused event in Tokyo, Japan this January. At the end of the three-day hackathon, hackers identified 49 unique zero-day exploits, accumulating over a million dollars in awarded bounties. Hackathons like this have been common practice in the tech industry for years, however, they are just getting popular in the automotive sector.
During these hackathons, white-hat hackers gather to uncover zero-day vulnerabilities in vehicles and their systems. While hacking may have its negative connotations, ethical hacking performed in these events is better defined by the term penetration testing.
As technology advances, vehicles become increasingly vulnerable to cyber threats. Securing vehicles from these cyber threats requires extensive and proactive cyber security practices that not only protect vehicles but also actively search for new vulnerabilities in constantly developing systems. In this blog, we delve into the realm of automotive penetration testing, a critical practice aimed at identifying weaknesses in vehicle security systems.
Understanding Automotive Penetration Testing
Automotive penetration testing, or pentesting, is a process designed to identify vehicle vulnerabilities by means of hacking into specific components of a vehicle. This proactive way of cybersecurity testing allows for the uncovering of security gaps in a controlled environment.
Penetration tests can be conducted internally by cybersecurity experts employed by an OEM, as well as externally, by independent ethical hackers. Upon successful identification of a vehicle vulnerability, hackers share their findings with an OEM for further investigation and remediation.
Besides vulnerability assessment, penetration testing provides positive feedback that can be used for attack surface analysis and compliance assessment.
Attack surface analysis allows cybersecurity experts to evaluate potential entry points that malicious actors could exploit to breach a vehicle’s system. The adoption of connected features in vehicles, such as IoT devices, telematics systems, and infotainment units, has opened up new avenues for cyber attacks. The exponential growth in vehicle technology multiplies the avenues hackers can exploit to gain unauthorized access to vehicle systems, compromise safety features, or steal sensitive data. Hence, penetration testing can be used to uncover the vulnerabilities within the system and also the various entry points and attack vectors that can be used to exploit said vulnerability.
For instance, to identify security gaps in a vehicle’s external communications a hacker may conduct a penetration test on ECUs responsible for a vehicle’s connectivity functions like Wi-Fi or V2X. Hacking into these individual ECUs allows cybersecurity experts to generate a threat model that lays out the potential entryways, threats, and influences that may impact an ECU.
Why Automotive Penetration Testing Matters
By conducting thorough security assessments manufacturers can identify vulnerabilities in vehicle systems and address them proactively. This not only enhances the overall security of vehicles but also helps meet regulatory obligations effectively.
Vehicle security regulations have evolved to include robust cybersecurity measures as compliance requirements. UN Regulation No. 155 (UN R155), aimed at ensuring the cybersecurity of vehicles, mandates manufacturers to implement measures to protect against unauthorized access, manipulation, and theft of data.
To comply with the regulations manufacturers must conduct and document risk assessment tests, implement appropriate cybersecurity measures, detect, and respond to possible cyber attacks, as well as log data to support the detection of cyber attacks. Considering the extent of risk assessment required, it is clear that automotive penetration testing serves as a crucial tool in achieving and maintaining compliance with UN R155 requirements.
The Importance of Collaboration for Cybersecurity Testing
Compliance with regulations may be time-consuming and costly for vehicle manufacturers. Therefore, collaboration between automotive manufacturers, cybersecurity experts, and regulatory bodies is essential for effective security assessments. Comprehensive solutions that allow for continuous testing, threat intelligence gathering, and integrating security measures into the development process are crucial to ensure cybersecurity best practices.
AutoCrypt CSTP serves as a comprehensive cybersecurity testing platform that enables automotive OEMs to conduct cybersecurity testing for regulatory compliance and share integrated results for vehicle type approval. The newly launched platform runs a variety of vulnerability testing techniques, like penetration testing, engineering specification testing, and fuzz testing, using test cases mapped out for UN R155/156 and GB (GB/T).
As vehicles become increasingly connected, securing them against cyber threats is paramount. Automotive penetration testing emerges as a vital practice in safeguarding vehicles and ensuring the safety and security of drivers and passengers. By adhering to best practices, collaborating with industry stakeholders, and staying on top of regulatory requirements, automotive manufacturers can build resilient vehicles capable of withstanding the challenges of the digital age.
